GT500 (Member): 14249 posts, 456 days won
Everything posted by GT500

  1. A change of programming language would more than likely invalidate any existing signatures. That just means we write new signatures for the newer variants that are not detected, and if someone happens to stumble upon any newer variants in the wild that Emsisoft Anti-Malware is not yet able to detect with signatures then the Behavior Blocker should quarantine any unknown programs or scripts that attempt to do anything potentially malicious.
  2. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  3. I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them.
  4. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  5. We don't need any more samples. This particular ransomware has been around for some time now, and its encryption is understood fairly well. The issue is that they switched to using RSA keys almost 2 years ago, and once they did that decryption without the private key became virtually impossible (it would take thousands of years even for a supercomputer to brute force).
  6. This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  7. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  8. This was an issue on Windows Vista. Now that we no longer need to support Vista, it shouldn't be a problem in the majority of cases.
  9. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  10. First, please allow me to apologize for taking so long to reply. There can be issues if you have more than one profile in Firefox. Try installing the Emsisoft Browser Security extension from the Firefox browser add-ons page, and note that Emsisoft Anti-Malware may have trouble detecting that the extension is installed if you have more than one profile in Firefox. If you want more information about how the extension works, or links for other browsers, then you can find that here.
  11. Yes, they do provide the private keys needed to decrypt your files if you pay them, along with a decrypter to use with the private keys.
  12. In theory, as long as it hasn't been overwritten. You can try file undelete software to see if anything can be recovered off of an old drive that data was moved from before it was encrypted, however keep in mind that ransomware may attempt to make old deleted data unrecoverable in order to increase the likelihood that people will pay.
  13. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ Translation provided by Google: This is a newer variant of STOP / Djvu. If you have an offline ID, as soon as we can find the decryption key for this variant and add it to our database, you will be able to recover your files. However, if you have an online ID (which is more likely), it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ Translation provided by DeepL: This is a newer variant of STOP/Djvu. If you have an offline ID, then once the decryption key for this variant has been found and added to our database, you should be able to recover your files. However, if you have an online ID (which is more likely), then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  14. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  15. Actually our exclusions support wildcards, so a path like the following should work: %TEMP%\????????-????-????-????-????????????\pro*.exe The question marks are a form of wildcard and each takes the place of a single character, unlike the asterisk which will match with more than one character at the same time. Assuming that the number of characters is always the same then it should work just fine. To add that exclusion, if you're not using the management console via MyEmsisoft, then just add a monitoring exclusion for a program (it doesn't matter which one), then click on the new rule to edit it, and paste the example exclusion I gave you above to replace it. Once you click anywhere outside of the list of exclusions it will save and apply your changes.
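As an added illustration of the wildcard semantics described in the post above (example code, not Emsisoft's matcher), this small Python matcher translates the quoted exclusion into a regex and checks constructed paths against it; the %TEMP% value and the GUID are made up, and the assumptions that neither wildcard crosses a folder separator and that matching is case-insensitive (as Windows paths are) are this example's, not documented behaviour.

```python
import re

# Exclusion pattern quoted in the post above: a GUID-named folder under %TEMP%
# containing an executable whose name starts with "pro".
PATTERN = r"%TEMP%\????????-????-????-????-????????????\pro*.exe"

# Constructed value standing in for the user's %TEMP% (assumption, not from the post).
TEMP_DIR = r"C:\Users\alice\AppData\Local\Temp"


def wildcard_to_regex(pattern: str, temp_dir: str) -> "re.Pattern[str]":
    """Translate the exclusion into an anchored, case-insensitive regex.

    Semantics follow the post: '?' stands for exactly one character and '*'
    for any number of characters (including none). That neither wildcard
    crosses a backslash is an assumption made here, not a documented rule.
    """
    expanded = pattern.replace("%TEMP%", temp_dir)
    parts = []
    for ch in expanded:
        if ch == "?":
            parts.append(r"[^\\]")       # exactly one character inside a path component
        elif ch == "*":
            parts.append(r"[^\\]*")      # zero or more characters inside a path component
        else:
            parts.append(re.escape(ch))  # literal text, including the backslashes
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


_MATCHER = wildcard_to_regex(PATTERN, TEMP_DIR)


def is_excluded(path: str) -> bool:
    """True if the given full path would be covered by the exclusion."""
    return _MATCHER.match(path) is not None


if __name__ == "__main__":
    # Constructed sample paths; the GUID is made up.
    guid = "3f2a9c1e-7b4d-4e55-9a21-0c8d6e4f1b27"
    base = TEMP_DIR + "\\" + guid
    for p in (
        base + r"\program.exe",      # matches: '*' absorbs "gram"
        base + r"\pro.exe",          # matches: '*' may match nothing
        base + r"\PROGRAM.EXE",      # matches: case-insensitive comparison
        base + r"\sub\program.exe",  # no match: extra folder level
        base + r"\program.exe.bak",  # no match: must end in ".exe"
        TEMP_DIR + r"\3f2a9c1e-7b4d-4e55-9a21-0c8d6e4f1b2\program.exe",  # no match: 11-char last group
    ):
        print(is_excluded(p), p)
```

The last two negative cases show why the post's caveat matters: a folder name of a different length, or a trailing suffix on the file name, falls outside the exclusion.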
  16. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  17. It only works on newer variants if it has a private key for the encrypted files. Since there is a different private key for every ID, and it isn't possible to obtain the private keys in most cases, it's usually impossible to decrypt files that have been encrypted by STOP/Djvu. Due to how the ransomware encrypts files, some types of files can be repaired as they are only partially encrypted; however, only certain file formats are tolerant of missing data, and thus those that aren't can't be recovered in this way. The article "About the STOP/Djvu Decrypter" I've linked to previously covers this along with what software can help with repairing files.
  18. It would be OK if you weren't hijacking someone else's topic. I'll move your post and mine into a new topic once I've finished typing it. You will have to find the new topic yourself though, as apparently it's a violation of GDPR for me to use the "Log in as" feature on the forums to log in as you and follow the new topic for you.
      We remove any duplicate signatures from our own database. There's no good reason to keep a signature for something in our database if BitDefender's engine also detects it, and doing so bloats the database with redundant signatures, so every now and then we go through the process of checking for and removing duplicate signatures as part of regular database optimizations. This will probably bias the detections in favor of the BitDefender engine, since it's our own engine that we're removing the duplicate signatures from.
      We don't make our budget public, and quite frankly I don't think our management has ever had a company meeting where they let our employees know where we spend our money either, so all I can say is that if you save a ridiculous amount of money by dropping out of testing then it might be able to pay an extra salary or two.
      We fix security issues in EAM on a regular basis, and we update the protection mechanisms regularly as well. We just don't make a big deal about it when we do, because those are "under the hood" changes that customers can't see (at least as long as the changes don't introduce a new bug that causes some customers to contact our support). We've never listed the majority of changes in our release notes. That's nothing new, as we've always limited the release notes to just the major things that customers were waiting for us to fix. We fill in with "minor tweaks and fixes" just to let those who read it know that we did more than the one or two other things listed in the blog posts.
      Our history of product update announcements disagrees with you: https://blog.emsisoft.com/en/category/emsisoft-news/product-updates/
      It literally costs us nothing to have an extra subforum, unless we need to pay someone to monitor it and reply to topics in it. We already had a feedback subforum in the past. Most of the topics were never replied to, as support representatives can really only thank you for your feedback and promise that it will be considered, and while members of the management team would read the feedback they didn't usually have the time to reply to most of it. Our management team prefers feedback to be sent to a dedicated e-mail address; that way they receive all of it in a place that's easy for them to access and review, without leaving forum topics sitting there appearing to have been ignored.
      The management console happens to be a rather important feature, not only for corporate customers and MSPs, but also for home users who want to be able to manage their devices quickly and easily from anywhere.
  19. This is more than likely a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  20. Its driver can't be loaded without administrator rights, however if you're using the standalone version (as opposed to the version bundled with Emsisoft Emergency Kit) then it should be possible to install the service with the /s parameter from an elevated Command Prompt, and then run it from a Command Prompt without admin rights as the service would handle everything in the background. Please note however that I haven't tested this recently, and functionality with regards to admin rights may have changed.
  21. The ID is a code that identifies your computer so that the criminals know what private key they should send you if you pay the ransom. I can't remember exactly what that code is, however I do know it won't help you decrypt your files. If anything on your computer could help you decrypt your files, then our decrypter would be able to do it for you. No, it's just a list of IDs that have been assigned to files on your computer. It's important for the ransomware to document this so that the criminals know if you need to be sent more than one private key when you pay the ransom. Newer variants of the STOP/Djvu ransomware use RSA keys, which means there is a "public key" for encrypting files, and a "private key" for decrypting them. There is nothing that can be learned from the public key that could help you decrypt your files, as it is specifically designed to be publicly accessible without revealing how to decrypt files it has been used to encrypt.
  22. Correct. Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future. We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters: https://www.bleepingcomputer.com/ If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news: https://www.bleepingcomputer.com/feed/ The STOP/Djvu ransomware is only known to come from pirated downloads. In general, if you download anything from a source that you don't completely trust, it's best to open it in a virtual machine or a sandbox just to be on the safe side.
  23. Please see the information posted at the following link by Fabian Wosar: https://www.bleepingcomputer.com/forums/t/561970/new-pclock-cryptolocker-ransomware-discovered/page-22#entry3593039