GT500

Emsisoft Employee

  • Content Count: 11223
  • Days Won: 323

Everything posted by GT500

  1. Offline IDs and public keys are used by the ransomware when it starts encrypting your files in cases where it was unable to connect to its command and control servers and ask for a unique ID and RSA keys to be generated for your files. If you have an online ID, then your ID and the public key used to encrypt your files were randomly generated by the server operated by the criminals, and the only way to decrypt your files is with the private key that is in the possession of the criminals (we don't have access to those). What version of the decrypter do you have? Version 1.0.0.3 had a bug that caused it to always say "Old Variant", and this was fixed in version 1.0.0.4. Also, what was added to the end of all your file names? .nelasod? If so, you just need to upload file pairs via our online submission form. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  2. That is one of the earliest of the old variants of the STOP/Djvu ransomware. I'm not certain what the offline ID was for that one (it's early enough that I don't think offline IDs ended in "t1" for every variant), however the odds are it's an online ID. You'll probably need to supply file pairs via our online submission form in order to help the decrypter "learn" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  3. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  4. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  5. We just added the private key for .reha offline IDs on Thursday, which is why it suddenly was able to decrypt your files. Thanks for letting us know that it worked. 👍
  6. It could mean some server-side trouble, or perhaps someone was working on something when you tried the decrypter. Give it another try, and I'll see if there are any known issues with the server right now.
  7. Emsisoft Anti-Malware should be enough protection. If you want you can also use a good ad blocker in your web browser (such as uBlock Origin) and of course the Emsisoft Browser Security extension for your web browser (Emsisoft Anti-Malware will recommend it when you open Firefox, Google Chrome, or Microsoft Edge).
  8. It might be easier to just follow Microsoft's instructions to reset your HOSTS file back to default: https://support.microsoft.com/en-us/help/972034/how-to-reset-the-hosts-file-back-to-the-default
  9. All of these are newer variants of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  10. I recommend starting with logs from FRST. You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ It's not digitally signed, so some security solutions will try to prevent it from running or delete it while it's checking system information for its logs, however it is safe.
  11. It looks like ID Ransomware told you this was Dharma. The detection should be accurate, and there's no known way to decrypt files that have been encrypted by Dharma.
  12. This is not an old variant. This is actually a newer variant, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ There was a bug in version 1.0.0.3 of the decrypter that caused it to always say "Old Variant". This has been fixed in version 1.0.0.4 of the decrypter. Please note that this did not affect decryption in any way.
  13. Just be sure to make a backup of your encrypted files before you do anything, that way you'll have them in a safe place in case anything happens to them before you can decrypt them.
  14. .topi is new enough that we probably don't have the private key for its offline ID yet. As Kevin mentioned, if you have an offline ID then we recommend running the decrypter every week or two to see when we add the private key.
  15. That's an older variant of STOP/Djvu, however since you have an online ID you'll need to supply file pairs via our online submission form to help the decrypter "learn" how to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  16. I figured it would be nice to know that the issue wasn't going to cause any problems.
  17. Emsisoft Anti-Malware does not block access to USB devices of any kind. Let's try getting a log from FRST, and see if it shows the cause of the issue. You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: When FRST checks the Windows Firewall settings, Emsisoft Anti-Malware's Behavior Blocker will quarantine it automatically. This can be avoided by clicking "Wait, I think this is safe" in the notification that is displayed while FRST is scanning.
  18. Do you have any files of these types that you downloaded originally, and could simply redownload to use for file pairs? Is it also possible that you have copies of some of these types of files on removable media (USB flash drives, CDs, etc.) or perhaps even your phone? Could friends or family have copies of any of the files that were encrypted on your computer?
  19. I've mentioned this to QA. BTW: The NTFS file system doesn't appear to have a limit to the number of files that can be in a folder, and the maximum number of files that can be on an NTFS volume is 4,294,967,295. http://technet.microsoft.com/en-gb/library/bb457112.aspx
  20. Were you connected to the Internet while running the decrypter? Was there security/Anti-Virus/Firewall software on the computer that could have been blocking it from accessing the Internet?
  21. If you have encrypted and original copies of each file you'd like to submit, then you can do so at the following link: https://decrypter.emsisoft.com/submit/stopdjvu/
  22. While this is technically a possibility, we do recommend making a backup of your encrypted files so that you can keep them somewhere safe just in case a method to decrypt them is made available some time in the future.
  23. Since it's an offline ID then, assuming someone who also has an offline ID for .kodc pays the ransom and is kind enough to donate their decrypter to us, we'll be able to add the private key for decryption of files with the offline ID at some point in the future. My recommendation is to run the decrypter once every week or two to see if we've been able to add the private key.
  24. It's an online ID. Unfortunately I don't think there's anything we'll be able to do for online IDs unless we can somehow obtain the database of private keys kept by the criminals who made/distributed the ransomware.
  25. There seem to be very few reports of a ransomware using .dante as a file extension, and it does not appear to have been identified yet. Go ahead and attach copies of the ransom note and an encrypted file to a reply so that we can take a look at it.