GT500

Emsisoft Employee
Everything posted by GT500

  1. We don't generally recommend relying on free protection, or protection built into the Operating System. You can try our Emsisoft Anti-Malware if you'd like, or another Anti-Virus software, but we do recommend paid protection over free protection.
  2. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  3. This is a newer variant of STOP/Djvu. Fortunately your ID is an offline ID, however we don't yet have the private key for it. I recommend running the decrypter once every week or two so that you can see when we've been able to add the private key for your variant. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  4. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  5. He's either a criminal (either a criminal involved with the ransomware or a scam artist), or he's one of those who pays the ransom for you and then overcharges you for it. Either way my recommendation is not to pay him anything, and to cease all communication with him.
  6. If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back. Until something like that happens, there's nothing we can do about online IDs. Our recommendation for now is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future. We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters: https://www.bleepingcomputer.com/ If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news: https://www.bleepingcomputer.com/feed/
  7. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  8. @jaffar we never actually got a sample of the .rote variant of STOP/Djvu, so we don't have its offline ID on file. Could you attach a copy of the encrypted file to a reply that our decrypter says has an offline ID? The Word document you attached to your first post has an online ID (q6OxUk3VDgW4BqrccLHj9q406UixL5m64FmWEkRP) and thus isn't going to be decryptable.
  9. All of those use multiple connections as well, so that's why you're seeing the high CPU usage there. Here are screenshots of my iperf test, which (as far as I know) uses only a single connection. Note that I was also remotely connected to the system I was testing from via NoMachine, which was using up some bandwidth and CPU time as well.
  10. Also @pkolasa and @tox1c90 it might be helpful if you could post your FDM settings and a download link we could use to reproduce this with. You can send them in a private message if you prefer.
  11. FYI: One of our developers says that the only overhead our WFP driver introduces is when new connections are created, so it's possible the download manager that's being used is creating too many connections while attempting to download files. @pkolasa and @tox1c90 can either of you confirm if you're able to reduce the number of connections the download manager opens per file, and whether or not doing so affects the CPU usage?
  12. If your license key is already registered to your account, then you don't need to register it again. Did you try logging in to your MyEmsisoft account in Emsisoft Anti-Malware? Did it activate when you did so?
  13. It looks like AMD processors based on Zen 2 also have this feature. However, I have read accounts of measurable performance reductions with Hyper-V turned on (not HVCI, since Win 10 2004 wasn't out yet), although that could be due to differences in AMD's implementation, or perhaps even just issues with the version of AGESA that came with the BIOS on the motherboards of those reporting the performance issues (AMD CPU performance can vary from one version of AGESA to the next). Anyway, I'll see if I can reproduce this CPU usage issue on Win 10 1909 using iperf to simulate a gigabit download from my router. I'll be testing it on an AMD Ryzen 7 3800X rather than an Intel though.
  14. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  15. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  16. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  17. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  18. I'm not aware of any cases of files being stolen with the STOP/Djvu ransomware, however it's still entirely possible for them to alter tactics and do something like that. Several ransomware families that have been targeting businesses have already started stealing data for use as blackmail/extortion. Of course, there's always the possibility that the computer was infected by other things as well, increasing the likelihood of data theft. Absolutely. The STOP/Djvu ransomware uses the Azorult trojan to steal passwords, so change any passwords you use.
  19. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  20. This is a newer variant of STOP/Djvu. Since your ID is an online ID there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  21. Unfortunately that's the case with the majority of ransomware infections these days. Just in case this infection was due to RDP (Remote Desktop) compromise, I'll paste some steps below for getting started trying to prevent future intrusions.

      First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

      If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

      Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions). I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server.

      If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

      When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
  22. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  23. OK, we do not have the private key for .rote's offline ID. I assume this is the key you're talking about? https://pastebin.com/eF3vEZLc
  24. That usually means it can't find any encrypted files. Try checking a single file, and see if it starts faster.
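Several of the STOP/Djvu replies above (posts 2, 3, 4, 8 and 22) turn on one question: does the victim's personal ID mark an offline or an online infection, and which variant (file extension) is involved? The script below is an added example written for this page; it is not Emsisoft's decrypter or any code from the posts. It reads the ID out of the ransom note text, applies the rule from Emsisoft's public STOP/Djvu decrypter documentation that offline IDs end in "t1", works out the variant extension from the encrypted filenames, and prints the next step the posts recommend for each case. The ransom note, file list and ID in SAMPLE_NOTE are constructed for the demo, the `_readme.txt` note layout and the "name.ext.xxxx" filename pattern are assumptions about how the ransomware names things, and the second ID in the usage call is the online ID quoted in post 8.

```python
"""Triage helper for a STOP/Djvu infection.

Added example for this page; not Emsisoft's decrypter. It classifies the
personal ID from the ransom note and identifies the variant extension.
"""
import re
from collections import Counter

# Rule from Emsisoft's public STOP/Djvu decrypter documentation: an offline ID
# ends in "t1". Every other ID is treated as an online ID.
OFFLINE_SUFFIX = "t1"

# Assumption: the ransom note carries the ID after a "Your personal ID:" line.
ID_RE = re.compile(r"Your personal ID:\s*([A-Za-z0-9]{20,})", re.IGNORECASE)

# Assumption (heuristic): an encrypted file keeps its original name and gains a
# short lowercase extension, e.g. report.docx.rote. Files with a single dot
# (such as the note itself) are ignored.
ENC_RE = re.compile(r"^.+\..+\.([a-z]{4,5})$")

# Constructed sample note; the ID is made up and happens to end in "t1".
SAMPLE_NOTE = """ATTENTION!

Don't worry, you can return all your files!
All your files like pictures, databases, documents and other important are encrypted.

Your personal ID:
0123abcdEFGH4567ijklMNOP8901qrstUVWXyzt1
"""

# Constructed sample directory listing.
SAMPLE_FILES = ["report.docx.rote", "holiday.jpg.rote", "budget.xlsx.rote",
                "_readme.txt", "notes.txt"]


def extract_id(note_text):
    """Return the personal ID found in the ransom note, or None."""
    m = ID_RE.search(note_text)
    return m.group(1) if m else None


def classify_id(personal_id):
    """Return 'offline' or 'online' for a STOP/Djvu personal ID."""
    pid = personal_id.strip()
    if not pid.isalnum():
        raise ValueError("personal ID should be alphanumeric")
    return "offline" if pid.endswith(OFFLINE_SUFFIX) else "online"


def variant_extension(filenames):
    """Return the most common appended extension among encrypted-looking files."""
    counts = Counter()
    for name in filenames:
        m = ENC_RE.match(name)
        if m:
            counts[m.group(1)] += 1
    return counts.most_common(1)[0][0] if counts else None


def triage(note_text, filenames):
    """Combine ID type and variant extension into the advice given in the thread."""
    pid = extract_id(note_text)
    ext = variant_extension(filenames)
    if pid is None:
        return {"id": None, "id_type": None, "extension": ext,
                "advice": "no personal ID found; locate _readme.txt and retry"}
    kind = classify_id(pid)
    if kind == "offline":
        advice = ("offline ID: keep the encrypted files and rerun the decrypter "
                  "every week or two; it will work once the private key for the ."
                  + (ext or "?") + " variant is added to the database")
    else:
        advice = ("online ID: not currently decryptable; back up the encrypted "
                  "files, change all passwords (Azorult steals them), and watch "
                  "BleepingComputer for decrypter news")
    return {"id": pid, "id_type": kind, "extension": ext, "advice": advice}


if __name__ == "__main__":
    print(triage(SAMPLE_NOTE, SAMPLE_FILES))
    # The online ID quoted in post 8 does not end in "t1".
    print(classify_id("q6OxUk3VDgW4BqrccLHj9q406UixL5m64FmWEkRP"))
```

Run it against the real note and a listing of one affected folder; if the ID is not 40 characters or the extension count is zero, treat the result as inconclusive rather than forcing a classification, since the decrypter reads the ID from the encrypted files themselves and is the authority.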
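Post 21 recommends an IDS/IPS that actually alerts on intrusion attempts against exposed services such as RDP. The script below is an added example for this page, not code from the post or from Emsisoft; it shows the minimum detection logic such alerting needs, run over constructed Windows Security event records shaped like events 4625 (failed logon) and 4624 (successful logon). It flags a source address that accumulates failures within a sliding window, distinguishes a single-account brute force from a password spray across many accounts, and raises a higher-severity finding when a successful logon from the same address follows the failures. The line format, window, thresholds and the sample events are all assumptions chosen for the demo; the event IDs and logon types are the standard Windows ones (type 10 is RemoteInteractive, and RDP failures commonly surface as type 3 when Network Level Authentication is used).

```python
"""Detect RDP brute force and password spraying in Windows Security events.

Added example for this page; not from the forum post or from Emsisoft.
Input lines are constructed to resemble the useful fields of events 4625
and 4624; real logs would be pulled with wevtutil/Get-WinEvent and mapped
to the same fields.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption: sliding window for counting failures
FAIL_THRESHOLD = 5              # assumption: failures per source before alerting
SPRAY_USERS = 3                 # assumption: distinct accounts that mark a spray

# Assumed line layout: "<iso time> <event id> LogonType=<n> TargetUserName=<u> IpAddress=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<eid>\d+)\s+LogonType=(?P<lt>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$")

# Constructed sample: one address sprays several accounts, then logs in;
# a second address has two typo-style failures; one type-2 event is local.
SAMPLE_LINES = [
    "2020-05-01T02:00:00 4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.5",
    "2020-05-01T02:00:10 4625 LogonType=3 TargetUserName=admin IpAddress=203.0.113.5",
    "2020-05-01T02:00:15 4625 LogonType=2 TargetUserName=jsmith IpAddress=127.0.0.1",
    "2020-05-01T02:00:20 4625 LogonType=3 TargetUserName=backup IpAddress=203.0.113.5",
    "2020-05-01T02:00:30 4625 LogonType=3 TargetUserName=sql IpAddress=203.0.113.5",
    "2020-05-01T02:00:35 4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10",
    "2020-05-01T02:00:40 4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.5",
    "2020-05-01T02:00:50 4625 LogonType=3 TargetUserName=helpdesk IpAddress=203.0.113.5",
    "2020-05-01T02:00:55 4625 LogonType=10 TargetUserName=jsmith IpAddress=192.0.2.10",
    "2020-05-01T02:01:30 4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5",
]


def parse_events(lines):
    """Parse the assumed line format into dicts, sorted by time; skip junk lines."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.fromisoformat(m["ts"]), "eid": int(m["eid"]),
                       "lt": int(m["lt"]), "user": m["user"], "ip": m["ip"]})
    events.sort(key=lambda e: e["ts"])
    return events


def analyze(events, window=WINDOW, fail_threshold=FAIL_THRESHOLD, spray_users=SPRAY_USERS):
    """Return findings: brute_force / password_spray per source, and success_after_failures."""
    findings = []
    failures = defaultdict(list)   # ip -> [(ts, user)] within the window
    flagged = set()                # ips already reported, to avoid repeat alerts
    for e in events:
        if e["lt"] not in (3, 10):          # only remote logon types matter here
            continue
        ip = e["ip"]
        # Drop failures that fell out of the sliding window.
        failures[ip] = [(t, u) for t, u in failures[ip] if e["ts"] - t <= window]
        if e["eid"] == 4625:
            failures[ip].append((e["ts"], e["user"]))
            recent = failures[ip]
            users = sorted({u for _, u in recent})
            if len(recent) >= fail_threshold and ip not in flagged:
                kind = "password_spray" if len(users) >= spray_users else "brute_force"
                findings.append({"kind": kind, "ip": ip, "failures": len(recent),
                                 "users": users, "at": e["ts"]})
                flagged.add(ip)
        elif e["eid"] == 4624 and ip in flagged and failures[ip]:
            # A success from an address that was just failing is the alert that matters.
            findings.append({"kind": "success_after_failures", "ip": ip,
                             "user": e["user"], "at": e["ts"]})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_LINES)):
        print(f)
```

The `success_after_failures` finding is the one worth paging on: a spray that ends in a 4624 from the same address is the pattern the post describes, where the attacker is already inside and the ransomware follows. The same logic is what a pentester should trigger deliberately when verifying the IDS/IPS, as post 21 suggests.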