GT500

Emsisoft Employee

Everything posted by GT500

  1. If law enforcement is able to catch the criminals or otherwise gain access to their servers and release their private keys for use in decrypters, then we can add them to our database so that everyone can get their files back. Our recommendation is to save a backup of your encrypted files and keep it in a safe place in case decryption is possible at some point in the future. We also recommend keeping an eye on BleepingComputer's newsfeed, as they will usually report on new developments with ransomware decrypters: https://www.bleepingcomputer.com/ If you have an RSS feed reader, then they also have an RSS feed so that you don't have to manually check for news: https://www.bleepingcomputer.com/feed/
  3. a2start.exe needs to be exited and relaunched in order to stop the high CPU usage, and that's the quickest way to do it without turning the self-protection off. We're still investigating the exact cause, but we're getting closer to figuring it out. Hopefully it won't be too much longer.
  4. At the moment I don't think we have plans to add such a feature; however, please keep in mind that we don't normally talk about or announce new features until we have a beta available for everyone to try. It's more that we don't think it's any more effective than our Behavior Blocker. Keep in mind that Microsoft already implemented such a feature, and yet more computers with no third-party anti-virus software installed are getting hit with ransomware.
  5. If Firefox wasn't running when the crashes happened then it's most likely not involved in them. Any MEMORY.DMP files? That's what we'll need more than anything else to figure out what happened. Debug logs probably wouldn't hurt either, but you'd have to let the crash happen again to get those.
  6. Nothing. I was just told that a symlink issue in EAM was reported and fixed some time ago, so EAM's cleaning engine won't follow symlinks (meaning it won't restore to them, or quarantine/delete from them). https://bogner.sh/2017/11/local-privilege-escalation-in-emsisoft-anti-malware-by-abusing-ntfs-directory-junctions-avgater/ Edit: In case there's any confusion about my statement, it means EAM wasn't vulnerable to this newly reported symlink issue.
  7. Files don't start "online" and then "go offline". You either have an online ID or an offline ID, and that doesn't change.
  8. The STOP/Djvu ransomware is easy to remove, and can be detected by most Anti-Virus software. We have a free scanner called "Emsisoft Emergency Kit" you can use if you'd like: https://www.emsisoft.com/en/home/emergencykit/ After that, try running our STOP/.Djvu decrypter and let me know what ID it says your files have: https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu More information is available at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  9. What does the decrypter say about files it can't decrypt?
  10. This is a newer variant of STOP/Djvu. If you have an offline ID, then once we can find the decryption key for this variant and add it to our database you should be able to recover your files. However, if you have an online ID (which is more likely) then it will not be possible to recover your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ This is a new enough variant that we wouldn't have the private key yet. For those with an offline ID, I recommend running the decrypter once every week or two so that you can see when we've had a chance to add it to our database.
  11. CryptoSearch was made by the same guy who maintains ID Ransomware, however ID Ransomware is more accurate at identification of ransomware (CryptoSearch is just intended to find files for backup). I recommend using ID Ransomware instead of CryptoSearch for identification purposes: https://id-ransomware.malwarehunterteam.com/ Neither are decryptable. My recommendation is to back up your encrypted files in case decryption becomes possible in the future.
  12. That's an online ID. That doesn't work with newer variants of STOP/Djvu.
  13. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  14. You can submit file pairs at the following link: https://decrypter.emsisoft.com/submit/stopdjvu/ More information about the STOP/Djvu decrypter is available at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  15. This is a newer variant of STOP/Djvu, and your ID is an online ID, so there is currently no way to decrypt your files. There is more information at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
  16. I've asked to verify which ransomware was used.
  17. We only have the information you've sent us thus far, and we wouldn't have keys for anything you've not tried file pairs for yet.
  18. The issue appears to be that your files weren't all encrypted by the same key. Based on what you've sent us thus far, it looks like your files were encrypted with at least three different keys. Fortunately different keys are used on different files, so you should be able to decrypt your files; it's just going to take a lot more time than normal. Go ahead and try a file pair, run the decrypter, and see what it decrypts. After that, find another file pair to try (something that wasn't decrypted), use it with the decrypter and see what it decrypts, then repeat that over and over again until you've managed to decrypt everything.
  19. The file you used for your file pair has some alterations at the end of the file, and may not work as a proper file pair. Keep trying until you find one that works, and keep in mind that you'll need a separate file pair for every type of file you want to decrypt.
  20. I would believe BitDefender's scan engine detected the EICAR signature because they've already fixed this.
  21. Another question; did either of you have Firefox open when the crashes happened? It may be a long shot, but @stapp forwarded me this link, so I figured it was worth asking just in case: https://www.wilderssecurity.com/threads/mozilla-firefox.388154/page-35#post-2917135
  22. Based on the e-mail address used and the extension format this does appear to be Matrix: https://id-ransomware.malwarehunterteam.com/identify.php?case=8be319513de6b4594b6c1c8bf7ece0617d578c89 Unfortunately I don't think there's any known way to decrypt files that have been encrypted by the Matrix ransomware.
  23. We're able to debug it internally. It's just taking us some time to figure out what's going on due to how unpredictable reproducing the issue is. When you sometimes have to wait for days or even a week to know if the issue is still going to happen, it really slows things down. We agree that this issue needs to be fixed. I've been helping collect debug information whenever possible to aid our developers in figuring this out, so hopefully this won't be an issue for too much longer. For now, when it happens, simply right-click on the little Emsisoft icon in the lower-right corner of the screen (to the left of the clock) and select Shut down protection. After that hold down the Ctrl and Shift keys on your keyboard and press Esc to open the Task Manager, click More details in the lower-left, switch to the Details tab, and wait until a2service.exe disappears from the list. Next you can re-open Emsisoft Anti-Malware from the Start Menu, and the CPU usage will be normal. That should save you the trouble of needing to restart your computer to fix it.
  24. @haydn and @MJmusicguy, does the following file exist on your computers? C:\Windows\MEMORY.DMP Would it be possible to compress/archive this file with something like 7-Zip or WinRAR and send it to me privately? If you have to use a third-party file sharing service, then please use a password when compressing the file, and send me the password privately.