quietman7

Visiting Expert
About quietman7

  • Rank
    Active Member

Profile Information

  • Gender
    Not Telling
  • Location
    Virginia

  1. You need to post the required information (i.e. Personal ID, Extension of files & MAC (physical) Address of the infected computer) here for Demonslay335 (Michael Gillespie) to archive your information.
  2. Any files encrypted with the .kiratos extension are related to a newer variant of STOP (DJVU) Ransomware. Please read the first page here for a summary of this ransomware, its variants and possible decryption solutions with instructions AND the ***IMPORTANT: @ ALL VICTIMS.... note at the top. "Before asking questions...PLEASE READ these Frequently Asked Questions (FAQs)." You need to post the required information (i.e. Personal ID, Extension of files & MAC (physical) Address of the infected computer) in the above topic if STOPDecrypter is unable to decrypt your files so the developer, Demonslay335 (Michael Gillespie), can archive your information in case a future solution becomes available.
  4. Any files encrypted with the .hrosas extension are related to a newer variant of STOP (DJVU) Ransomware. Please read the first page here for a summary of this ransomware, its variants and possible decryption solutions with instructions AND the ***IMPORTANT: @ ALL VICTIMS.... note at the top. "Before asking questions...PLEASE READ these Frequently Asked Questions (FAQs)." You need to post the required information (i.e. Personal ID, Extension of files & MAC (physical) Address of the infected computer) in the above topic if STOPDecrypter is unable to decrypt your files so the developer, Demonslay335 (Michael Gillespie), can archive your information in case a future solution becomes available.
  5. ID Ransomware will provide different results according to what is submitted. Submitting an encrypted file with a common extension used by other ransomware usually results in a false positive. That is why as I noted above, it is important to submit both encrypted files and ransom notes together as well as any contact email addresses or hyperlinks provided by the criminals. The more information, the more accurate the results.
  6. As IDR indicates...currently there is not enough information about MegaLocker. I am not aware of any method to decrypt files encrypted by this ransomware without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. For now you can opt-in with IDR to be emailed if any further developments are made for this particular ransomware by clicking the link under Please check back later. In cases where there is no free decryption tool, restoring from backup is not a viable option and file recovery software does not work, the only other alternative to paying the ransom (if you can even reach the criminals to pay) is to backup/save your encrypted data as is and wait for a possible solution...meaning that while decryption of your data seems like an impossibility at the moment, there is always hope that someday there may be a solution.
  7. The link to your IDR results indicates you only submitted a sample of an encrypted file with the .crypted extension which is very generic and used by several different ransomwares to include Yoshikada Decryptor (GlobeImposter variant), Nemucod, and MegaLocker. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. Submitting any contact email addresses or hyperlinks provided by the criminals may also be helpful with identification.
  8. ID Ransomware should recognize .ITLOCK as a Matrix Ransomware variant which is not decryptable without paying the ransom and obtaining the private keys from the criminals who created the ransomware.
  9. If you need individual assistance only with removing the malware infection, there are advanced tools which can be used to investigate and clean your system. Please follow the instructions here for assistance by Emsisoft Experts. Of course you can always choose to do a reinstall of Windows (clean install) instead, but it never hurts to try a clean-up first with trustworthy security scanning tools if that is something you want to consider. The process of reinstalling Windows (clean install) will erase all the data on your computer, including your files, any programs you installed and the settings on your computer. It essentially will return the computer to the same state it was in when you first purchased and set it up. Before attempting a reinstall or factory restore (reset) of Windows it is recommended to create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system (and all encrypted data) including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed in the event that a free decryption solution is developed in the future. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a decryption solution is ever discovered. Alternatively, you can remove the hard drive, store it away and replace it with a new hard drive and a fresh install of Windows.
     First steps when dealing with ransomware
     I've been infected with ransomware! What should I do?
     What to Do If You're Infected by Ransomware
  10. The extension looks random. There are several different ransomware infections which append a random 4, 5, 6, 7, 8, etc. character extension to the end of all affected filenames, including CTB-Locker, Crypt0L0cker, Magniber, GandCrab V5+, CryptON (Cry9, Cry36, Cry128, Nemesis), Skull, MrDec (Mr.Dec), SynAck, Maktub Locker, Alma Locker, Princess Locker, Princess Evolution, Locked-In, Mischa, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x and some Xorist variants. The best way to identify the different ransomwares that use "random character extensions" is the ransom note (including its actual name and contents), samples of the encrypted files, possible filemarkers, the malware file itself responsible for the infection and information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment. You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomwares with random extensions and more accurately identifies ransomwares by filemarkers if applicable. Based on infection rates we see, you are most likely infected with a variant of GandCrab V5. GandCrab V5 (V5.0.1) will have a random 5 character extension (i.e. .fbkdp, .ibagx, .qikka) appended to the end of the encrypted data filename and leave files (ransom notes) named [random extension]-DECRYPT.html (i.e. qikka-DECRYPT.html, eiuhtxjzs-DECRYPT.html). GandCrab V5.0.2 and GandCrab V5.0.3 will have a random 5-9 character extension (i.e. .fnxfavh, .eiuhtxjzs, .ilrkdszxe) appended to the end of the encrypted data filename and leave files (ransom notes) named [random extension]-DECRYPT.html (i.e. fnxfavh-DECRYPT.html, eiuhtxjzs-DECRYPT.html). GandCrab V5.0.4+ will have a random 5-10 upper-case character extension (i.e. .XMMFA, .LUKIZQW, .TKKLKM, .PFBRBHHEVM) appended to the end of the encrypted data filename and leave files (ransom notes) named [random upper-cased extension]-DECRYPT.txt (i.e. LUKIZQW-DECRYPT.txt, TKKLKM-DECRYPT.txt). GandCrab V5.1+ will have a random 5-10 upper-case character extension appended to the end of the encrypted data filename. GandCrab V5.2, like its predecessors, will also have a random 5-10 character extension appended to the end of the encrypted data filename. If confirmed, Bitdefender released a free decrypter for GandCrab V1, V4 and up through V5.1+, recognizable by their extensions... .GDCB, .KRAB and random 5-10 characters (i.e. .fbkdp, .ibagx, .qikka, .eiuhtxjzs9, .LUKIZQW, .TKKLKM, .PFBRBHHEVM) respectively.
      BDGandCrabDecryptTool Requirements, download and How to use the Tool
      Decryption Tools: GandCrab (V1, V4 and V5 up to V5.1 versions)
      alternate download
      How to use the Bitdefender GandCrab Decryption Tool Manual
      Files encrypted by GandCrab V5.2 are not decryptable without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities, like previous versions. The criminals released V5.2 after Bitdefender updated its decrypter for V5.1, so it will not work on this latest version. Bitdefender confirmed that there is no decryption tool for GandCrab V5.2.
      GandCrab Decrypter Available for v5.1, New 5.2 Variant Already Out
  11. STOPDecrypter was updated to include support for the .kroput variant if you were hit by the OFFLINE KEY - "upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1" as explained here. Please read the instructions here (including what to do if the decrypter does not work). Demonslay335 (Michael Gillespie) is the creator of STOPDecrypter. He is a trusted Security Colleague (Expert) here at Emsisoft, a ransomware researcher/analyst with the MalwareHunterTeam, and the creator of ID Ransomware (IDR).
  12. The .promorad2 extension is a newer variant of STOP (DJVU) Ransomware and ID Ransomware should confirm the infection. STOPDecrypter has been updated to include support for the .promorad2 variant if you were hit by the OFFLINE KEY - "0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDosJ24DmXt1" as explained in here.
  13. The extension looks random. There are several different ransomware infections which append a random 4, 5, 6, 7, 8, etc. character extension to the end of all affected filenames, including CTB-Locker, Crypt0L0cker, Magniber, GandCrab V5+, CryptON (Cry9, Cry36, Cry128, Nemesis), Skull, MrDec (Mr.Dec), SynAck, Maktub Locker, Alma Locker, Princess Locker, Princess Evolution, Locked-In, Mischa, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x and some Xorist variants. The best way to identify the different ransomwares that use "random character extensions" is the ransom note (including its actual name and contents), samples of the encrypted files, possible filemarkers, the malware file itself responsible for the infection and information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment. As already noted, you can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomwares with random extensions and more accurately identifies ransomwares by filemarkers if applicable. Your attachments indicate you are dealing with GandCrab V5.2, which is not decryptable without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities, like previous versions. The criminals released V5.2 after Bitdefender updated its decrypter for V5.1, so it will not work on this latest version. Bitdefender confirmed that there is no decryption tool for GandCrab V5.2.
      GandCrab Decrypter Available for v5.1, New 5.2 Variant Already Out
  14. Files encrypted with the .kroput extension are the newest variant of STOP (DJVU) Ransomware. You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the malware developer to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. This is a service that helps identify what ransomware may have encrypted your files. Please read here for a summary of this infection, its variants and possible decryption solutions with instructions (including what to do if the decrypter does not work).
  15. Any files that are encrypted with Dharma (CrySiS) Ransomware will have an <id>-<id with 8 random hexadecimal characters>.[<email>] followed by one of its many different extensions appended to the end of the encrypted data filename as explained here. The .ETH extension is one of the newest Dharma (CrySiS) variants. These are a few examples.
      <filename>.<extension>.id-A04EBFC2.[[email protected]].dharma
      <filename>.<extension>.id-480EB957.[[email protected]].wallet
      <filename>.<extension>.id-EB214036.[[email protected]].zzzzz
      <filename>.<extension>.id-5FF23AFB.[[email protected]].onion
      <filename>.<extension>.id-30B3DDC1.[[email protected]].arena
      <filename>.<extension>.id-EE6A4622.[[email protected]].adobe
      <filename>.<extension>.id-B4BCE79D.[[email protected]].ETH
      Dharma (CrySiS) will leave files (ransom notes) with names like README.txt, README.jpg, Hello my vichtim.txt, Your personal data are encrypted!.txt, FILES ENCRYPTED.txt, info.hta. ID Ransomware should confirm the infection. Unfortunately, there is no known method at this time to decrypt files encrypted by any of the newer variants of Dharma (CrySiS), including the .ETH variant, without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities.
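As an added example (not code from these posts, from ID Ransomware or from Emsisoft), the filename conventions described in posts 10 and 15 can be turned into a first-pass triage of a directory listing: GandCrab V5 ransom notes named `<extension>-DECRYPT.html` (lower-case, V5.0.1-V5.0.3) or `<EXTENSION>-DECRYPT.txt` (upper-case, V5.0.4+) paired with files carrying that same appended extension, and Dharma's `.id-<8 hex>.[<email>].<ext>` suffix. The listings, e-mail address and IDs below are constructed; as the posts say, this is only a hint and the real identification still needs the note contents and samples submitted to IDR.

```python
import re

# Patterns derived from the naming conventions described in the posts above.
# Dharma (CrySiS): <name>.<ext>.id-<8 hex chars>.[<email>].<variant extension>
DHARMA_RE = re.compile(r"\.id-([0-9A-Fa-f]{8})\.\[([^\]]+)\]\.([A-Za-z0-9]+)$")
# GandCrab V5 note: <random ext>-DECRYPT.html (V5.0.1-V5.0.3, lower case, 5-9 chars)
#                or <RANDOM EXT>-DECRYPT.txt  (V5.0.4+, upper case, 5-10 chars)
GANDCRAB_NOTE_RE = re.compile(r"^([a-z]{5,9}|[A-Z]{5,10})-DECRYPT\.(html|txt)$")


def classify_dharma(name):
    """Return (id, email, variant_ext) for a Dharma-style filename, else None."""
    m = DHARMA_RE.search(name)
    return m.groups() if m else None


def triage(listing):
    """Triage a list of file names using only the naming conventions from the
    posts. Returns a dict with the suspected family, notes, encrypted files and
    the evidence (hypothetical helper for this example)."""
    findings = {"family": None, "notes": [], "encrypted": [], "evidence": []}
    notes = {}  # random extension -> note format (html/txt)
    for n in listing:
        m = GANDCRAB_NOTE_RE.match(n)
        if m:
            notes[m.group(1)] = m.group(2)
            findings["notes"].append(n)
    for n in listing:
        d = classify_dharma(n)
        if d:
            findings["family"] = "Dharma (CrySiS)"
            findings["encrypted"].append(n)
            findings["evidence"].append("id=%s email=%s ext=.%s" % d)
            continue
        ext = n.rsplit(".", 1)[-1] if "." in n else ""
        if ext in notes:
            # Encrypted file whose appended extension equals the note's prefix.
            findings["encrypted"].append(n)
            findings["evidence"].append("%s pairs with note %s-DECRYPT.%s" % (n, ext, notes[ext]))
            if notes[ext] == "txt" and ext.isupper():
                # Filenames alone cannot separate V5.1 (Bitdefender decrypter)
                # from V5.2 (no decrypter); the note contents are still needed.
                findings["family"] = "GandCrab V5.0.4 or later"
            else:
                findings["family"] = "GandCrab V5.0.1-V5.0.3"
    return findings
```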