quietman7

Visiting Expert
  • Content Count

    32
Community Reputation

0 Neutral

About quietman7

  • Rank
    Member

Profile Information

  • Gender
    Not Telling
  • Location
    Virginia

  1. quietman7

    .[[email protected]].phobos INFECTION

    Unfortunately, there is no known method that I am aware of to decrypt files encrypted by Phobos Ransomware without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. If feasible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.
  2. quietman7

    djvur

    Update: Demonslay335 (aka Michael Gillespie), a ransomware analyst with the MalwareHunterTeam, advises victims of the newer .djvu, .djvuu, .udjvu, .djvuq, .uudjvu, .djvus, .djvur, .djvut, .djvup, .djuvq, .pdff, .tro and .tfude STOP Ransomware variants to send their ransom note, MAC address and an encrypted and original file pair to kNN for possible future decryption of their data...see these instructions. You can use any third-party sharing site (Google Drive, OneDrive, DropBox, SendSpace, Mega, etc.) to send the file pair and provide a link in your PM. However, this is not a guarantee of decryption.
  3. quietman7

    infected with encrypted files.

    Update: Demonslay335 (aka Michael Gillespie), a ransomware analyst with the MalwareHunterTeam, advises victims of the newer .djvu, .djvuu, .udjvu, .djvuq, .uudjvu, .djvus, .djvur, .djvut, .djvup, .djuvq, .pdff, .tro and .tfude STOP Ransomware variants to send their ransom note, personal ID found in the ransom note, MAC address and an encrypted and original file pair to member kNN for possible future decryption of their data (see here). Victims need to follow these instructions when sending messages to kNN...be aware that time is an important factor and this is not a guarantee of decryption. You can use a third-party sharing site (Google Drive, OneDrive, DropBox, SendSpace, Mega, etc.) to send the file pair and provide a link in your PM.
  4. quietman7

    .lost ransomware

    Did you find any ransom notes and if so, what is the actual name of the ransom note? Can you provide the ransom note contents? Did the cyber-criminals provide an email address to send payment to? If so, what is the email address? Did you submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection? This is a service that helps identify what ransomware may have encrypted your files, whether it is decryptable and then attempts to direct you to an appropriate support topic where you can seek further assistance. ID Ransomware can identify ransomwares which adds a prefix instead of an extension and more accurately identifies ransomwares by filemarkers if applicable. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. Submitting any contact email addresses or hyperlinks provided by the criminals may also be helpful with identification.
  5. quietman7

    djvur

    Files encrypted by newer STOP Ransomware variants .djvu, .djvuu, .udjvu, .djvuq, .uudjvu, .djvus, .djvur, .djvut, .djvup, .djuvq, .pdff, .tro and .tfude all leave a ransom note named _openme.txt as noted here by Michael Gillespie (aka Demonslay335). Unfortunately, there is no known method at this time to decrypt files encrypted by these new variants without paying the ransom. If feasible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time. Ignore all Google searches which provide links to bogus and untrustworthy removal/decryption guides.
  6. quietman7

    infected with encrypted files.

    Files encrypted by newer STOP Ransomware variants .djvu, .djvuu, .udjvu, .djvuq, .uudjvu, .djvus, .djvur, .djvut, .djvup, .djuvq, .pdff, .tro and .tfude are not decryptable at this time without paying the ransom. These new variants all leave a ransom note named _openme.txt as noted here by Michael Gillespie (aka Demonslay335). If feasible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time. Ignore all Google searches which provide links to bogus and untrustworthy removal/decryption guides.
  7. Thanks for the update Fabian. For those who missed it...Christian Mairoll posted Chip vulnerabilities and Emsisoft: What you need to know
  8. quietman7

    nemesis cry36

    You most likely are dealing with a dual ransomware infection. .aleta is based on the latest AES-256 version of the BTCWare Ransomware family which uses a different RSA-1024 key and is not decryptable.
  9. quietman7

    nemesis cry36

    In cases where restoring from backup is not a viable option and there is no free decryption tool, the only other alternative to paying the ransom is to backup/save your encrypted data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution. Law enforcement authorities have had some success arresting cyber-criminals, seizing C2 servers and releasing private RSA decryption keys to the public. In some cases, the cyber-criminals, for whatever reason, choose to release the master keys after a period of time. Several of them have done that here at Bleeping Computer. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice.

    First steps when dealing with ransomware
    I’ve been infected with ransomware! What should I do?
  10. quietman7

    Nemucod-AES

    Fabian has published a new version of the NemucodAES decrypter
  11. quietman7

    Nemucod-AES

    How to use the Emsisoft Decrypter for NemucodAES
  12. quietman7

    Infection by [[email protected]] .aleta

    .aleta is based on the latest AES-256 version of the BTCWare Ransomware family which uses a different RSA-1024 key and is not decryptable. If possible, your best option is to restore from backups. Other possible options include using native Windows Previous Versions or programs like Shadow Explorer and ShadowCopyView if the malware did not delete all shadow copy snapshots as it typically does or the encryption process was interrupted. It never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for these infections to sometimes fail to delete the Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work either...again, it never hurts to try.
  13. quietman7

    Windows 7 becoming obsolete?

    It has been proven time and again that the user is a more substantial factor (weakest link) in security than the architecture of the operating system or installed protection software.

    End Users Remain Biggest Security Headache as Compromised Endpoints Increase
    Social Engineering: Attacking the Weakest Link in the Security Chain
    FBI: Internet Social Networking Risks...Humans are a weak link in cyber security
    Studies prove once again that users are the weakest link in the security chain
    Krebs on Security
  14. quietman7

    Hakuna Matata

    Unfortunately, HakunaMatata is based on a secure version of NMoreira Ransomware and is not decryptable at this time. As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. These types of infections typically will delete all Shadow Volume Copies so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer. But it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for ransomware infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work...again it never hurts to try. If that is not a viable option and there is no decryption fix tool, the only other alternative is to backup/save your data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution so save the encrypted data and wait until that time. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers so keeping a backup of the original encrypted files and related information is a good practice. First steps when dealing with ransomware I’ve been infected with ransomware! What should I do?