quietman7

Visiting Expert
  1. Ransomware victims should always ensure they are using the correct decryptor tool before attempting to decrypt their files. Using an incorrect or faulty decryptor may damage or further corrupt the encrypted files, thus decreasing your chances for recovering data.
  2. More information is needed to determine specifically (confirm) what infection you are dealing with since there are so many different types of crypto malware (file encrypting ransomware). Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with, the type and strength of encryption used by the malware writers and a variety of other factors as explained here. Did you find any ransom notes and if so, what is the actual name of the ransom note? Can you provide (copy & paste) the ransom note contents? Did the cyber-criminals provide an email address to send payment to? If so, what is the email address? Did you submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) or Emsisoft Identify your ransomware for assistance with identification and confirmation of the infection? Uploading both encrypted files and ransom notes together along with any contact email addresses or hyperlinks provided by the criminals gives a more positive match with identification and helps to avoid false detections. Please provide a link to the ID Ransomware results.
  3. The .Adame extension has been used by both Phobos and a Scarab variant. Files encrypted by Phobos will have an <ID>-<id> with 8 random hexadecimal characters>.[<email>] followed by the .Adame extension as explained here by Amigo-A (Andrew Ivanov).
     <filename>.<extension>.id[F6593DDC-2275].[[email protected]].Adame
     <filename>.<extension>.id[70C80B9F-1127].[[email protected]].Adame
     <filename>.<extension>.id[AE9AE1C0-2275].[[email protected]].Adame
     If it does not have the <ID>-<id> with 8 random hexadecimal characters>.[<email>] pattern followed by the .Adame extension, then it is a Scarab variant. Based on infection rates, you are most likely infected with Phobos which leaves files (ransom notes) named Phobos.hta, Encrypted.txt, Data.hta, info.hta and info.txt.
  4. You need to post the required information (i.e. Personal ID, Extension of files & MAC (physical) Address of the infected computer) here for Demonslay335 (Michael Gillespie) to archive your information.
  5. Any files encrypted with the .kiratos extension are related to a newer variant of STOP (DJVU) Ransomware. Please read the first page here for a summary of this ransomware, its variants and possible decryption solutions with instructions AND the ***IMPORTANT: @ ALL VICTIMS.... note at the top. "Before asking questions...PLEASE READ these Frequently Asked Questions (FAQs)." You need to post the required information (i.e. Personal ID, Extension of files & MAC (physical) Address of the infected computer) in the above topic if STOPDecrypter is unable to decrypt your files so the developer, Demonslay335 (Michael Gillespie), can archive your information in case a future solution becomes available.
  7. Any files encrypted with the .hrosas extension are related to a newer variant of STOP (DJVU) Ransomware. Please read the first page here for a summary of this ransomware, its variants and possible decryption solutions with instructions AND the ***IMPORTANT: @ ALL VICTIMS.... note at the top. "Before asking questions...PLEASE READ these Frequently Asked Questions (FAQs)." You need to post the required information (i.e. Personal ID, Extension of files & MAC (physical) Address of the infected computer) in the above topic if STOPDecrypter is unable to decrypt your files so the developer, Demonslay335 (Michael Gillespie), can archive your information in case a future solution becomes available.
  8. ID Ransomware will provide different results according to what is submitted. Submitting an encrypted file with a common extension used by other ransomware usually results in a false positive. That is why as I noted above, it is important to submit both encrypted files and ransom notes together as well as any contact email addresses or hyperlinks provided by the criminals. The more information, the more accurate the results.
  9. As IDR indicates...currently there is not enough information about MegaLocker. I am not aware of any method to decrypt files encrypted by this ransomware without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. For now you can opt-in with IDR to be emailed if any further developments are made for this particular ransomware by clicking the link under Please check back later. In cases where there is no free decryption tool, restoring from back up is not a viable option and file recovery software does not work, the only other alternative to paying the ransom (if you can even reach the criminals to pay) is to backup/save your encrypted data as is and wait for a possible solution...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution.
  10. The link to your IDR results indicates you only submitted a sample of an encrypted file with the .crypted extension which is very generic and used by several different ransomwares to include Yoshikada Decryptor (GlobeImposter variant), Nemucod, and MegaLocker. Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections. Submitting any contact email addresses or hyperlinks provided by the criminals may also be helpful with identification.
  11. ID Ransomware should recognize .ITLOCK as a Matrix Ransomware variant which is not decryptable without paying the ransom and obtaining the private keys from the criminals who created the ransomware.
  12. If you need individual assistance only with removing the malware infection, there are advanced tools which can be used to investigate and clean your system. Please follow the instructions here for assistance by Emsisoft Experts. Of course you can always choose to do a reinstall of Windows (clean install) instead but it never hurts to try a clean-up first with trustworthy security scanning tools if that is something you want to consider. The process of reinstalling Windows (clean install) will erase all the data on your computer to include your files, any programs you installed and the settings on your computer. It essentially will return the computer to the same state it was when you first purchased and set it up. Before attempting a reinstall or factory restore (reset) of Windows it is recommended to create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system (and all encrypted data) including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed in the event that a free decryption solution is developed in the future. Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a decryption solution is ever discovered. Alternatively, you can remove the hard drive, store it away and replace it with a new hard drive and a fresh install of Windows.
      First steps when dealing with ransomware
      I’ve been infected with ransomware! What should I do?
      What to Do If You're Infected by Ransomware
  13. The extension looks random. There are several different ransomware infections which append a random 4, 5, 6, 7, 8, etc character extension to the end of all affected filenames to include CTB-Locker, Crypt0L0cker, Magniber, GandCrab V5+, CryptON (Cry9, Cry36, Cry128, Nemesis), Skull, MrDec (Mr.Dec), SynAck, Maktub Locker, Alma Locker, Princess Locker, Princess Evolution, Locked-In, Mischa, Goldeneye, Al-Namrood 2.0, Cerber v4x/v5x and some Xorist variants. The best way to identify the different ransomwares that use "random character extensions" is the ransom note (including its actual name and contents), samples of the encrypted files, possible filemarkers, the malware file itself responsible for the infection and information related to any email addresses or hyperlinks provided by the cyber-criminals to request payment. You can submit (upload) samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware (IDR) for assistance with identification and confirmation of the infection. ID Ransomware can identify ransomwares with random extension and more accurately identifies ransomwares by filemarkers if applicable. Based on infection rates we see, you are most likely infected with a variant of GandCrab V5. GandCrab V5 (V5.0.1) will have a random 5 character extension (i.e. .fbkdp .ibagx .qikka) appended to the end of the encrypted data filename and leave files (ransom notes) named [random extension]-DECRYPT.html (i.e. qikka-DECRYPT.html, eiuhtxjzs-DECRYPT.html). GandCrab V5.0.2 and GandCrab V5.0.3 will have a random 5-9 character extension (i.e. .fnxfavh, .eiuhtxjzs, .ilrkdszxe) appended to the end of the encrypted data filename and leave files (ransom notes) named [random extension]-DECRYPT.html (i.e. fnxfavh-DECRYPT.html, eiuhtxjzs-DECRYPT.html). GandCrab V5.0.4+ will have a random 5-10 upper-case character extension (i.e. .XMMFA, .LUKIZQW, .TKKLKM, .PFBRBHHEVM) appended to the end of the encrypted data filename and leave files (ransom notes) named [random upper-cased extension]-DECRYPT.txt (i.e. LUKIZQW-DECRYPT.txt, TKKLKM-DECRYPT.txt). GandCrab V5.1+ will have a random 5-10 upper-case character extension appended to the end of the encrypted data filename. GandCrab V5.2, like its predecessors, will also have a random 5-10 character extension appended to the end of the encrypted data filename. If confirmed, Bitdefender released a free decrypter for GandCrab V1, V4 and up through V5.1+ recognizable by their extensions ... .GDCB, .KRAB and random 5-10 characters (i.e. .fbkdp .ibagx .qikka, .eiuhtxjzs9, .LUKIZQW, .TKKLKM, .PFBRBHHEVM) respectively.
      BDGandCrabDecryptTool Requirements, download and How to use the Tool
      Decryption Tools: GandCrab (V1, V4 and V5 up to V5.1 versions) alternate download
      How to use the Bitdefender GandCrab Decryption Tool Manual
      Files encrypted by GandCrab V5.2 are not decryptable without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities like previous versions. The criminals released V5.2 after Bitdefender updated its decrypter for V5.1 so it will not work on this latest version. Bitdefender confirmed that there is no decryption tool for GandCrab V5.2.
      GandCrab Decrypter Available for v5.1, New 5.2 Variant Already Out
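The Phobos .Adame filename pattern from post 3 and the GandCrab extension/ransom-note naming from post 13 lend themselves to a small triage script that sorts a directory listing before anything is uploaded to ID Ransomware. The block below is an added example, not quietman7's code and not an Emsisoft or IDR tool; it assumes a four-digit number after the dash inside id[...] (as in the three sample names in post 3) and uses a constructed placeholder e-mail and constructed file names.

```python
import re

# Phobos (.Adame): <name>.<ext>.id[<8 hex chars>-<4 digits>].[<email>].Adame
# The 8 hex characters come from the post; the 4-digit tag after the dash is
# an assumption taken from the three sample names (2275, 1127, 2275).
PHOBOS_ADAME = re.compile(
    r"^(?P<name>.+?)\.id\[(?P<id>[0-9A-Fa-f]{8})-(?P<tag>\d{4})\]"
    r"\.\[(?P<email>[^\]]+)\]\.Adame$"
)

# GandCrab V5 ransom note: <random extension>-DECRYPT.html (V5.0.1-V5.0.3,
# lower-case) or <random UPPER-CASE extension>-DECRYPT.txt (V5.0.4 and later).
GANDCRAB_NOTE = re.compile(r"^(?P<ext>[A-Za-z]{5,10})-DECRYPT\.(?P<fmt>html|txt)$")

def classify_adame(filename):
    """Return 'Phobos' if a .Adame name carries the id[...].[email] pattern,
    'Scarab' if it ends in .Adame without it, or None for anything else."""
    if PHOBOS_ADAME.match(filename):
        return "Phobos"
    if filename.endswith(".Adame"):
        return "Scarab"
    return None

def classify_gandcrab(filenames):
    """Pair encrypted files with a <ext>-DECRYPT.* note in the same listing.
    Returns (version range, extension) or None. V5.0.4+, V5.1 and V5.2 share
    the upper-case scheme, so they cannot be separated by file names alone."""
    notes = {}
    for name in filenames:
        m = GANDCRAB_NOTE.match(name)
        if m:
            notes[m.group("ext")] = m.group("fmt")
    for name in filenames:
        ext = name.rsplit(".", 1)[-1] if "." in name else ""
        fmt = notes.get(ext)
        if fmt == "txt" and ext.isupper():
            return ("GandCrab V5.0.4+ (incl. V5.1/V5.2)", ext)
        if fmt == "html" and ext.islower():
            return ("GandCrab V5.0.1-V5.0.3", ext)
    return None

if __name__ == "__main__":
    # Constructed sample listing; the e-mail is a placeholder, not a real address.
    sample = ["photo.jpg.id[F6593DDC-2275].[someone@example.invalid].Adame",
              "notes.txt.Adame", "budget.xlsx.LUKIZQW", "LUKIZQW-DECRYPT.txt"]
    for f in sample[:2]:
        print(f, "->", classify_adame(f))
    print(classify_gandcrab(sample))
```

A None result means the listing does not match either scheme and the files, notes and any contact details should still go to ID Ransomware together, as the posts advise.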
  14. STOPDecrypter was updated to include support for the .kroput variant if you were hit by the OFFLINE KEY - "upOacGl1yOz9XbrhjX9UR2M0j8i03YwVB0pXr1t1" as explained in here. Please read the instructions here (including what to do if the decrypter does not work). Demonslay335 (Michael Gillespie) is the creator of STOPDecrypter. He is a trusted Security Colleague (Expert) here at Emsisoft, a ransomware researcher/analyst with the MalwareHunterTeam, the creator of ID Ransomware (IDR).
  15. The .promorad2 extension is a newer variant of STOP (DJVU) Ransomware and ID Ransomware should confirm the infection. STOPDecrypter has been updated to include support for the .promorad2 variant if you were hit by the OFFLINE KEY - "0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDosJ24DmXt1" as explained in here.