Sarah W

Hi Fabio Sajoratto, Another thing to note is that the criminals hack in via RDP which has weak passwords, so if you can disable RDP then please do so otherwise change the passwords to something more secure. Also, please install all critical windows updates. Regards, Sarah

Hi Josh, Can you upload your ransom note (or if it's a message box, upload a screenshot of it) and an encrypted file? Can you also upload the file which 360 total security alerted on, and submit the website link you clicked on to virustotal (change to url and paste the website address in there) and then paste a results URL. Regards, Sarah

Hi len4bfs, Unfortunately, crypt0l0cker is not decryptable for free. Some users have had luck with paying Dr Web to assist them with file decryption. Here is the updated policy from Dr.Web (11/25/15): Free file decryption assistance only for PCs protected by Dr.Web at the moment of infection. How to submit a request to Doctor Web's support service Submit a request Let us know if you have any success. A good backup procedure is very important and well worth the investment, especially make sure not to keep the backup attached to the system unless you are backing up (it is best to have two different backups). As a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it. Regards, Sarah

Hi Howard, When you say it stops responding and closes, are you trying to interact with it before that? What stage is it at when it closes (a screenshot would be useful)? Regards, Sarah

Hi Howard, Can you attach 01.07.2017_09.52.33.zip to your next reply? Are you able to run the Amnesia2 decrypter now? Regards, Sarah

Hi Howard, Sorry, I forgot users could not download from this forum. Click Start. Choose All Programs -> Accessories -> Notepad. Notepad opens. Copy the context below and paste into Notepad: Zip: C:\WINDOWS\WinDebug_32.exe 2017-06-23 06:34 - 2017-06-23 06:34 - 00023915 ____N C:\WINDOWS\WinDebug_32.exe IFEO\Magnify.exe: [Debugger] cmd.exe IFEO\sethc.exe: [Debugger] cmd.exe Choose File -> Save from the menu bar (Ctrl + S). The Save As dialog box appears. Save your file to the downloads folder. Name your document as fixlist. In the Save as type drop-down box, be sure your document is saved as a text document. Click Save. Then continue with the FRST instructions above. Regards, Sarah

Hi Howard, First of all, please download this security patch as currently your system is vulnerable to pretty much anyone accessing it. You still need to reboot after doing so. If possible, I would disconnect from the internet whilst doing so. Once done continue with the steps below: We need to run a fix with FRST: Please download the attached fixlist.txt file and save it to the same location as FRST Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system fixlist.txt Run FRST.exe/FRST64.exe and press the Fix button just once and wait If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply You will also need to attach a zipped file with the format Date_Time.zip which FRST created on the desktop to your next reply. Regards, Sarah

Hi JT, Please share some encrypted files, the ransom note (if there is one) and the malware file, if you have it. Regards, Sarah

Hi COnsu1, Currently, Shade ransomware is not decryptable. You can either backup your files and wait for a solution, or pay the criminals (we do not recommend this) currently. A good backup procedure is very important and well worth the investment, especially make sure not to keep the backup attached to the system unless you are backing up (it is best to have two different backups). As a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it. We currently have an offer on with free backup software. Regards, Sarah

Hi rajipillai, We released a new decrypter for the updated version here. Regards, Sarah

Hi LeonardCaldwell, You're dealing with Cry36, you can see more of the discussion about it here. I suggest making sure RDP is secure and no weak passwords are being used, and also making sure all critical windows updates are installed. Regards, Sarah W

We just released a new decrypter for this variant, you can find it here. Please make sure to secure RDP, install all Windows updates and make backups of files (disconnected from the system, hopefully). If you appreciate the work we do and need a security solution that can protect against ransomware; we have our own security software Emsisoft Anti-Malware. Regards, Sarah W

Hi Monkish, Unfortunately, a file pair cannot provide the information we need to look into whether we can help. We will see what we can do though, however, I am not sure if we can help currently. Regards, Sarah

Hi RodneyHamp, Sorry we couldn't provide better news, hopefully, one day this will be decryptable. Regards, Sarah

Hi junaid12, Glad we could help A good backup procedure is very important and well worth the investment, especially make sure not to keep the backup attached to the system unless you are backing up (it is best to have two different backups). As a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it. Regards, Sarah

Hi all, We got a sample of a new version of Amnesia, we are currently looking into it. Please be patient. Regards, Sarah

Hi, If you haven't seen, Kaspersky and Avast have released decrypters for the .wallet variant of Dharma, since the keys were released this week. https://www.bleepingcomputer.com/news/security/wallet-ransomware-master-keys-released-on-bleepingcomputer-avast-releases-free-decryptor/ Regards, Sarah

Hi, If you haven't seen, Kaspersky and Avast have released decrypters for the .wallet variant of Dharma, since the keys were released this week. https://www.bleepingcomputer.com/news/security/wallet-ransomware-master-keys-released-on-bleepingcomputer-avast-releases-free-decryptor/ Regards, Sarah

Hi, If you haven't seen, Kaspersky and Avast have released decrypters for the .wallet variant of Dharma, since the keys were released this week. https://www.bleepingcomputer.com/news/security/wallet-ransomware-master-keys-released-on-bleepingcomputer-avast-releases-free-decryptor/ Regards, Sarah

Hi, If you haven't seen, Kaspersky and Avast have released decrypters for the .wallet variant of Dharma, since the keys were released this week. https://www.bleepingcomputer.com/news/security/wallet-ransomware-master-keys-released-on-bleepingcomputer-avast-releases-free-decryptor/ Regards, Sarah

Hi RodneyHamp, Unfortunately, you are dealing with GlobeImpostor 2 and it's not decryptable. You will want to check whether RDP is secured with a strong password as well as check whether you have all critical updates installed. Regards, Sarah

Hi demouil2510, We're still looking into this one. Hopefully we will have something. Regards, Sarah

Hi Rajeeth, Please share an encrypted file and the ransom note. Regards, Sarah

Hi gsalvador69, Currently, Jaff ransomware is not decryptable. You can either backup your files and wait for a solution, or pay the criminals (we do not recommend this) currently. A good backup procedure is very important and well worth the investment, especially make sure not to keep the backup attached to the system unless you are backing up (it is best to have two different backups). As a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it. Regards, Sarah

Hi Monkish, Currently Al Namrood is not decryptable, however, if you still have the malware file somewhere then we will be willing to take a look at it. Regards, Sarah