Posts posted by Sarah W
-
Hi Josh,
Can you upload your ransom note (or if it's a message box, upload a screenshot of it) and an encrypted file? Can you also upload the file which 360 Total Security alerted on, and submit the website link you clicked on to VirusTotal (change to URL and paste the website address in there) and then paste a results URL.
Regards,
Sarah
-
Hi len4bfs,
Unfortunately, crypt0l0cker is not decryptable for free. Some users have had luck with paying Dr Web to assist them with file decryption. Here is the updated policy from Dr.Web (11/25/15): Free file decryption assistance only for PCs protected by Dr.Web at the moment of infection.
Quote... free decryption services are only available for owners of active Dr.Web commercial licenses, the only amendment now being that the license must have been purchased before, not after the infection has been caused by encryption ransomware. If you're not a licensed user for a Dr.Web product you will have to pay for their services.
Let us know if you have any success.
A good backup procedure is very important and well worth the investment, especially make sure not to keep the backup attached to the system unless you are backing up (it is best to have two different backups). As a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it.
Regards,
Sarah
-
Hi Howard,
When you say it stops responding and closes, are you trying to interact with it before that? What stage is it at when it closes (a screenshot would be useful)?
Regards,
Sarah
-
Hi Howard,
Can you attach 01.07.2017_09.52.33.zip to your next reply?
Are you able to run the Amnesia2 decrypter now?
Regards,
Sarah
-
Hi Howard,
Sorry, I forgot users could not download from this forum.
- Click Start.
- Choose All Programs -> Accessories -> Notepad.
- Notepad opens.
- Copy the content below and paste into Notepad:
Zip: C:\WINDOWS\WinDebug_32.exe
2017-06-23 06:34 - 2017-06-23 06:34 - 00023915 ____N C:\WINDOWS\WinDebug_32.exe
IFEO\Magnify.exe: [Debugger] cmd.exe
IFEO\sethc.exe: [Debugger] cmd.exe
- Choose File -> Save from the menu bar (Ctrl + S).
- The Save As dialog box appears.
- Save your file to the downloads folder.
- Name your document as fixlist.
- In the Save as type drop-down box, be sure your document is saved as a text document.
- Click Save.
- Then continue with the FRST instructions above.
Regards,
Sarah
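An added example, not part of the original post and not FRST's own code: it scans log text for IFEO Debugger entries in the shape shown in the fixlist above and marks those set on accessibility programs, where a Debugger value makes Windows start the named command in place of the tool. The program names beyond sethc.exe and Magnify.exe, the function names and the sample lines are assumptions constructed for this example.

```python
import re

# Accessibility programs that can be started from the Windows logon screen.
# sethc.exe and Magnify.exe come from the fixlist; the rest are added here.
ACCESSIBILITY = {"sethc.exe", "magnify.exe", "utilman.exe", "osk.exe",
                 "narrator.exe", "displayswitch.exe"}

# Line shape taken from the fixlist: IFEO\<image>: [Debugger] <command>
IFEO_LINE = re.compile(
    r"^IFEO\\(?P<image>[^:]+):\s*\[Debugger\]\s*(?P<cmd>.*)$", re.IGNORECASE)


def find_ifeo_debuggers(log_text):
    """Return (image, command, is_accessibility_tool) per IFEO Debugger line."""
    findings = []
    for raw in log_text.splitlines():
        match = IFEO_LINE.match(raw.strip())
        if not match:
            continue
        image = match.group("image").strip()
        command = match.group("cmd").strip()
        findings.append((image, command, image.lower() in ACCESSIBILITY))
    return findings


def accessibility_hijacks(log_text):
    """Names of accessibility programs that have a Debugger value set."""
    return [image for image, _, flagged in find_ifeo_debuggers(log_text) if flagged]


# Constructed sample input; only the two IFEO lines mirror the fixlist.
SAMPLE_LOG = r"""
Some unrelated log line
IFEO\Magnify.exe: [Debugger] cmd.exe
IFEO\sethc.exe: [Debugger] cmd.exe
IFEO\exampleapp.exe: [Debugger] C:\Tools\dbg.exe
"""

if __name__ == "__main__":
    for image, command, flagged in find_ifeo_debuggers(SAMPLE_LOG):
        status = "REVIEW (accessibility tool)" if flagged else "check"
        print(f"{status}: {image} -> {command}")
```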
-
Hi Howard,
First of all, please download this security patch as currently your system is vulnerable to pretty much anyone accessing it. You still need to reboot after doing so. If possible, I would disconnect from the internet whilst doing so. Once done continue with the steps below:
We need to run a fix with FRST:
- Please download the attached fixlist.txt file and save it to the same location as FRST
Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system - fixlist.txt
- Run FRST.exe/FRST64.exe and press the Fix button just once and wait
- If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run
- When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply
You will also need to attach a zipped file with the format Date_Time.zip which FRST created on the desktop to your next reply.
Regards,
Sarah
-
Hi JT,
Please share some encrypted files, the ransom note (if there is one) and the malware file, if you have it.
Regards,
Sarah
-
Hi COnsu1,
Currently, Shade ransomware is not decryptable. You can either back up your files and wait for a solution, or pay the criminals (we do not recommend this) currently.
A good backup procedure is very important and well worth the investment, especially make sure not to keep the backup attached to the system unless you are backing up (it is best to have two different backups). As a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it. We currently have an offer on with free backup software.
Regards,
Sarah
-
Hi LeonardCaldwell,
You're dealing with Cry36, you can see more of the discussion about it here.
I suggest making sure RDP is secure and no weak passwords are being used, and also making sure all critical Windows updates are installed.
Regards,
Sarah W
-
We just released a new decrypter for this variant, you can find it here.
Please make sure to secure RDP, install all Windows updates and make backups of files (disconnected from the system, hopefully).
If you appreciate the work we do and need a security solution that can protect against ransomware, we have our own security software, Emsisoft Anti-Malware.
Regards,
Sarah W
-
Hi Monkish,
Unfortunately, a file pair cannot provide the information we need to look into whether we can help. We will see what we can do though, however, I am not sure if we can help currently.
Regards,
Sarah
-
Hi RodneyHamp,
Sorry we couldn't provide better news, hopefully, one day this will be decryptable.
Regards,
Sarah
-
Hi junaid12,
Glad we could help.
A good backup procedure is very important and well worth the investment, especially make sure not to keep the backup attached to the system unless you are backing up (it is best to have two different backups). As a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it.
Regards,
Sarah
-
Hi all,
We got a sample of a new version of Amnesia, we are currently looking into it. Please be patient.
Regards,
Sarah
-
Hi,
If you haven't seen, Kaspersky and Avast have released decrypters for the .wallet variant of Dharma, since the keys were released this week.
Regards,
Sarah
-
Hi RodneyHamp,
Unfortunately, you are dealing with GlobeImpostor 2 and it's not decryptable. You will want to check whether RDP is secured with a strong password as well as check whether you have all critical updates installed.
Regards,
Sarah
-
Hi demouil2510,
We're still looking into this one. Hopefully we will have something.
Regards,
Sarah
-
Hi Rajeeth,
Please share an encrypted file and the ransom note.
Regards,
Sarah
-
Hi gsalvador69,
Currently, Jaff ransomware is not decryptable. You can either back up your files and wait for a solution, or pay the criminals (we do not recommend this) currently.
A good backup procedure is very important and well worth the investment, especially make sure not to keep the backup attached to the system unless you are backing up (it is best to have two different backups). As a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it.
Regards,
Sarah
-
Hi Monkish,
Currently Al Namrood is not decryptable, however, if you still have the malware file somewhere then we will be willing to take a look at it.
Regards,
Sarah
Infection by [[email protected]] .aleta
in Help, my files are encrypted!
Hi Fabio Sajoratto,
Another thing to note is that the criminals hack in via RDP which has weak passwords, so if you can disable RDP then please do so, otherwise change the passwords to something more secure. Also, please install all critical Windows updates.
Regards,
Sarah