Sarah W

Hi Morty, Sorry about the delay, took a little while to add what we needed, but please download the newest version of the decrypter . You will need to go to options and insert Wosar is a pig dancing on the wardrobe. as the salt (needs to be exactly this), and [email protected] as the email. Then click calculate for the ID. After that, you can return to the Decrypter tab and then click decrypt. Regards, Sarah

Hi BenSan, Sorry about the delay, you can run the tool on another system but you would need to have the encrypted files on that system that you wanted to decrypt. We'll think about adding that option where you can save the key. RDP is how these criminals usually enter, so please secure it with a strong password. Regards, Sarah

Hi Theamoebson, BTCWare is unfortunately not decryptable. You can either backup your files and wait for a solution, or pay the criminals (we do not recommend this) currently. RDP is how these criminals usually enter, so please secure it with a strong password. Regards, Sarah

Hi xginx, Looks like the infection is gone now. Regards, Sarah

Hi xginx, How is the system running now? Can you access Avast and task manager? Please re-run FRST, put a check into the box next to Addition.txt and press the scan button. It will produce FRST.txt and Addition.txt logs located on the desktop. Please copy and paste the logs into your next reply. Regards, Sarah

Hi Davepens, You should see this: You need to click on Download This File. Then fill in the captcha. Regards, Sarah

Hi xgent, Unfortunately, Sage ransomware is not decryptable. Your best bet is to wait for a solution that may happen at some point if you don't want to pay (I suggest not, if possible). A good backup procedure is very important and well worth the investment. As a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it. Regards, Sarah

Hi Gusi, Wallet Dharma is unfortunately not decryptable. You can either backup your files and wait for a solution, or pay the criminals (we do not recommend this) currently. RDP is how these criminals usually enter, so please secure it with a strong password. Regards, Sarah

Hi josevm700, Hopefully we have a solution eventually. Regards, Sarah

Hi xginx, Sorry about that. Download from here, and follow the rest of the instructions. Regards, Sarah

Hi Davepens, Try and download it from here, follow the rest of the instructions after. Regards, Sarah

Hi Brenda Chandler, Sorry for the delay, I happened to miss your topic. To use the decrypter you will require an encrypted file of at least 4096 bytes in size as well as its unencrypted version. To start the decrypter select both the encrypted and unencrypted file and drag and drop them onto the decrypter executable. Regards, Sarah

Hi Daniel, I merged your post with the Locky topic. Locky is unfortunately not decryptable. You can either backup your files and wait for a solution, or pay the criminals (we do not recommend this) currently. As a note, Emsisoft Anti-Malware would have prevented your system from being compromised and encrypted in the first place. So if you appreciate our support, why not do yourself and your files a favour and check our product out, and consider buying it. Regards, Sarah

Hi vettalex, You are most welcome. Glad we could help! Usually, Globe comes in via RDP, so if you know that you have that enabled, please change the passwords to something more secure. If you appreciate our decrypter and want to support the work we do, I suggest checking our product out, and consider buying it. Regards, Sarah

Hi Morty, Perfect, that's what we are looking for. Give us a few days and we'll have something for you. Regards, Sarah

Hi vettalex, Please download and use this decrypter. To use the decrypter, you will require a file pair containing both an encrypted file and its non-encrypted original version. Select both the encrypted and unencrypted file and drag and drop both of them onto the decrypter file in your download directory. If file names are encrypted, please use the file size to determine the correct file. Regards, Sarah

Hi Panos and manelv, Al-Namrood 2 is unfortunately not decryptable. You can either backup your files and wait for a solution, or pay the criminals (we do not recommend this) currently. RDP is how these criminals usually enter, so please secure it with a strong password. Regards, Sarah

Hi xginx, We need to run a fix with FRST: Please download the attached fixlist.txt file and save it to the same location as FRST Note: It's important that both files, FRST.exe/FRST64.exe and fixlist.txt are in the same location or the fix will not work NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system fixlist.txt Run FRST.exe/FRST64.exe and press the Fix button just once and wait If for some reason the tool needs a restart, please make sure you let the system restart normally, then let the tool complete its run When finished, FRST will generate a log (Fixlog.txt) in the same location the tool was run, please post it to your reply ================================================================= We need to remove programs using "Programs and Features" Click the "Start" orb on the taskbar, and then click the "Control Panel" button. If you use Category mode, click on Uninstall a Program. If you use Icons mode, click on Program and Features. A list of programs installed will be "populated" (this may take a bit of time). If they exist, uninstall the following by clicking on the below entries and selecting "Remove": Advanced SystemCare 10 Reimage Repair WindowsMangerProtect20.0.0.1064 Additional instructions can be found here if needed. ================================================================= Please download AdwCleaner by Xplode and save to your Desktop. Double click on AdwCleaner.exe to run the tool. Vista/Windows 7/8 users right-click and select Run As Administrator The tool will start to update the database if one is required. Click on the Scan button. AdwCleaner will begin...be patient as the scan may take some time to complete. After the scan has finished, click on the Logfile button. A window will open which lists the logs of your scans. Click on the Scan tab. Double-click the most recent scan which will be at the top of the list....the log will appear. Review the results...see note below After reviewing the log, click on the Clean button. Press OK when asked to close all programs and follow the onscreen prompts. Press OK again to allow AdwCleaner to restart the computer and complete the removal process. After rebooting, a logfile report (AdwCleaner[CX].txt) will open automatically (where the largest value of X represents the most recent report). To open a Cleaning log, launch AdwareClearer, click on the Logfile button, click on the Cleaning tab and double-click the log at the top of the list. Copy and paste the contents of AdwCleaner[CX].txt in your next reply. A copy of all logfiles are saved to C:\AdwCleaner. ================================================================= Reply here and attach the following logs to your post: fixlog.txt AdwCleaner log Regards

Hi josevm700, We did find a sample of this ransomware, but it seems to be secure. You can either pay the criminal (we do not recommend this) or wait for a possible solution. Regards, Sarah

Hi Davepens, Please download removecrypted.bat and run it. It should delete the crypted files. Regards, Sarah removecrypted.bat

Hi Sergio, Al-Namrood 2 is unfortunately not decryptable. You can either backup your files and wait for a solution, or pay the criminals (we do not recommend this) currently. RDP is how these criminals usually enter, so please secure it with a strong password. Regards, Sarah

Hi TCO Jason, Wallet Dharma is unfortunately not decryptable. You can either backup your files and wait for a solution, or pay the criminals (we do not recommend this) currently. RDP is how these criminals usually enter, so please secure it with a strong password. Regards, Sarah

Hi rooterz and xginx, PCLock is unfortunately not decryptable. You can either backup your files and wait for a solution, or pay the criminals (we do not recommend this) currently. xginx, if you think you're infected then please do this for me: Install and Run Emsisoft Emergency Kit (EEK): Double click EmergencyKitScanner.exe to install EEK When the installation of EEK is complete the Emergency Kit scanner will run. NOTE: Make sure to enable PUPs detection. Click "Yes" to Update Emsisoft Emergency Kit Under "Scan" click-on "Malware Scan". IMPORTANT: Do not quarantine or delete anything. We just want the scan log without anything being quarantined or deleted. Save the scan log somewhere that you can find it. Exit Emsisoft Emergency Kit. Run Farbar Recovery Scan Tool (FRST): Double-click to run it. When the tool opens click Yes to disclaimer. Press Scan button. Farbar Recovery Scan Tool will produce the following logs: FRST.txt Addition.txt Reply here and attach the following logs to your post: Emsisoft Emergency Kit log (C:\EEK\Reports\) FRST.txt Addition.txt

Hi Davepens, Did you get any errors? Regards, Sarah

Hi vettalex, Sorry, I just wanted to check what the ransom note was named so I can identify the specific globe variant you were hit with. If you have the globe.exe file then submitting that will help too. Regards, Sarah