Sarah W

Fabian who works on the decrypters has been ill recently, but we are looking into this. Please be patient. Regards, Sarah

Can you share some files which are not working and the file pair you are using to decrypt them? We will take a look and see if we can help. Regards, Sarah

Hi willaien, We will look into the malware file you provided and update you when we have something. Regards, Sarah

Hello there, Can you check the malwarebytes quarantine for me to see if it is in there? Regards, Sarah

Hello there, If we cannot decrypter your files, then we will need the malware file. Regards, Sarah

Yes, please run it on the actual computer the infection happened on and the original copies (hopefully not moved) I suggest perhaps restricting what IPs can connect to RDP and making sure that the password is changed and not reused anywhere else, as they tend to brute force their way in. Considering it was done by RDP, good chance it may be deleted, but I suggest checking recycling bins and running a scanner/antivirus (can use our programs). Regards, Sarah

Buongiorno, Sfortunatamente crypt0l0cker non è decriptabile gratuitamente. Alcuni utenti hanno avuto fortuna pagando l'assistenza di Dr Web. Qui i termini e le condizioni di Dr. Web (11/25/15): assistenza gratuita nella decriptazione dei file criptati durante l'utilizzo di Dr.Web al momento dell'infezione. Come inviare una richiesta di supporto a Doctor Web. Invia una richiesta Cordialmente, Sarah

Hi there, Have you moved the files from the original location? You can try other file pairs, but if they do not work then we will need the malware file. Regards, Sarah

Hello there, Sorry about the delay in replying to you. What was the name of the ransom note, as this will help us figure out what version of Globe this is? Do you also happen to have the malware file? Regards, Sarah

Hi there, Please download this decrypter and drag and drop the SETUP.HTM and SETUP.HTM.crypt onto it. Let me know if you have any issues, and please specify what the error is. Regards, Sarah

Hi there, Can you please upload this (C:\Documents and Settings\Guest\Application Data\Neazgy\owub.exe) file to virustotal and post the link. It looks like you were infected with two different ransomwares, is this correct? Please download this decrypter and drag and drop the c21.exe and c21.exe.crypt onto it. Let me know if you have any issues. Regards, Sarah

Hello there, Do you still have the Chrome_Font.exe file that your girlfriend ran? It may be that they updated the ransomware. Regards, Sarah

Locky is a ransomware family that first appeared in February last year. Locky uses AES to encrypt files. Encrypted files will have either ".locky", ".zepto", ".odin", ".shit", ".thor", ".aesir", ",zzzzz" or ".osiris" as an extension. The ransom note is named "_HELP_instructions.html", "_-INSTRUCTION.html", "OSIRIS-.html", "_Locky_recover_instructions.txt", "_WHAT_is.html" or "_HELP_instructions.bmp" and asks victims to contact via the tor links. Locky is currently not decryptable. More information can be found here. If you have any questions about this ransomware, you can post here.