Demonslay335

Possibly in the future, just give us some time. 😉

To second @GT500, have you heard of a little something called CVE-2019-0708? It's literally an exploit that doesn't require even logging in, completely bypassing MFA... it's not the first such exploit recently, nor will it likely be the last. Good that you have MFA, but seriously put it behind VPN.

It's STOP Djvu Ransomware, please read the FAQ here: https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/ In addition, we still need the malware executable for this extension. Please check Task Scheduler for a suspicious task running every 5 minutes, and disable it. Go to Properties, and find the executable it is pointing to, upload it to VirusTotal, and post a link here.

Please follow the instructions in the link ID Ransomware gave you to provide the information needed to archive your case. In addition, we still need the malware executable itself. Check your Task Scheduler for a suspicious task running every 5 minutes or so - go to Properties and find the executable it points to, and upload it to VirusTotal, then provide us the link.

This is STOP Djvu Ransomware, and we need a sample of the malware. Can you check Task Scheduler for a suspicious task running very often (like every 5 minutes)? If you find it, please disable it, then go to Properties for it, Actions tab, and select the "Start a program" - click Edit, and note the location the executable is. Find that executable and upload it to VirusTotal, then send me a link to it. If you need further help with this, I will have a support team member reach out to you for more guided assistance. I do need that malware sample ASAP. In addition to securing the malware executable, please follow the directions in this article to provide me the Personal ID and MAC addresses of the infected machine. https://kb.gt500.org/stopdecrypter

The only requirement to run the decrypter is to have .NET Framework 4.5.2 or newer installed - this is a very old version that came out when Vista was still supported, so if you don't have it, then your system is likely severely outdated on security updates.

@Blue22 I already answered you in this topic:

Did you submit it to ID Ransomware? It would have identified it as Dharma already, which is not decryptable without paying the criminals. They typically hack RDP, which should never be exposed to the internet without a VPN.

Thanks @Amigo-A, seems another one I missed updates on. I've added the extensions to ID Ransomware now.

@Issam You already sent this info to me in PM and I archived it.

@PaulV I'm afraid the decrypter is correct, we don't seem to have your key at this time. Keep a look out in the news for if we update the decrypter.

@manojsaha Check your PM.

Please follow the instructions in the BleepingComputer support topic to give me all of the MAC addresses of the infected PC.

I will continue this in PM.

Just give me the ID in the ransom note... It's all in the FAQ. The MAC addresses you gave me are fine.

I still need the ID from your ransom note.

Read the FAQ... The MAC address has nothing to do with Macintosh. Time is crucial here, follow the instructions quickly.

I actually really still need the malware, if you can provide that please.

@q8asami Do as the instructions in the link I just posted say... quickly.

@nneo Keys are unique per victim, and only some are lucky for me to be able to recover a key in very rare cases. Everything is explained in the first post and FAQ of the support topic: https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/ If you were hit by extension .kiratos, I need this information ASAP. If any other extension, I just need it to archive.

Follow the instructions in the first post of the support topic and the FAQ, and provide the personal ID and MAC addresses of the infected machine ASAP. https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/

Follow the instructions in the first post of this support topic and FAQ and provide the personal ID and MAC addresses of the infected machine ASAP. https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/

You are dealing with two different ransomware. ID Ransomware picked up on the "second layer" of STOP Djvu with the .adobe extension. No way to determine what the first ransomware was without the malware or ransom note from it. Support topic for STOP Djvu: https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/

Likely STOP Djvu, which is not currently decryptable unless you were encrypted by an offline key (in which case ID Ransomware or the STOPDecrypter will tell you so). Please see the first page instructions and FAQ regarding this ransomware on BleepingComputer. https://www.bleepingcomputer.com/forums/t/671473/stop-ransomware-tro-djvu-rumba-openmetxt-support-topic/

It's Matrix, afraid it is not decryptable. https://www.bleepingcomputer.com/news/security/matrix-ransomware-spreads-to-other-pcs-using-malicious-shortcuts/