Visiting Expert

Amigo-A last won the day on September 20

Amigo-A had the most liked content!

Community Reputation

132 Excellent

About Amigo-A

  • Rank
    Ransomware Expert
  • Birthday August 1

Profile Information

  • Location
    3rd station from Sun
  • Interests
    Collection, cataloguing and publication of information about Ransomware. Cooperating support of 'ID Ransomware' (in English and Russian). I work without days off and holidays. Write to me in Russian if you know this language.

Recent Profile Visitors

4013 profile views
  1. Hello. This is the result for your files. To get the right result, you need to upload a ransom note and an encrypted file. IMG_0462a.jpg.crypt + how_to_recover_files.html = GlobeImposter 2.0 Ransomware. The email address can be used in various ransomware. Actors move from one project to another. But the ID is very specific to GlobeImposter and is determined mostly without problems.
  2. Most double and multiple encryptions can't be decrypted because at one stage the file will be unrecoverable. I recently identified this case as 'double encryption': LockBit + Dharma Ransomware. Both are impossible to decipher without paying the ransom. The same 'Telegram contact' has been used in double attacks since about August 2020, or it started earlier. Later I received and analyzed the sample and found out that this is not Dharma per se. Someone bought the source code of Dharma's predecessor, which was called Crysis, and redid the encryption from it, to make it look like Dharma's elements. If Emsisoft examines this encryption in more detail, they will tell you the result: whether this can be decrypted. This requires deeper research than a superficial look.
  3. With this 'Help', you can determine the type of ID from the note. If something is not clear, ask here.
  4. Hello @Rohit Tiwari This is the result of a 'STOP Ransomware' attack. You downloaded and launched something without reliable protection of your computer and network. They have been attacking PCs all over the world for several years now. Only in some cases can files be decrypted without paying the ransom. Read the help on this case.
  5. Please read this help. There are details about this. If you are confused by a lot of text, read only what I have highlighted for you. Offline ID + t1
  6. If you attach a file _readme.txt to the message, we will tell you if decryption is possible.
  7. Hello / Salam @Mostafa issa You need to read this Help. It says when you can decrypt the files. The .vari extension is used by a well-known 'STOP Ransomware' that comes in many variants. Only sometimes can files be decrypted.
  8. Emsisoft Decryptor for JSWorm 4.0. As I said above, you need to wait for the Emsisoft decryption specialist to check your files for decryption. The Emsisoft Decryptor was made for version 4.0.2, and you have 4.0.3. It doesn't look like a new version, most likely you have an old version as well. This needs adjustment. In different versions, the encryption changes. If at first it was possible to decrypt the files, then after small changes, decryption may not be possible. But do not despair, you need to be patient. Decrypting without the original encryption key is a laborious process. Wait for a response from an Emsisoft representative, he will coordinate the information with the file decryption specialist who created the decryptor.
  9. Hello @hoppacuppa GT500 has already answered you. I also replied to your personal message.
  10. Decryption specialists will look at your files. A decryptor has already been made, but it does not decrypt 'JSWORM 4.0' files. Perhaps it will be possible in the future.
  11. You need to attach the file JBUIIGF-DECRYPT.hta. Note! The file must be archived with the password 123.
  12. We have not seen any other cases after March this year.
  13. It was "Major Ransomware"
  14. Hello @radansya When did the encryption happen? Now or last year?