Visiting Expert
  • Content Count

  • Joined

  • Last visited

  • Days Won


Amigo-A last won the day on August 3

Amigo-A had the most liked content!

Community Reputation

124 Excellent

About Amigo-A

  • Rank
    Ransomware Expert
  • Birthday August 1

Contact Methods

  • Website URL

Profile Information

  • Gender
  • Location
    3st station from Sun
  • Interests
    Collection, catalogization and publication of information about Ransomware. Cooperating support of 'ID Ransomware' (in English and Russian). I work without off-time days and holidays. Пишите мне на русском, если знаете этот язык.

Recent Profile Visitors

3842 profile views
  1. Hello, @hartok It looks like "offline ID" if you haven't changed anything in it. You probably need to read a little "Help" on this.
  2. Attach several encrypted files and a ransom note to your message. Do not change or edit anything in these files.
  3. Yes, files with .pykw extension cannot be decrypted using the pair 'encrypted file + original file' option. This option is only for older versions when different encryption was used. The decryption key for .pykw extension has not yet been loaded into the decryptor, so it cannot decrypt files yet. This will be done after someone pays the ransom and voluntarily shares the decryption key with the decryption service Emsisoft.
  4. Hello @Axel I just checked. No, as long as this variant cannot be decrypted. Nobody provided the key. You have already checked your PC for this and other malware? There may be a infostealer left there.
  5. This is the result of a 'STOP Ransomware' attack. New variant. Read this guide.
  6. The encrypted files of that time can be decrypt in some cases. You need to read this manual to use the decryption service and teach him to decrypt your files.
  7. This is the result of a 'STOP Ransomware' attack The first case with the .bopador extension occurred on July 24, 2019.
  8. Zdravo Slobodan I recommend leaving for the future. Sometimes malware and ransomware distributors shut down their projects and release keys so they can be applied. There is only a 1-2 out of 100 chance that this will happen, but it is not 0.
  9. Attach to message a file _readme.txt
  10. Attach several encrypted files and a ransom note to message.
  11. Yes, this is the result of Phobos Ransomware attack. The variant with this address has been known since March 2020. Until now, none of the decryption specialists and anti-virus labs have reported that they are close to decryption. Therefore, if someone on the Internet offers you a decryption, then it will certainly be another scammer. First let us know and we will check their "super-capabilities".
  12. No. In this case, it is wrong to talk about percentages. Most likely, they could steal some data before they started encryption. In extortion, encryption can be the second or even third element of an attack. For example, the model may be as follows: first, the Trojan downloader is introduced, then surveillance is carried out, desktop screenshots are taken and a list of frequently opened files and folders of visited sites is compiled. The obtained preliminary information is easily sent to the attacker server, processed, then a command is issued to additionally download the “interesting” parts. After downloading information to the attackers, with which they can blackmail and confirm the ability to decrypt files, a command is issued to encrypt the files. This may be of one or more days in the case of STOP Ransomware. Above, I gave you a link to the analysis in which Ursnif takes top place. You can search by this name or use the links to articles that appear in this link if you click on the name 'Ursnif Malware'. It has been used to steal data for about 7 years or more. If the extortionists, who uses STOP Ransomware for encryption has adopted this tool, it means that it’s not just like that. Rest assured that they will try to get the maximum benefit out of affected PC if their malware is not destroyed.
  13. Two-factor authentication also has its own vulnerabilities. SMS is an unreliable security element. If no one tried and logged into your account before you safely changed your passwords, then this time you probably have secured the data in the disk.
  14. While GT500 is resting, I will try to answer your questions. Then you can compare answers. Most likely because the size is very small, and the files on the Desktop are a 'tasty' for any extortionist. To grabbing information from browsers and programs (including such well-known as 'Last Pass'), STOP Ransomware uses a whole set of tools for data theft. Ursnif is one of many the tools. They can change this in different versions of the 'STOP Ransomware'. If your PC has become a de facto toy in the hands of extortionists and information thieves, then you need to use a secure (non-compromised) device to change passwords. This in ideal. If you do not have another device and the password store is not synchronized with other devices (smartphone, tablet, etc.), then it is necessary to check the affected PC as maximally as possible for the presence of active and dormant security threats.