Amigo-A

Everything posted by Amigo-A

  1. The 'STOP Ransomware' variant with the .lisp extension has a version number of 267.
  2. WannaScream with the extension .NORD is related to WannaCryFake Ransomware. Only a few variants can be decrypted with a decryptor. https://www.emsisoft.com/ransomware-decryption-tools/wannacryfake A support representative will advise you if it is possible to decrypt the files of this newer version.
  3. @GT500 Hello. This refers to the other that we call Alco Ransomware or Maoloa-Alco Ransomware. There is not a single decrypted variant.
  4. Press and hold the key 'Shift' before rebooting your PC with a standard PC shutdown. After that, you will see a blue screen with recovery methods as in an article from the link https://techsherlock.com/how-to-boot-windows-10-into-last-known-good-configuration/ Next, select Troubleshoot - Advanced options - System Restore with the keeping of all your files, if you need them.
  5. Hello @Omar2020. Attach the file _readme.txt to your message.
  6. This is Scarab Ransomware. Previously, with Dr.Web's help, it was possible to decrypt many variants, but after 2018 it seems impossible. You can make a request for decryption yourself. Decryption attempts are free. https://legal.drweb.com/encoder/?lng=en
  7. Ravack Ransomware (with .ravack extension) is a variant of Hakbit Ransomware, known since March 2020. In fact, it is a renamed copy of the variant with the extension .abarcy, known since January 2020. Samples from March 2020: 7f3f8582de407318c0bfdae79e5a925005a58b84e52a1a153d9937c4b2b1d2f7 b0cbe3c24b1e610a9c4c8308f1996b128a4686e6a80edd1b3f22900b4dd95aee a26b6f677edd8a0072c0c8f840a0f5d7e52c38341e346abff1163126b7af03f3
  8. Yes, it must be a file README.html. Extension sample of an encrypted file: .987654321972527968.immunityyoung @ aol.com.young
  9. Hello. This indicates that the Emsisoft Decryptor does not yet support the version with .kolz extension. The developers have not yet received the key to decrypt files of this version. You must protect your PC as much as possible while waiting. Otherwise, re-encryption can happen with a different and online key. You can take advantage of Emsisoft Anti-Malware Home's 30-day free protection.
  10. We can only hope with you that the keys will be published in the future. There are now many modifications, NextGens and spin-offs, and there are imitators that fake the look, elements, and even IDs, that GlobeImposter originally had.
  11. Hello. This is the result with your files - https://id-ransomware.malwarehunterteam.com/identify.php?case=d9266107bde4003efe5528480b72460b0bd119ea To achieve the right result, you need to upload a ransom note and an encrypted file. IMG_0462a.jpg.crypt + how_to_recover_files.html = GlobeImposter 2.0 Ransomware. The email address can be used in various ransomware. Actors move from one project to another. But the ID is very specific for GlobeImposter and is determined mostly without problems.
  12. Most double and multiple encryptions can't be decrypted because at one stage the file will be unrecoverable. I recently identified this case as 'double encryption': LockBit + Dharma Ransomware. Both are impossible to decipher without paying the ransom. The same 'Telegram contact' is used in double attacks from about August 2020, or it started earlier. Later I received and analyzed the sample and found out that this is not Dharma per se. Someone bought the source code of Dharma's predecessor, which was called Crysis, and redid the encryption out of it, to make it look like Dharma's elements. If Emsisoft examines this encryption in more detail, they will tell you the result — can this be decrypted. This requires deeper research than a superficial view.
  13. With this 'Help', you can determine the type of ID from the note. If something is not clear, ask here.
  14. Hello @Rohit Tiwari This is the result of a 'STOP Ransomware' attack. You downloaded and launched something without reliable protection of your computer and network. They have been attacking PCs all over the world for several years now. Only in some cases can files be decrypted without paying the ransom. Read the help on this case.
  15. Please read this help. There are details about this. If you are confused by a lot of text, read only what I have highlighted for you. Offline ID + t1
  16. If you attach a file _readme.txt to the message, we will tell you if decryption is possible.
  17. Hello / Salam @Mostafa issa You need to read this Help. It says when you can decrypt the files. The .vari extension is used by a well-known 'STOP Ransomware' that comes in many variants. Only sometimes can files be decrypted.
  18. Emsisoft Decryptor for JSWorm 4.0. As I said above, you need to wait for the Emsisoft decryption specialist to check your files for decryption. The Emsisoft Decryptor was made for version 4.0.2, and you have 4.0.3. It doesn't look like a new version, most likely you have an old version as well. This needs adjustment. In different versions, the encryption changes; if at first it was possible to decrypt the files, then after small changes, decryption may not be possible. But do not despair, you need to be patient. Decrypting without the original encryption key is a laborious process. Wait for a response from an Emsisoft representative, he will coordinate the information with the file decryption specialist who created the decryptor.
  19. Hello @hoppacuppa GT500 has already answered you. I also replied to your personal message.
  20. Decryption specialists will look at your files. A decryptor has already been made, but it does not decrypt 'JSWORM 4.0' files. Perhaps it will be possible in the future.
  21. You need to attach the file JBUIIGF-DECRYPT.hta. Note! The file must be archived with the password 123
  22. We have not seen any other cases after March this year. https://support.emsisoft.com/topic/32879-jsworm-403/