Amigo-A

Everything posted by Amigo-A

  1. Description Ryuk and Ryuk 2.0 Ransomware >>
  2. This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. The malware variant of STOP ransomware, which encrypted files and added the .truke extension to them, was active in November-December 2018. Now on the forum there are a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. @Demonslay335 (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. Download STOP Decrypter >>> First try to decrypt a small group of files, only make copies of them before this. If STOPDecrypter won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter --- An important message about the need to check the PC so that the malware does not encrypt new files or recode the encrypted files. --- While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers, which infect and will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check the PC and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  3. After such an operation, some files (PDF among them) may open if partial encryption was done there. If you compare the original files with them, then you can find the differences. But among the many variants of Ransomware we have seen cases: - when files could partially open after such an operation; - when files were not encrypted at all; - when files were damaged due to an encryption error.
  4. Yes, now you can see that your files are encrypted with Sodinokibi Ransomware. My identification is verified.
  5. This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. The malware variant of STOP ransomware, which encrypted files and added the .stone extension to them, was active in November-December 2018. Now on the forum there are a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. @Demonslay335 (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. Download STOP Decrypter >>> First try to decrypt a small group of files, only make copies of them before this. If STOPDecrypter won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers, which infect and will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check the PC and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  6. @Norddine I uploaded your files for identification on the service. This is the result of automatic identification. https://id-ransomware.malwarehunterteam.com/identify.php?case=00c9e1a49467070520f39e5d94f9d1173fbb1d31
  7. For proper identification, you need to upload a note r8b756g899-readme.txt and one encrypted file. Sodinokibi is identified by a number of known signs. Attach files here or upload to service ID Ransomware.
  8. Hello @Chris The Sodinokibi Ransomware is still under research and not a single file decryption tool has been released. For proper identification, you need to upload a note and one encrypted file. Sodinokibi is identified by a number of known signs.
  9. This is still under research and not a single file decryption tool has been released.
  10. Hello. This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. The malware variant of STOP ransomware, which encrypted files and added the Pumax extension to them, was active in November-December 2018. Now on the forum there are a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. @Demonslay335 (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. Download STOP Decrypter >>> First try to decrypt a small group of files, only make copies of them before this.
  11. Yes, now it is known for sure, that your files are encrypted by Sodinokibi Ransomware. My identification is accurate. So that there is no doubt, I also uploaded the note file and your encrypted file to the service ID Ransomware. The results of my and automatic identification are the same. https://id-ransomware.malwarehunterteam.com/identify.php?case=ed59f3576d54aefba856f2a26ecf4567fd4c0db0
  12. There is no chance at this time, but in the future a method may appear that will help to do this.
  13. Different malicious programs can hide in different ways. If you did a reinstall as you said, then it should not remain in the system. But perhaps you have saved some files in which there was an installation or boot file of this malware.
  14. @torikf Hello. I have already identified the Sodinokibi Ransomware, which encrypted your files, but I need to confirm this. Attach also the original ransom note file from which you copied this text. Or confirm that the ransom note is called ej5squ-readme.txt. Is that correct?
  15. @TecnoMania2020 The logs do not contain information about malicious files. Probably, 360 Total Security did the cleaning.
  16. Michael updated STOPDecrypter v2.1.0.13 with the OFFLINE key for .neras. OFFLINE ID: fl1QN31tuQBZKd6Q43Bemee0EycF0HBYEjwpQTt1 https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  17. Yes, there is only a paid one, which the extortionists provide. But extortioners cannot be trusted, they can hide with money, they can make a mistake and provide a broken decryptor, or their server can be turned off. There are too many probabilities that the money will be wasted.
  18. ZYASPGNF-MANUAL.txt - this is the ransom note file from GandCrab 5.2; 84I5806DL2N.txt.zyaspgnf - this file has been encrypted by GandCrab 5.2; script.ps1 - a file from other Ransomware.
  19. There is no free way and no free file decryption tool. Alas.
  20. These addresses are used by extortionists who activated a Maoloa Ransomware that was similar to GlobeImposter-2, but different in a number of ways. I singled out this extortionist with variants in a separate article. In the title there is a link to an English translation. Extension .Horse4444 - This is a new variant of Maoloa Ransomware, but only the extension changes there.
  21. If a remote server of extortioners is used at the time of decryption, then this may be the explanation of the reason. It could be disconnected from the source of electricity or blocked. Try with another group of files when the Internet is connected.
  22. You also need to know the following... Demonslay335 (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. And it cannot be decrypted yet. You need to wait for the new version, where it will be supported. When this is supported, the decryptor will be updated and you will need to download the file. Download STOP Decrypter >>> First try to decrypt a small group of files, only make copies of them before this. If even then STOPDecrypter won't be able to recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
  23. This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. Now on the forum there are a lot of victims from different variants of this Ransomware. In some cases, the files can be decrypted. This is possible only in the case where the files were encrypted with offline keys and an instance of the malware was detected. While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers, which infect and will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check the PC and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/