Amigo-A

Everything posted by Amigo-A

  1. Yesterday I received a message from Dr.Web specialists that they cannot decrypt the sent files. If there is a better result, they will inform me.
  2. @Hannes and others: Yesterday I received a message from Dr.Web specialists that they cannot decrypt the sent files. If there is a better result, they will inform me. Yes, it took 2 months, but they did not give up: the calculations and attempts to decrypt continued.
  3. If buying any of them is impossible due to financial difficulties, then you can change them every month. Almost all comprehensive protection products have a '30-day trial period' with full-featured protection. You can just try each one before you buy. It is legal and accessible to everyone. You can try as many as you like, enough for 1 year of testing.
  4. Emsisoft Emergency Kit is an on-demand scanner and will not provide you with ongoing protection. Emsisoft Anti-Ransomware must be used to provide complete protection. Other comprehensive protection providers may have Internet Security or AntivirusPro in their name.
  5. Looking at the description Smadav provided on the developer's website, this is just additional protection. It does not and will not provide you with protection from crypto-ransomware. The free version of Panda also won't provide you with the level of protection you need from ransomware. No free or additional antivirus for flash drives will protect your PC and files from programs that encrypt files and penetrate through remote access. Even if you successfully install 5-10 such programs, the ransomware will infiltrate the PC and encrypt your files. It is commonly said that the weakest link in PC security sits between the keyboard and the computer screen. Yes, this is the user, because with his own hand he can launch malware that corrupts the system or encrypts files. I looked at your posts on the forum and read that you always download something from dubious sites and run it to view and use. You never say that you previously checked the downloaded files with an AV or uploaded them for verification to the VT site or elsewhere. Are you checking downloaded files? By the way, in some cases such a check will not help to identify the encoder. But most antiviruses have a cloud-based scan, and with its help they can find more suspicious code in programs. There are also other malicious components in the 'STOP Ransomware' encoder, and the antivirus should have responded when scanning files on demand.
  6. Also... Attach several encrypted files and a ransom note (only the original file) to your message. We will check it manually, investigate and create a description if it is unknown ransomware.
  7. Perhaps Emsisoft analysts can figure out something. Added identification as 'DeathOfShadow' to the 'ID Ransomware' service.
  8. A RAR file with a password will not be analyzed. The file is protected from research. Here is an open result on VT. https://www.virustotal.com/gui/file/6c7ee3d9bdb647382946f854a517b72a5ddf6d4804fd2fa75a84619c8548d121/detection The encryptor did not show itself in any way.
  9. Your files:
     adslocal.cfg.[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption.[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption
     Log.txt.[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption.[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption
     Your files were encrypted four times by different variants of this ransomware. This indicates that the malware is still active on your PC. The variant with the .eruption extension has been used since June. The variant with the .magneto extension appeared in August. My article in the Digest "Crypto-Ransomware". It is urgent to neutralize the infection, otherwise it will prevent you from using your PC. Due to the different extensions, I can assume that even two variants of this ransomware are active, if they encrypt files alternately.
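As an added example (not part of the original post), a small Python parser for the layered '.[ID].extension' suffixes quoted in the post above; it peels the suffixes off a file name so the number of encryption passes, and the IDs and extensions involved, can be read from the names themselves. The sample names are the two from the post.

```python
import re
from typing import List, NamedTuple, Tuple

# Constructed sample input: the two file names quoted in the post.
SAMPLE_NAMES = [
    "adslocal.cfg.[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption"
    ".[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption",
    "Log.txt.[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption"
    ".[FFF0FD830BD189BE0002AE5C0A251B5325].magneto.[01F0FD830BD189BE0002AE5C0A251B5325].eruption",
    "notes.txt",  # unencrypted control case
]


class Layer(NamedTuple):
    victim_id: str   # hex ID inside the square brackets
    extension: str   # extension appended after the ID


# One trailing '.[HEX].ext' unit; matched repeatedly from the end of the name.
LAYER_RE = re.compile(r"\.\[([0-9A-Fa-f]+)\]\.([A-Za-z0-9]+)$")


def split_layers(name: str) -> Tuple[str, List[Layer]]:
    """Return (original file name, layers in the order they were applied).

    The outermost suffix is the most recent pass, so suffixes are collected
    from the end and then reversed to give chronological order.
    """
    layers: List[Layer] = []
    while True:
        m = LAYER_RE.search(name)
        if not m:
            break
        layers.append(Layer(m.group(1).upper(), m.group(2)))
        name = name[: m.start()]
    layers.reverse()
    return name, layers


def summarize(name: str) -> dict:
    """Count passes and distinct IDs/extensions; flag names encrypted more than once."""
    original, layers = split_layers(name)
    return {
        "original": original,
        "passes": len(layers),
        "extensions": [l.extension for l in layers],
        "ids": sorted({l.victim_id for l in layers}),
        "reencrypted": len(layers) > 1,
    }


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(summarize(n))
```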
  10. Attach a ransom note and several encrypted files to your message. Place the executable file in an archive with the password 'infected' and also attach it to the message.
  11. Hello, @hartok It looks like "offline ID" if you haven't changed anything in it. You probably need to read a little "Help" on this.
  12. Attach several encrypted files and a ransom note to your message. Do not change or edit anything in these files.
  13. Yes, files with the .pykw extension cannot be decrypted using the 'encrypted file + original file' pair option. This option is only for older versions, when different encryption was used. The decryption key for the .pykw extension has not yet been loaded into the decryptor, so it cannot decrypt files yet. This will be done after someone pays the ransom and voluntarily shares the decryption key with the Emsisoft decryption service.
  14. Hello @Axel I just checked. No, for now this variant cannot be decrypted. Nobody has provided the key. Have you already checked your PC for this and other malware? There may be an infostealer left there.
  15. This is the result of a 'STOP Ransomware' attack. New variant. Read this guide.
  16. The encrypted files of that time can be decrypted in some cases. You need to read this manual to use the decryption service and teach it to decrypt your files.
  17. This is the result of a 'STOP Ransomware' attack. The first case with the .bopador extension occurred on July 24, 2019.
  18. Hello Slobodan. I recommend leaving them for the future. Sometimes malware and ransomware distributors shut down their projects and release keys so they can be applied. There is only a 1-2 out of 100 chance that this will happen, but it is not 0.
  19. Attach the file _readme.txt to your message.
  20. Attach several encrypted files and a ransom note to your message.
  21. Yes, this is the result of a Phobos Ransomware attack. The variant with this address has been known since March 2020. Until now, none of the decryption specialists and anti-virus labs have reported that they are close to decryption. Therefore, if someone on the Internet offers you decryption, it is certainly another scammer. First let us know and we will check their "super-capabilities".
  22. No. In this case, it is wrong to talk about percentages. Most likely, they could steal some data before they started encryption. In extortion, encryption can be the second or even third element of an attack. For example, the model may be as follows: first, the Trojan downloader is introduced, then surveillance is carried out, desktop screenshots are taken and a list of frequently opened files and folders and of visited sites is compiled. The obtained preliminary information is easily sent to the attacker's server and processed, then a command is issued to additionally download the "interesting" parts. After the information, with which they can blackmail and confirm the ability to decrypt files, has been downloaded to the attackers, a command is issued to encrypt the files. This may take one or more days in the case of STOP Ransomware. Above, I gave you a link to the analysis in which Ursnif takes top place. You can search by this name or use the links to articles that appear in this link if you click on the name 'Ursnif Malware'. It has been used to steal data for about 7 years or more. If the extortionists who use STOP Ransomware for encryption have adopted this tool, it means that it is not just by chance. Rest assured that they will try to get the maximum benefit out of the affected PC if their malware is not destroyed.
  23. Two-factor authentication also has its own vulnerabilities. SMS is an unreliable security element. If no one tried and logged into your account before you safely changed your passwords, then this time you have probably secured the data on the disk.