Amigo-A

Visiting Expert
  • Posts: 2288
  • Joined
  • Last visited
  • Days Won: 56

Everything posted by Amigo-A

  1. @ahmed kotb This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. There are now a lot of victims on the forum from different variants of this Ransomware. In some cases the files can be decrypted. This is possible only in cases where the files were encrypted with offline keys and an instance of the malware was detected. Demonslay335 (the developer of STOPDecrypter) collects information from the victims, writes the data and tries to update STOPDecrypter. After that, victims can try to decrypt their files. A positive result and a lucky chance are not always possible. Download STOP Decrypter >>> First try to decrypt a small group of files, but make copies of them before this. If STOPDecrypter can't recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on the computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check the PC and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  2. readme.txt is a very common name for all ransom notes. You can also upload this note and several encrypted files here if you want me to confirm the identification or provide details.
  3. I have kept in contact with Michael when this happens, since the beginning of the multilingual version of IDR.
  4. It is a pity, as I said above, that these extortionists change something every time. A very changeable Ransomware. The previous versions could be deciphered. It was the same with Scarab Ransomware: it was decrypted easily, then it became difficult, and later decryption was not feasible. Impossible now, maybe in the future. No need to delete the files if they are valuable to you.
  5. While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ Note: If anything that appears suspicious is found in your logs, then your post will be moved into a new topic to facilitate better communication between you and whoever is assisting you. We'll also try to make sure that you are following the new topic so that you receive e-mail notifications when someone replies to it.
  6. If STOPDecrypter can't recover your files yet, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
  7. @yousef_elmalk From your logs: uninstall Reimage Protector. It will not protect your PC. If all this was on your PC before the STOP Ransomware attack with the .kiratos extension, then it should be clear that this will not protect your PC and it will be attacked again.
  8. @mdaher It will not protect your PC. Uninstall it.
  9. In the first post there is your ransom note.
  10. It may be in other folders with encrypted files.
  11. @AdMiRaL Also look for a note HOW TO DECRYPT FILES.hta. It usually looks like an icon in a blue frame. It should also be on your desktop. Some antiviruses fear this type of note and delete it into Quarantine.
  12. Yes of course. They do not require it. This is a new version and...
  13. @AdMiRaL @Bojan Atanasijevic No need to pay anything in advance! They will report in the ticket you opened whether the files can be decrypted and give instructions for payment and so on. In contrast, at ESET, which also provides paid file decryption, they offer to buy a license first and later try to decrypt the files. --- These are anti-virus companies known worldwide. After purchasing a package with a licensed program, the buyer becomes a legal user and customer of the company. DrWeb and ESET decrypt files for their clients free and without any problems if the protection they purchased was already on the PC and was active, i.e. had not expired and was not turned off at the time of the attack. I have nothing to do with them and I am not a user of their programs now. --- Do not use the services of various intermediaries and companies that advertise decryption on the Internet! This is 99% a deception and a change in the value of the ransom. In many countries of the world, by law, whoever (a group of persons, an intermediary, a person, a company) conspires with the criminals is an accomplice to the crime and is also prosecuted. This does not apply to victims, of course...
  14. @AdMiRaL @Bojan Atanasijevic The files after a DCRTR-WDM Ransomware attack can be decrypted by Dr.Web specialists. Dr.Web classifies it as Trojan.Encoder.26981, Trojan.Encoder.27259 and others. Dr.Web specialists perform the decryption itself for free, but to get the decryption key and decrypt all files you need to get a Rescue Pack (rescue package), which includes Dr.Web Security Space's licensed anti-virus protection for 2 years. For users from Russia the package price is 5299 rubles, and for foreigners 150 € (euro). This service without the Dr.Web rescue package is not available. Official English link: https://legal.drweb.com/encoder/?lng=en There is also support for other languages. A test decryption is done for free. It is necessary to send both the ransom notes and encrypted files of different formats. You must do this yourself, without intermediaries. I know that over the past 6 months there have been several happy occasions. Can your files be decrypted? I don't know. The extortionists could change the encryption so that it is impossible to determine the decryption key. It is always expected.
  15. Sorry, I was distracted by an urgent call and I did not have time to finish the message. Wait a moment, I write details.
  16. Bojan Atanasijevic gave us two scrap files: HOW TO DECRYPT FILES.txt + HOW TO DECRYPT FILES.hta When uploading the txt and hta notes there will be two results. One will point to Xorist, and the other to Dharma. https://id-ransomware.malwarehunterteam.com/identify.php?case=03ab5d464383972db0e5e170d2d4bc2082ab003d https://id-ransomware.malwarehunterteam.com/identify.php?case=7391784c146c9cb877fffcc1b7eb9e07f993d3ab Both do not reflect the accuracy, because the extortionists use the names that are characteristic of these two Ransomware to deceive the identification service. This is DCRTR-WDM Ransomware. In the service it is identified as DCRTR Ransomware (as the general item DCRTR Family). No free decryptor.
  17. Realistically. But the Xorist identification is incorrect. Reality needs to be clarified to the end. Extortionists use the name of the note from Xorist to deceive identification. This is a well-known technique. Service is not to blame.
  18. @AdMiRaL @Bojan Atanasijevic The usual recommendation on the forum is to upload a note and an encrypted file to the service ID Ransomware. Did you do it? Upload 1 note HOW TO DECRYPT FILES.txt + 1 encrypted file. Then 1 note HOW TO DECRYPT FILES.hta + 1 encrypted file. --- I already did this using the files you uploaded, but I want you to do this and see for yourself. And then copy the links to the results and paste them here.
  19. You need to check your PC and make sure that no Ransomware components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/ You can use Emsisoft Anti-Malware Home (30 days for free) to scan your system and disks and be safe until you decide how to protect your PC and the information on your drives. Just do not remove the Quarantine; let the specialists from Emsisoft see it.
  20. @Antonio Felix This is also text from Phobos Ransomware. You have already been told that for it there is no free decryptor. Before Phobos, the files were encrypted by another encryptor. One encryption overlaid another.
  21. @Antonio Felix Amendment! The file you downloaded now has the name: ***marZo.xls.crypted.id[9EF7A78C-1023].[[email protected]].actin Here the 1st part, .id[9EF7A78C-1023].[[email protected]].actin, reports that the file is encrypted with Phobos Ransomware; this can be seen even without special tools. The 2nd part, .crypted, reports that before Phobos the file was encrypted by another encryptor. Thus, your file has been encrypted twice. The .crypted extension is very common. If you find another note, it can be found out which encryptor was first. This is necessary not for sporting interest or mere curiosity, but in order to exclude all possible ways of penetration into the system and methods of attacking your PC.
  22. I would like the victims to download at least a note and 1 file, rather than leaving immediately in an unknown direction. At one glance and without IDR it is possible to identify in this note a new version of Scarab Ransomware, about which we do not know.
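As an added example (not from the post or from the Emsisoft forum), a small Python parser that splits a Phobos-style file name into its layers, so a defender triaging a case can see at a glance whether a file was encrypted twice as post 21 describes. The `.id[...].[...].ext` layout and the victim ID follow the post; the contact address is a constructed placeholder, and the set of prior-encryptor markers is an assumption limited to the `.crypted` extension the post names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Phobos appends ".id[<victim id>].[<contact>].<ext>" to the existing name.
# The victim ID shape (8 hex digits, dash, 4 digits) is taken from the post.
PHOBOS_SUFFIX = re.compile(
    r"^(?P<stem>.+?)\.id\[(?P<victim_id>[0-9A-Fa-f]{8}-\d{4})\]"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Assumption: only the marker the post mentions. Extend per case.
PRIOR_MARKERS = frozenset({"crypted"})


@dataclass
class LayeredName:
    original_name: str              # name before any encryptor touched it
    phobos_id: Optional[str]        # victim ID inside .id[...]
    phobos_contact: Optional[str]   # contact address inside [...]
    phobos_ext: Optional[str]       # Phobos variant extension, e.g. "actin"
    prior_marker: Optional[str]     # extension left by an earlier encryptor

    @property
    def layers(self) -> int:
        """Number of encryption layers recognised in the name."""
        return (1 if self.phobos_id else 0) + (1 if self.prior_marker else 0)


def parse_layered_name(filename: str,
                       prior_markers=PRIOR_MARKERS) -> LayeredName:
    """Peel the Phobos suffix, then any known earlier-encryptor extension."""
    m = PHOBOS_SUFFIX.match(filename)
    if m:
        stem = m["stem"]
        phobos = (m["victim_id"], m["contact"], m["ext"])
    else:
        stem, phobos = filename, (None, None, None)
    prior = None
    base, dot, last = stem.rpartition(".")
    if dot and last.lower() in prior_markers:
        prior, stem = last.lower(), base
    return LayeredName(stem, *phobos, prior)


if __name__ == "__main__":
    # Constructed sample; the contact is a placeholder, not a real address.
    sample = "marZo.xls.crypted.id[9EF7A78C-1023].[contact@example.invalid].actin"
    info = parse_layered_name(sample)
    print(f"{info.original_name}: {info.layers} layer(s), prior={info.prior_marker}")
```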
  23. Yes, it is the same GlobeImposter-2. You are welcome.
  24. There are several suspicious files, also check with the Emsisoft Emergency Kit https://www.emsisoft.com/en/home/emergencykit/ Do not delete the quarantine until you show the results or a screenshot.
  25. @bangjonijoni While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/