Amigo-A

Visiting Expert
  • Posts: 2281
  • Joined
  • Last visited
  • Days Won: 56

Everything posted by Amigo-A

  1. In addition, I ask you to upload some encrypted files and a ransom note here. There are many cases when identification can combine different variants (notes, addresses, etc.), and only manually can we indicate the correct version.
  2. Sodinokibi has already existed for one and a half months.
  3. My file was created with first time. 😏
  4. Grishka, how can you carelessly visit these sites? Even when opening a page, the computer suffers attacks: JS, fake Flash Player and other things. Today, torrent files can certainly be malicious 90% of the time. 10 years ago it was still possible to safely download a torrent file and launch it with the hope that it would download exactly what you wanted. Even then there were already attacks that opened and substituted content. GT500
  5. Judging by the pace at which the malicious campaign spreading this Sodinokibi is developing, I see that they are not doing this for the first time. Previously, researchers independently of each other noted a kinship with another "sensational" Ransomware. I will not give its name so as not to contribute to its popularity. [They have robbed people of several billion dollars and recently announced the closure of this Ransomware project.] But the fact of the alleged relationship may indicate that the actors behind it could have previously taken part in distributing the extortioner that I do not name.
  6. OK. Thanks. This will be sufficient to summarize the available information and compile a description. Later I will add a link to the article. But to try to decrypt, we need to find and investigate a sample of the malicious file. Let there be two different places where you placed the information, since not all researchers visit both forums.
  7. Only the extortioners currently have a paid decrypter. We need samples of the encrypted files and the original ransom note for research and detailed identification.
  8. This identification is incorrect, or there is a relationship between the encoders. --- BURAN has appeared recently. It is promoted on underground forums. It takes time to explore its work and then try to make a decoder (decrypter).
  9. Grishka, this is Buran Ransomware. We need samples of the encrypted files and the original ransom note for research and detailed identification.
  10. Biju, in this case all of the above applies to you too.
  11. The JS file in the attachment is malicious. I do not know its functionality; perhaps it is the loader. Usually they are used to load or run the main file of the encoder. Researchers have enough samples of the different variants. No one has reported a decryptor.
  12. The support team will review the logs and tell you what to do. Do not depart from the topic; it is important for you. Wait for the answer of the specialist and the final decision.
  14. Probably, this is the result of a STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017, earlier than many antivirus programs. Some of them announced the discovery of one of the variants of this Ransomware only in August 2018, when there was a massive attack on residents of many countries. Unfortunately, this attack continues. Now there are a lot of victims on the forum from different variants of this extortionist. In some cases, the files can be decrypted. This is possible only in the case where the files were encrypted with offline keys and an instance of the malware was detected. Demonslay335 (the developer of the decoder) collects information from the victims, records the data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. Note: To identify this Ransomware and confirm my information, you can use the service ID Ransomware. It will give you a link to the support topic on the BleepingComputer forum; you need to read the first post of the topic and provide the requested information there or here: the MAC address of the network device. --- If STOPDecrypter can't recover your files, then note that it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter Also, while most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on the computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt.
It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  16. You have provided very little information ...
  17. At the moment there are no free decrypters for Sodinokibi Ransomware. This Ransomware is still being studied. There are several different variants. I described its early version in April, but have not yet completed the information. It differs little from the first sample, except for new text on a blue background.
  18. Imitators can also fool the service ID Ransomware, so regardless of the results that you get on the site ID Ransomware, do the following... I need to see the original ransom note HTML file. Please archive it without a password and attach it to your message. Do not attach it to the message without the archive, otherwise the file will be changed. Also place several encrypted files (jpg, png, doc, txt) in another archive and attach it to the message. If their size is larger than the allowed attachment, then upload this archive to www.sendspace.com and give us a link to download.
  19. To identify this Ransomware you can use the service ID Ransomware. It will give you a link to the support topic on the BleepingComputer forum. This may be GlobeImposter-2 Ransomware, but it may be different. Now there are imitators of it. But, unfortunately, there are no free ways to decrypt files after GlobeImposter-2.
  20. This has already been discussed before.
  21. The support team will review the logs and tell you what to do. Do not depart from the topic; it is important for you. Wait for the answer of the specialist and the final decision.