Amigo-A

Everything posted by Amigo-A

  1. Yes, I also want to know about it. For now, I recommend that victims take copies of files for the decryption test (I corrected several messages to make these corrections). According to my observations, the victims are still trying to decrypt the files without this recommendation.
  2. If you want to collect files in a separate place and reinstall the system, then save all the files in the same folders in which they were at the time of encryption. This is necessary in the case that I mentioned above - in the presence of different encryption keys and IDs.
  3. Demonslay335 (the developer of the STOPDecrypter) regularly updates the decrypter, adding new keys, options and features. This work is voluntary and free. When it is possible to help personally, he contacts the victims. Only files encrypted with offline keys can be decrypted. Each computer can have both online-key and offline-key encryption. If there is not a single file on the PC encrypted with offline keys, then in the near future it will not be possible to decrypt the files. Perhaps in the future a method will be found that will allow deciphering all possible cases of encryption after STOP Ransomware.
  4. Yes. HTML files downloaded from attachments contain text code which hides the email.
  5. Yes, this is the note format and ID of GlobeImposter 2.0. Unfortunately, I did not see the addresses of the ransomware to catalog the case. Forum settings for some reason hide them. This is the first time I have seen this. Why hide the ransomware addresses? These addresses are temporary, so it makes no sense to hide them. Identification without the addresses of the extortionists loses meaning. This is similar to when a forensic expert provided evidence without fingerprints. I looked in my base; it has reports of this IGAMI extension (without other data) in March 2019. If it is not difficult for you, copy the email addresses from a ransom note and send them to me in PM.
  6. Unfortunately, this is one of the successful extortionists and no one has yet been able to decrypt the current versions. In the past, there have been cases of decrypting some variants, thanks to a leak of keys.
  7. Marsel, yes, now I can confirm this result. In my article on Dharma Ransomware this extension occurs many times. But it is not used as a separate item, but only as part of a group. For your file ACE.dll.id-16B37617.[[email protected]].gate a compound extension .id-16B37617.[[email protected]].gate was used. The email [email protected] is an address of the extortionists. This '16B37617' is your ID as a victim of the ransomware. This is the general pattern of Dharma Ransomware, .id-<id>.[<email>].gate, for encrypted files of the version with the extension .gate.
  8. We do not know this variant with the .IGAMI extension. You must attach 2-3 encrypted files and a ransom note from the extortionists so that we can say something. You probably used an old GlobeImposterDecrypter that could only decrypt earlier versions of GlobeImposter from a few years ago. Since April 2017, another version has been active, which the 'ID Ransomware' service knows as GlobeImposter 2.0. Since that time, a decrypter for new versions has not been released.
  9. This extension is too common to say anything. You must attach 2-3 encrypted files and a ransom note from extortionists.
  10. Hello, Marsel. Identification does not end there. Sometimes automatic identification may be incorrect. Therefore, adjustment and study are required. Prior to our answer, we ask you not to look on the Internet for any decryption methods. There are a lot of sites that offer to download a software solution that "will do everything". THIS IS A LIE! We continue to investigate files, even if we know that there is currently no way to decrypt. I ask you to tell us the identification results and attach to your message 2-3 encrypted files and the files with the ransom requirements. There should be 1 text file and one file with the extension hta or html. Place them in an archive before attaching them to the message. If the file size is more than 10 megabytes, then use the www.sendspace.com service to upload the file there and give us a link to download and research.
  11. Such a nuance was a long time ago. After that, Michael changed the StopDecrypter so that it could not damage the files under any action. There should even be a warning. README.txt
  12. Sometimes there can be such a situation. Check whether the Notebook is the default program. Create a simple text file on your Desktop. Write a few words there, save, close and open it again. What program does it open in? Is it Notepad or MS Word? A ransom note should be called _readme.txt.
  13. The identification result from ID Ransomware will be a link to the support topic on the BC forum, but there is no known way to decrypt files after this version of Dharma. We are sorry ... This '.id-XXXXXXXX.[[email protected]].ETH' was added to your files. This 'XXXXXXXX' is your ID as a victim of Dharma Ransomware. This '[email protected]' is an address of the extortionists. This '.ETH' is the ending extension for your encrypted files. This '.id-XXXXXXXX.[[email protected]].ETH' is a compound extension for your encrypted files. This is the general pattern of Dharma Ransomware, .id-<id>.[<email>].ETH, for encrypted files of the version with the extension .ETH. This is the pattern of Dharma Ransomware, .id-<id>.[[email protected]].ETH, for your encrypted files.
  14. Hello, jaime! The malicious program that encrypts files is called Stop. Today a decoder for STOP Ransomware was released. Some files can be decrypted, but not all. Try STOPDecrypter. Try decrypting some files first by making a copy of them for testing. https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  15. Today the STOPDecrypter has been updated with support for the .sarut extension. https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip Try decrypting some files first by making a copy of them for testing.
  16. Today the STOPDecrypter has been updated with support for the .roldat extension. https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  17. Today the STOPDecrypter has been updated with support for the .roldat extension. https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  18. Today the STOPDecrypter has been updated with support for the .roldat extension. https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip Try decrypting some files first by making a copy of them for testing.
  19. mario.rossi, today the STOPDecrypter has been updated with support for the .dutan extension. https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip Try decrypting some files first by making a copy of them for testing.
  20. Heth, I checked. Yes, the Decrypter for MegaLocker does not work with your ransom note.
  21. Files with the extension .todarius have been encrypted by a new variant of STOP Ransomware. You need to read the first post of the topic and write the needed data in a message in the STOP Ransomware support topic or here.
  22. Anggito, the correct extension is .fedasot. Yes, this is a new variant of STOP Ransomware. We received the first requests on the weekend. You need to read the first post of the topic and write the needed data in a message in the STOP Ransomware support topic or here.
  23. Hello. This data reports that the files are encrypted by the Dharma Ransomware. But to be sure: 1) you need to upload the ransom note and one encrypted file to the ID Ransomware service; 2) attach a ransom note and one encrypted file to your new message. Take these steps and there will be no question of who has encrypted the files.
  24. hellhound08, upload the ransom note _readme.txt here. This is a new variant of STOP Ransomware. There is a STOP Decrypter, but official support for this variant has not yet been reported. It is the weekend now. Wait for a response from the support service soon.
  25. You should give us more information. Upload the ransom note here. --- Probably, this is a new variant of STOP Ransomware. There is a STOP Decrypter, but official support for this variant has not yet been reported. It is the weekend now. Wait for a response from the support service soon.
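
The compound-extension pattern described in posts 7 and 13 (.id-<id>.[<email>].<ending>), as an added example that is not part of the original posts: a Python parser that splits such file names into their parts and groups a listing by ID, address and ending extension. The 8-hex-character ID format (taken from the '16B37617' example), the function names and the sample names with a placeholder address are assumptions.

```python
import re
from collections import defaultdict

# Pattern from the posts: <original name>.id-<id>.[<email>].<ending extension>
# Assumption: the ID is 8 hex characters, as in the '16B37617' example.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>.+?)\]\.(?P<ending>[A-Za-z0-9]+)$"
)

def parse_dharma_name(filename):
    """Split an encrypted file name into its parts, or return None."""
    m = DHARMA_NAME.match(filename)
    if m is None:
        return None
    parts = m.groupdict()
    parts["victim_id"] = parts["victim_id"].upper()
    # Everything after the original name is the compound extension.
    parts["compound"] = filename[len(parts["original"]):]
    return parts

def summarize(filenames):
    """Group matching names by (ID, email, ending extension).

    More than one key means the listing mixes IDs, addresses or endings.
    """
    groups = defaultdict(list)
    unmatched = []
    for name in filenames:
        parts = parse_dharma_name(name)
        if parts is None:
            unmatched.append(name)
        else:
            key = (parts["victim_id"], parts["email"], parts["ending"])
            groups[key].append(parts["original"])
    return dict(groups), unmatched

# Constructed sample listing; the address is a placeholder.
SAMPLE = [
    "ACE.dll.id-16B37617.[contact@example.invalid].gate",
    "report.docx.id-16B37617.[contact@example.invalid].gate",
    "photo.jpg.id-0A1B2C3D.[contact@example.invalid].ETH",
    "notes.txt",
    "archive.id-backup.zip",
]

if __name__ == "__main__":
    groups, unmatched = summarize(SAMPLE)
    for (vid, email, ending), originals in groups.items():
        print(vid, email, ending, originals)
    print("not matching the pattern:", unmatched)
```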