Amigo-A
Visiting Expert
Posts: 2436
Days Won: 61

Everything posted by Amigo-A

  1. This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. The variant of STOP Ransomware that encrypted files and added the .stone extension to them was active in November-December 2018. Now there are a lot of victims on the forum from different variants of this Ransomware. In some cases, the files can be decrypted. @Demonslay335 (the developer of the STOPDecrypter) collects information from the victims, records the data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. Download STOP Decrypter >>> First try to decrypt a small group of files, but make copies of them before this. If STOPDecrypter isn't able to recover your files yet, it can still be used to get information that may help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter While most ransomware will automatically delete itself after it finishes encrypting files, some now leave behind components on computers which will infect and encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check the PC and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  2. @Norddine I uploaded your files for identification on the service. This is the result of automatic identification. https://id-ransomware.malwarehunterteam.com/identify.php?case=00c9e1a49467070520f39e5d94f9d1173fbb1d31
  3. For proper identification, you need to upload the ransom note r8b756g899-readme.txt and one encrypted file. Sodinokibi is identified by a number of known signs. Attach the files here or upload them to the ID Ransomware service.
  4. Hello @Chris The Sodinokibi Ransomware is still under research and not a single file decryption tool has been released. For proper identification, you need to upload a note and one encrypted file. Sodinokibi is identified by a number of known signs.
  5. This is still under research and not a single file decryption tool has been released.
  6. Hello. This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. The variant of STOP Ransomware that encrypted files and added the Pumax extension to them was active in November-December 2018. Now there are a lot of victims on the forum from different variants of this Ransomware. In some cases, the files can be decrypted. @Demonslay335 (the developer of the STOPDecrypter) collects information from the victims, records the data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. Download STOP Decrypter >>> First try to decrypt a small group of files, but make copies of them before this.
  7. Yes, now it is known for sure that your files are encrypted by Sodinokibi Ransomware. My identification is accurate. So that there is no doubt, I also uploaded the note file and your encrypted file to the ID Ransomware service. My identification and the automatic identification give the same result. https://id-ransomware.malwarehunterteam.com/identify.php?case=ed59f3576d54aefba856f2a26ecf4567fd4c0db0
  8. There is no chance at this time, but in the future a method may appear that will help to do this.
  9. Different malicious programs can hide in different ways. If you did a reinstall as you said, then it should not remain in the system. But perhaps you saved some files that contained an installation or boot file of this malware.
  10. @torikf Hello. I have already identified the Sodinokibi Ransomware which encrypted your files, but I need to confirm this. Also attach the original ransom note file from which you copied this text, or confirm that the ransom note is called ej5squ-readme.txt. Is that correct?
  11. @TecnoMania2020 The logs do not contain information about malicious files. Probably, 360 Total Security did the cleaning.
  12. Michael updated STOPDecrypter v2.1.0.13 with the OFFLINE key for .neras. OFFLINE ID: fl1QN31tuQBZKd6Q43Bemee0EycF0HBYEjwpQTt1 https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip
  13. Yes, there is only the paid one, which the extortionists provide. But extortionists cannot be trusted: they can disappear with the money, they can make a mistake and provide a broken decryptor, or their server can be turned off. There are too many ways in which the money could be wasted.
  14. ZYASPGNF-MANUAL.txt - this is the ransom note file of GandCrab 5.2.
      84I5806DL2N.txt.zyaspgnf - this file has been encrypted by GandCrab 5.2.
      script.ps1 - a file from a different Ransomware.
  15. There is no free way and no free file decryption tool. Alas.
  16. These addresses are used by extortionists who activated a Maoloa Ransomware that was similar to GlobeImposter-2, but different in a number of ways. I singled out this extortionist and its variants in a separate article. In the title there is a link to an English translation. Extension .Horse4444 - this is a new variant of Maoloa Ransomware, but only the extension changes there.
  17. If the extortionists' remote server is used at the time of decryption, then this may be the explanation. It could be disconnected from its power source or blocked. Try again with another group of files while the Internet is connected.
  18. You also need to know the following... Demonslay335 (the developer of the STOPDecrypter) collects information from the victims, records the data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. And it cannot be decrypted yet. You need to wait for the new version, where it will be supported. When it is supported, the decryptor will be updated and you will need to download the file. Download STOP Decrypter >>> First try to decrypt a small group of files, but make copies of them before this. If STOPDecrypter still isn't able to recover your files, it can still be used to get information that may help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
  19. This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. Now there are a lot of victims on the forum from different variants of this Ransomware. In some cases, the files can be decrypted. This is possible only in the case where the files were encrypted with offline keys and an instance of the malware was detected. While most ransomware will automatically delete itself after it finishes encrypting files, some now leave behind components on computers which will infect and encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check the PC and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  20. Here on the forum there were already 5 topics with the same variant of GlobeImposter-2. I posted links to samples uploaded to VirusTotal. But decrypting files after it will not work.
  21. We identify all new variants under the CryptoMix-Revenge Ransomware group. Last year there was already one variant with the .SYS extension, but with other contacts. I did not make a separate article then, and added it below the article in a section for appendices. Name within the family: CryptoMix-SYS Ransomware. If it is distributed more widely, I will make a separate description. But there is no free decryptor for this variant.
  22. @BJammin Hello. When (date) did the file encryption happen? Attach to the message, or send me in a PM, the original ransom note file and two encrypted files. Do not change or edit anything. The primary source of information on CryptoMix-DLL Ransomware is my site. I uploaded the malware samples to the analysis services and gave the link to the BleepingComputer representative. All other descriptions of this ransomware are secondary or info-theft if they do not provide a link to the primary source. The Sys-variant of CryptoMix is described in the main topic as an update (section after the article).
  23. @ahmed kotb This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017. Now there are a lot of victims on the forum from different variants of this Ransomware. In some cases, the files can be decrypted. This is possible only in the case where the files were encrypted with offline keys and an instance of the malware was detected. Demonslay335 (the developer of the STOPDecrypter) collects information from the victims, records the data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. Download STOP Decrypter >>> First try to decrypt a small group of files, but make copies of them before this. If STOPDecrypter isn't able to recover your files yet, it can still be used to get information that may help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter While most ransomware will automatically delete itself after it finishes encrypting files, some now leave behind components on computers which will infect and encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check the PC and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  24. readme.txt is a very common name for ransom notes of all kinds. You can also upload this note and several encrypted files here if you want me to confirm the identification or provide details.
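Several of the posts above repeat the same triage routine for a STOP victim: collect the ransom note and the encrypted extension for identification, check whether the personal ID in the note is an offline one (post 12 gives the .neras OFFLINE ID), and try the decryptor on a small group of copied files rather than on the originals. The script below is an added example that automates that routine; it is not Amigo-A's, Emsisoft's or Demonslay335's code. It assumes three things that the posts do not state: the list of ransom-note filename patterns is illustrative, the note carries its ID on the line after "Your personal ID:", and STOP offline IDs are recognised by their trailing "t1" (the ID in post 12 has that suffix). The sample folder and note it builds are constructed for the demo.

```python
"""Triage helper for a folder hit by STOP/Djvu-style ransomware.

Added example, not the forum author's or Emsisoft's tool. Assumptions are
marked in comments; the demo tree and note are constructed for illustration.
"""
import collections
import os
import re
import shutil
import tempfile

# Assumption: illustrative ransom-note filename patterns (readme.txt-style names
# are shared by many families, so the note alone does not identify the family).
NOTE_NAME_RE = re.compile(r"(readme|manual|how_to|decrypt|restore).*\.txt$", re.I)

# Assumption: the note prints the ID on the line after "Your personal ID:".
PERSONAL_ID_RE = re.compile(r"Your personal ID:\s*\r?\n\s*([A-Za-z0-9]+)", re.I)

# Constructed sample note; the ID is the .neras OFFLINE ID quoted in post 12.
SAMPLE_NOTE = (
    "ATTENTION!\n"
    "Don't worry, you can return all your files!\n"
    "Your personal ID:\n"
    "fl1QN31tuQBZKd6Q43Bemee0EycF0HBYEjwpQTt1\n"
)


def parse_personal_id(note_text: str):
    """Return the personal ID from a ransom note, or None if not found."""
    match = PERSONAL_ID_RE.search(note_text)
    return match.group(1) if match else None


def is_offline_id(personal_id: str) -> bool:
    """Assumption: STOP offline IDs end in 't1'; only those are candidates for
    an OFFLINE key like the one added to STOPDecrypter v2.1.0.13 for .neras."""
    return personal_id.endswith("t1")


def inventory(root: str):
    """Count file extensions and collect candidate ransom notes under root."""
    ext_counts = collections.Counter()
    notes = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if NOTE_NAME_RE.search(name):
                notes.append(path)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext:
                ext_counts[ext] += 1
    return ext_counts, notes


def stage_sample(root: str, ext: str, dest: str, limit: int = 5):
    """Copy up to `limit` files with extension `ext` into dest (outside root),
    so a trial decryption never touches the originals."""
    os.makedirs(dest, exist_ok=True)
    copied = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if len(copied) >= limit:
                return copied
            if name.lower().endswith(ext):
                dst = os.path.join(dest, name)
                shutil.copy2(os.path.join(dirpath, name), dst)
                copied.append(dst)
    return copied


def run_demo():
    """Build a constructed victim folder, triage it, and return the findings."""
    root = tempfile.mkdtemp(prefix="victim_")
    trial = tempfile.mkdtemp(prefix="trial_")
    try:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        for name in ("budget.xlsx.neras", "photo.jpg.neras", "thesis.docx.neras"):
            with open(os.path.join(docs, name), "wb") as fh:
                fh.write(os.urandom(64))  # constructed stand-in for ciphertext
        with open(os.path.join(docs, "_readme.txt"), "w") as fh:
            fh.write(SAMPLE_NOTE)

        ext_counts, notes = inventory(root)
        top_ext = ext_counts.most_common(1)[0][0]
        with open(notes[0]) as fh:
            personal_id = parse_personal_id(fh.read())
        staged = stage_sample(root, top_ext, trial, limit=2)
        return {
            "extension": top_ext,
            "count": ext_counts[top_ext],
            "notes": [os.path.basename(n) for n in notes],
            "personal_id": personal_id,
            "offline": is_offline_id(personal_id),
            "staged": len(staged),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(trial, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The findings dictionary is what you would paste into an identification request: the dominant extension, the note filename, and the personal ID with its offline/online classification. Only the staged copies in the trial directory are handed to the decryptor; if it fails, the originals are still intact for a later decryptor update.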