
Amigo-A

Visiting Expert
  • Posts: 2436
  • Joined
  • Last visited
  • Days Won: 61

Everything posted by Amigo-A

  1. Hello. This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017, which is earlier than many antivirus programs. Some of them announced the discovery of one of the variants of this Ransomware only in August 2018, when there was a massive attack on residents of many countries. Unfortunately, this attack continues. Now there are a lot of victims on the forum from different variants of this extortionist. In some cases, the files can be decrypted. This is possible only in the case where the files were encrypted with offline keys and an instance of the malware was detected. Demonslay335 (the developer of the decoder) collects information from the victims, records the data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. To identify this Ransomware and confirm my information, you can use the service ID Ransomware. It will give you a link to the support topic on the BleepingComputer forum; you need to read the first post of the topic and report the requested information there or here: the MAC address of the network device.
     ---
     If STOPDecrypter can't recover your files, then it can be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
     Also, while most ransomware programs will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt.
     It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  2. Hello. Archive the original .hta file and attach it to your post. Attach an archive with several encrypted files. If there is another note in text format, then also attach it to your message.
  3. The support team will review the logs and tell you what to do. Do not depart from the topic; it is important for you. Wait for the specialist's answer and the final decision.
  4. Hello. This is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017, which is earlier than many antivirus programs. Some of them announced the discovery of one of the variants of this Ransomware only in August 2018, when there was a massive attack on residents of many countries. Unfortunately, this attack continues. Now there are a lot of victims on the forum from different variants of this Ransomware. In some cases, the files can be decrypted. This is possible only in the case where the files were encrypted with offline keys and an instance of the malware was detected. Demonslay335 (the developer of the decoder) collects information from the victims, records the data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. To identify this Ransomware and confirm my information, you can use the service ID Ransomware. It will give you a link to the support topic on the BleepingComputer forum; you need to read the first post of the topic and report the requested information there or here: the MAC address of the network device.
     ---
     If STOPDecrypter can't recover your files, then it can be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
     Also, while most ransomware programs will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt.
     It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  5. @MitarX To identify this Ransomware you can use the service ID Ransomware. It will give you a link to the support topic on the BleepingComputer forum. This may be GlobeImposter-2 Ransomware, but it may be different. Now there are imitators of it. But, unfortunately, there are no free ways to decrypt files after GlobeImposter-2. I need to see the original ransom note HTML file. Please archive it without a password and attach it to your message. Do not attach it to the message without the archive, otherwise the file will be changed. If the ransom note file is in TXT format, you can simply attach it to the message without archiving. Also place several encrypted files (jpg, png, doc, txt) in another archive and attach it to the message. If their size is larger than the allowed attachment, then upload this archive to www.sendspace.com and give us a link to download it.
  6. In addition, I ask you to upload some encrypted files and a ransom note here. There are many cases when identification can combine different variants (notes, addresses, etc.), and only manually can we indicate the correct version.
  7. Sodinokibi has already existed for one and a half months.
  8. My file was created the first time. 😏
  9. Grishka How can you carelessly visit these sites? Even when opening a page, the computer suffers JS attacks, a fake Flash Player and something else. Today, torrent files can certainly be 90% malicious. Ten years ago it was still possible to safely download a torrent file and launch it with the hope that it would download exactly what you wanted. And then there were already attacks with the opening and substitution of content. GT500
  10. By the pace at which the malicious campaign spreading this Sodinokibi is developing, I see that they are not doing this for the first time. Previously, researchers independently of each other noted a kinship with another "sensational" Ransomware. I will not give its name so as not to contribute to its popularity. [They have robbed people of several billion dollars and recently reported the closure of this Ransomware project.] But the fact of the alleged relationship may indicate that the actors who stand behind it could have previously taken part in the dissemination of the extortioner which I do not name.
  11. OK. Thanks. This will be sufficient to summarize the available information and compile a description. Later I will add a link to the article. But to try to decrypt, we need to find and investigate a sample of the malicious file. Let there be two different places where you placed the information, since not all researchers visit both forums.
  12. Only the extortioners currently have a paid decrypter. We need samples of the encrypted files and the original ransom note for research and detailed identification.
  13. This identification is incorrect, or there is a relationship between the encoders. --- BURAN has appeared recently. It is promoted on underground forums. It takes time to explore its work and then try to make a decoder (decrypter).
  14. Grishka This is Buran Ransomware. We need samples of the encrypted files and the original ransom note for research and detailed identification.
  15. Biju In this case, all of the above applies to you too.
  16. The JS file in the attachment is malicious. I do not know its functionality; perhaps it is the loader. Usually they are used to load or run the main file of the encoder. Researchers have enough samples of different variants. No one has reported a decryptor.
  17. The support team will review the logs and tell you what to do. Do not depart from the topic; it is important for you. Wait for the specialist's answer and the final decision.
  18. The support team will review the logs and tell you what to do. Do not depart from the topic; it is important for you. Wait for the specialist's answer and the final decision.
  19. Probably, this is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017, which is earlier than many antivirus programs. Some of them announced the discovery of one of the variants of this Ransomware only in August 2018, when there was a massive attack on residents of many countries. Unfortunately, this attack continues. Now there are a lot of victims on the forum from different variants of this extortionist. In some cases, the files can be decrypted. This is possible only in the case where the files were encrypted with offline keys and an instance of the malware was detected. Demonslay335 (the developer of the decoder) collects information from the victims, records the data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. Note: To identify this Ransomware and confirm my information, you can use the service ID Ransomware. It will give you a link to the support topic on the BleepingComputer forum; you need to read the first post of the topic and report the requested information there or here: the MAC address of the network device.
     ---
     If STOPDecrypter can't recover your files, then note that it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
     Also, while most ransomware programs will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt.
     It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  20. Probably, this is the result of the STOP Ransomware attack. I have been tracking the malicious work of this program since December 2017, which is earlier than many antivirus programs. Some of them announced the discovery of one of the variants of this Ransomware only in August 2018, when there was a massive attack on residents of many countries. Unfortunately, this attack continues. Now there are a lot of victims on the forum from different variants of this extortionist. In some cases, the files can be decrypted. This is possible only in the case where the files were encrypted with offline keys and an instance of the malware was detected. Demonslay335 (the developer of the decoder) collects information from the victims, records the data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. Note: To identify this Ransomware and confirm my information, you can use the service ID Ransomware. It will give you a link to the support topic on the BleepingComputer forum; you need to read the first post of the topic and report the requested information there or here: the MAC address of the network device.
     ---
     If STOPDecrypter can't recover your files, then note that it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter: https://kb.gt500.org/stopdecrypter
     Also, while most ransomware programs will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt.
     It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
  21. You have provided very little information ...
  22. At the moment there are no free decrypters for Sodinokibi Ransomware. This Ransomware is still being studied. There are several different variants. I described its early version in April, but have not yet completed the information. It differs little from the first sample, except for new text on a blue background.