
Amigo-A

Visiting Expert
  • Posts: 2343
  • Joined
  • Last visited
  • Days Won: 61
Everything posted by Amigo-A

  1. Hello. Your files are encrypted with the new STOP Ransomware variant with the extension .kiratos. This STOP Ransomware, to our general pity, has been successfully attacking users around the world for 1.5 years already... Decrypting files in some cases is possible with the efforts of Demonslay335 (developer of STOP Decrypter). You need to read the important information at the link. In the next topic, another user has already received a solution to the problem. He got lucky. This is not always possible. Demonslay335 can help some people now, but helping everyone is unrealistic, to our general regret. Demonslay335 has updated STOPDecrypter for new variants.
  2. It is not enough to know only the extension. This extension is added to encrypted files by two known ransomware families (e.g. Paradise and GlobeImposter). To say it more precisely, you need to attach the ransom note and several encrypted files to your message, or upload them through the service www.sendspace.com. We will look at your files and inform you more accurately.
  3. Hello. It is a pity that this happened... You need to attach a ransom note and a few encrypted doc, jpg, png files to your first or new post.
     ----------------------------------------------
     Let's also clarify:
     Does the extension look like this? - .ETH
     Do the encrypted files look like this? - original_filename.id-XXXXXXXX.[[email protected]].ETH
     Under XXXXXXXX are letters and numbers.
     If so, this means that the files are encrypted by Dharma Ransomware. Read more:
     This '.id-XXXXXXXX.[phobos.encrypt@qq.com].ETH' is added to your files
     This 'XXXXXXXX' is your ID as a victim of the Ransomware
     This 'phobos.encrypt@qq.com' is an address of the extortionists
     This '.ETH' is the ending extension for your encrypted files
     This '.id-XXXXXXXX.[phobos.encrypt@qq.com].ETH' is a compound extension for your encrypted files
     This is the general pattern of Dharma Ransomware .id-<id>.[<email>].ETH for encrypted files of the version with extension .ETH
     This is the pattern of Dharma Ransomware .id-<id>.[phobos.encrypt@qq.com].ETH for your encrypted files
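As an added example (not Amigo-A's code or the forum's), a small Python triage helper that applies the Dharma naming pattern described in the post above to a directory listing: it pulls out the victim ID, the extortionists' address and the campaign extension, and groups files by address and extension so the correct ransom note can be paired with an encrypted file before uploading to ID Ransomware. The sample listing, victim ID and file names are constructed; the address is the one quoted in the post.

```python
import re

# Dharma compound extension, as described in the post:
#   original_filename.id-XXXXXXXX.[extortionist@address].EXT
# XXXXXXXX is the victim ID (letters and digits); EXT is the campaign extension (.ETH here).
DHARMA_PATTERN = re.compile(
    r"^(?P<original>.+?)"                 # original name, including its own extension
    r"\.id-(?P<victim_id>[A-Za-z0-9]+)"   # victim ID assigned by the ransomware
    r"\.\[(?P<email>[^\[\]]+)\]"          # extortionists' contact address in square brackets
    r"\.(?P<ext>[A-Za-z0-9]+)$"           # campaign extension, e.g. ETH
)


def parse_dharma_name(filename):
    """Return the parts of a Dharma-style file name as a dict, or None if it does not match."""
    m = DHARMA_PATTERN.match(filename)
    if m is None:
        return None
    return m.groupdict()


def triage(filenames):
    """Group matching files by (email, ext) so one ransom note can be paired with one sample.

    Files that do not follow the pattern (untouched files, other families) are skipped.
    Two different keys in the result point to a multi-encryption case: two campaigns,
    each needing its own note/file pair.
    """
    groups = {}
    for name in filenames:
        parsed = parse_dharma_name(name)
        if parsed is None:
            continue
        key = (parsed["email"], parsed["ext"])
        groups.setdefault(key, []).append(name)
    return groups


# Constructed sample listing (not real victim data): the victim ID and file names are made up.
SAMPLE_LISTING = [
    "report.docx.id-1A2B3C4D.[phobos.encrypt@qq.com].ETH",
    "photo.jpg.id-1A2B3C4D.[phobos.encrypt@qq.com].ETH",
    "notes.txt",  # untouched file, must be ignored
]

if __name__ == "__main__":
    for key, files in triage(SAMPLE_LISTING).items():
        print(key, len(files), "file(s)")
```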
  4. Hello. Your files are encrypted with the new STOP Ransomware variant with the extension .kiratos. This STOP Ransomware, to our general pity, has been successfully attacking users around the world for 1.5 years already... Decrypting files in some cases is possible with the efforts of Demonslay335 (developer of STOP Decrypter). You need to read the important information at the link. Also attach a ransom note and a few encrypted doc, jpg, png files to your first or new post.
  5. According to the standard procedure, you also need to upload a copy of every ransom note along with an encrypted file to ID Ransomware, so that you can verify which ransomware you are dealing with, at this site: https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results if you would like us to review them and compare. Sometimes different or incorrect results are possible, because attackers try to deceive ID Ransomware. Therefore, in the case of multiple encryptions, it is important to use the correct pair: a ransom note and an encrypted file. I will help you with this.
  6. Hello. It is a pity that this happened... I know that the extortionists who use this email and this extension previously extorted money in other ransomware projects. Where they do it now, I can only guess... With your help we will find it out. You need to collect the different versions of the ransom notes, if you have suffered from 2-3 encryptors. You also need to collect different encrypted files with different extensions and endings in the name (2-3). Attach everything I listed to your post. We will look at this to advise you on some solution.
  7. You can also upload a copy of every ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/ But the result will be the same link to the BleepingComputer forum, because the victims' requests are initially collected there. Demonslay335 will also receive your information if you leave it here.
  8. Hello. Yes, there was a malfunction and some messages could have been lost. Fortunately, the forum was promptly restored. Your files are encrypted with the new STOP Ransomware variants with the extensions .verasto and .hrosas. This STOP Ransomware, to our general pity, has been successfully attacking users around the world for 1.5 years already... Decrypting files in some cases is possible with the efforts of Demonslay335 (developer of STOP Decrypter). You need to read the important information at the link.
  9. It seems some of our messages from yesterday are gone after the message about the failure on the forum. I am restoring the content that remains in my mail so that the meaning of the conversation is clear.
     I wrote... I can supplement the information, as I have observed the development of this ransomware project from the very beginning and from previous versions. If your files were encrypted with the original Amnesia or Amnesia-2 Ransomware, then they can be decrypted with free Emsisoft tools. If your files were encrypted with the Scarab-Amnesia Ransomware before June 18-19, 2018, they can be decrypted. [I gave this 'Scarab-Amnesia' name to this ransomware, but other sites may borrow it for their own purposes, forgetting to make references to the original source.] But, to our regret, there is no free decryptor; there is only a decryption method that DrWeb offers: a free test check and the subsequent payment of 150 euro for a Rescue Package with a personalized decryption, which does not work for other victims. Later versions cannot be decrypted in the same way, since the version of the criminal encoder has been updated and the encryption method has changed. If you view the encrypted file using Notepad, then at the end you will see a code that is different from earlier versions.
     ------------------------
     3AVIT replied... Thanks Amigo. All of your work on this ransomware is much appreciated. I am already down the path, talking with Emmanuel and seeing if DrWeb will work for us. Again, much appreciated. I will keep everyone in the loop.
     ------------------------
     I replied... I hope for a good result together with you.
  10. I thought so, the extension "onwsfp" seemed too random.
  11. Hello, ozgarson. The link 'tinypic .com' does not open for me; here, attachments are also not available for download. This is a previously missed variant of STOP Ransomware. Write me part of your ID from the note, the first 5 characters of the ID, so that I can confirm and add the version. Or send the whole ransom note and 2 encrypted files through the service www.sendspace.com and copy the download link here or in a PM. Previously, we did not have this variant of STOP Ransomware. It is not new, but further research can help in decrypting. I already told the developer of STOP Decrypter about this variant to confirm the info.
  12. But where to find them, what paths they take, I do not know. 😃 I know that this is a fact and they sell the decryptors for any version, but this is all the information. I also heard that they were looking for wholesale buyers. Among those offering services for a fee there may be fraudsters, so I warned you: be careful.
  13. We do not know about free decryption of files encrypted by this ransomware. But sometimes people appear on the horizon who have left this ransomware project and can decrypt files for a lesser amount than the one requested by the extortionists. I don't know if they can be trusted, so be careful.
  14. This is Dharma Ransomware. Michael and Jakub reported it on April 10th.
  15. This is a new variant of STOP Ransomware. Demonslay335 (dev of STOPDecrypter) collects information from victims in the main STOP Ransomware support topic or on Twitter.
  16. pk24, hello. Both here and there... 😃
      GT500, yes, it is real. We call it WDM or DCRTR-WDM Ransomware. This ransomware is not new, because we found and identified it back in November last year. Michael also added it to IDR. ID Ransomware knows the original DCRTR Ransomware and DCRTR-WDM as Dcrtr Ransomware. After that, DCRTR-WDM has changed several times. There are samples in my article, also via the link from pk24 and via another link in the topic on BleepingComputer.
      New link to the archive with exe files of WDM Ransomware: https://www.sendspace.com/file/khxctl
      The main EXE file in the archive is the file svchost.exe23.
      -------------------------------------------------------------
      I hope that after a detailed study of these samples by analysts, the detection on VT will be more recognizable. And maybe Emsisoft will work out how to return the files to the victims.
  17. Michael (dev of ID Ransomware) has already received a message from me and a link to this topic and has already tweeted.
  18. If this did not happen on the same day, then by the modification date of the files you can determine the days of the attack. Analysis of the date of the attack can help identify the weak link (who was working at the PC?) and properly configure the PC's protection for the future. If only you work at the PC, then you need to install a comprehensive anti-virus product (e.g. an Internet Security suite on a 1-month trial) in order to remove the remaining virus files and protect the PC from new attacks. If there is an unnamed anti-virus on your PC and no one disabled it before the attack, then you need to get rid of it as soon as possible. AV protection that cannot protect the user's files from attacks from outside, and even from his own wrong actions and from illegitimate programs, does not have the right to be on this PC.
  19. Hello. It is a pity that such a thing happened.
      Instructions with your files.txt is a note from Paradise Ransomware.
      The extension _c3tfsp_{[email protected]}.sambo is added by Paradise Ransomware.
      UQSNORZLPD-MANUAL.txt is a note from GandCrab 5.2 Ransomware.
      The extension with 10 characters, .uqsnorzlpd, is added by GandCrab 5.2 Ransomware.
      Looking at the screenshots, I can see that first your files were encrypted by Paradise Ransomware, and then the files were encrypted by GandCrab 5.2 Ransomware.
  20. Hello. It is a pity that such a thing happened. I can look at these files, but I cannot download attachments from your message. Send these two ransom notes to www.sendspace.com and give us the download link. And please replace the two non-informative encrypted ini files with txt, doc, jpg, png files.
  21. This is a new variant of STOP Ransomware (Djvu group). Yesterday there were several requests for help in the STOP Ransomware Support topic (this is the general description in the Digest) with the norvas extension. This has already been added to ID Ransomware. Therefore, after uploading the ransom note and the encrypted file, you will receive a link to the same support topic.
  22. Yes. Therefore, I trust Google's auto-translation of the text on my sites into English, because it knows more words and rules in English than I do. But I know more words, phrases, lexical rules and dialects, and I have a larger vocabulary, in Russian.
  23. Yes. In this case there is only a small light at the end of the tunnel. At first there was only my one article about MegaLocker Ransomware with several variants, then a topic on the BC forum, then a topic on this forum, and now an article on the BC website. Victims should somehow unite in this matter and connect law enforcement, because without technical specialists and the equipment vendors' technical support services, this question cannot be solved. This vulnerability will continue to be exposed to attacks and ransomware will continue to encrypt information on your NAS devices. With the forces of freelancers and AVers alone, it cannot be stopped.
  24. mahmo, a pair of files (encrypted and original) is not needed for new versions of STOP Ransomware.
  25. mahmo, in this case we only help the victims who were attacked by this ransomware and simplify data collection for Michael (dev of STOPDecrypter). Now STOP Ransomware is the most active malware and crypto-ransomware. The scale of its spread: all countries.