

Everything posted by Amigo-A

  1. This is a new variant of STOP Ransomware (General description of all variants of STOP Ransomware + Translation into English). Support topic on Bleeping Computer >> The STOPDecrypter is not yet configured for this variant. Wait for the news.
  2. GT500, the correct spelling of the ID - v.029 - .adobee - 43 chars 029jomWJWUJx4MOBq1Tv6LfpSNsowxcHs0IMMsDHhpa /// it was also the same 43 chars in v.028 - .adobe /// later there was a change in the length of the ID
  3. No. This is not entirely true. This is the oldest service. More than 10 years, at least. I don't remember who started to provide it before. At first it was free tools and we could download them. Over time, as you know, coders became more difficult and shrewd. The computing power of computers and employees cannot always be used without payment. They offer help to anyone who wants to get this help. Users send files, specialists check if they can decrypt them, then inform the users that the files can be decrypted. When a user pays for a recovery package, he receives a personalized decryptor (decoder). How much does this service cost? The actual decryption by Dr.Web experts is free, but to get the decryption key and decrypt all files, you need to get a Rescue Pack (rescue package), which includes Dr.Web Security Space's licensed anti-virus protection for 2 years. For users from Russia, the package price is 5299 rubles, and for foreigners - 150 € (euro). The service without the rescue package of Dr.Web is not available. I personally have nothing to do with this. Any of my help to those who are affected by Ransomware is provided without any conditions and free of charge.
  4. Before attempting to restore files you need to remember important conditions for data recovery:
     - the program that will restore the data must be on another disk;
     - the disk on which the program will run should have a lot of free space;
     - the disk from which you want to recover data must be connected to the PC as a second disk;
     - the PC that does the data recovery will work for many hours without shutting down.
  5. If the topic-starter or other victims see this topic again: variants of STOP Ransomware with the extensions .DATAWAIT, .INFOWAIT can be decrypted by Dr.Web on a private request.
  6. Hello. Researchers are still hunting the malware sample for the new variant of BigBobRoss Ransomware, which encrypts files with the .djvu extension. Keep track of your topic at least once a week. If the sample is found and examined, the Emsisoft Decrypter for BigBobRoss will be updated.
  7. For this case, a new version of the decrypter may help. Use the new STOPDecrypter https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip /// If it doesn't help, you need to tell Demonslay335.
  8. This extension was used by Locky Ransomware in a version dated August 17, 2017
  9. For this case, there may be a real solution. Files are encrypted with STOP Ransomware with the extension .promok. Use the STOPDecrypter https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip /// If it doesn't help, you need to tell Demonslay335.
  10. For this case, there may be a real solution. It is strange that there was no answer. Files are encrypted with STOP Ransomware. Use the STOPDecrypter https://download.bleepingcomputer.com/demonslay335/STOPDecrypter.zip /// If it doesn't help, you need to tell Michael.
  11. This STOP Ransomware has a special file delself.bat for self-deletion after encryption, but there may be several active malware on the PC, including different versions and different types. We observed a case of three different Crypto-Ransomware working simultaneously. A victim, without thinking about the situation, launched various hacked programs and they encrypted the files in real time, each according to its own plan. As a result, all files were encrypted several times and had different extensions with repetitions. Is it necessary to say that deciphering such a "crypto porridge" is unrealistic?
  12. The full list of addresses is in my article about STOP Ransomware under the spoiler - Update of March 1, 2019. But the list may change. You can check for a modified file by trying to open these sites:
     - www.emsisoft.com - this you have already opened, if you are still here
     - www.windowsupdate.com
     - www.microsoft.com
     - www.ds.download.windowsupdate.com
     - www.update.microsoft.com
     - www.virustotal.com
     - www.drweb.com
     - www.eset.com
     - www.comodo.com
     - www.mcafee.com
     If all these sites open in your browser, then the hosts file has not been modified. This image is only part of an extensive list. At the beginning of March there were 502 addresses, with repetitions with www and without www. I checked the file from yesterday's variants with the extension .proden. This hosts file has not changed. But there are already new variants. I have not received any samples yet. This infection is very active. The extortionists act brazenly and are not afraid of anything. Perhaps something else will be added now.
  13. It's simple, but I am not a support representative. According to the rules of any forum, only support representatives should do this. The forum support service representatives will advise you on how to check the PC for the presence of an active infection.
  14. If the identifier of the encrypted files is still changing, then perhaps the malicious file is still in the system. Moreover, it is necessary to check and reset the hosts file. All known STOP-Djvu variants of the Promo subgroup modify it. Most of the known STOP ransomware attacks occurred due to the use of cracked or repackaged installers of well-known programs, ranging from MS Office to large application programs.
  15. Hello. An earlier description of this Ransomware is available in this article. There in the title there is a link to the translation of the article into English. We collected victims from around the world in this support topic. Freelancers tried to find a solution and even decrypt files. You can compare your case with a lot of others, but so far there is no 100% solution to the problem.
  16. IVect, a new version of STOPDecrypter has been released for your variant extension today. It is possible that this will help you decrypt the files or a big part of them. Link to decrypter >> For all the nuances please contact the developer - Demonslay335
  17. We all hope so. But our hopes and desires do not always find technical realization. 👋
  18. The list of supported extensions and OFFLINE-keys is in the program window. Do not try to decrypt files if the extension is not supported. Michael attached a text file with links to the archive of STOPDecrypter. It is necessary to read it and do as written there. He has 500-600 requests from the victims and does not have time to explain to everyone personally.
  19. I found a message about the variant of Dharma which uses the extension that the topic starter requested. This link to the article. This Tweet. This quote in the article.
  20. Of course. This is true. This has recently allowed Kaspersky Laboratories to add new options to the decryption list, which in the ID list of the Ransomware are collected under one Dharma identification (.cezar Family). Despite this, they differ not only in visual indicators. They are distributed by different groups of extortionists from different countries, not only from Ukraine.
  21. I have good data recovery experience. I would not use such programs. Any free data recovery tools and free versions of such programs can be effective only if you yourself have deleted the files to the Trash and cleared it. If the disk space that the files occupied before encryption was overwritten and/or erased with zeros or garbage, as modern crypto-ransomware do, then even paid versions will not help. Data can be recovered after any attack, and even after minor damage to the disk space. But this requires a hardware and software complex. This method is time consuming, expensive, and hardly a simple PC user will go for it, unless he is a millionaire. I assume that files after MegaLocker Ransomware can be decrypted. So far the work of this Rw is not sufficiently investigated. There are only a few requests in public forums.
  22. For your information: this variant of the Apocalypse Ransomware is described in my article as Apocalypse-Missing Ransomware. In the title of the article there is a link to an English translation. The extortionists switched to a more reliable (for themselves) variant of the attack, which was carried out against the topic starter. I think it can be deciphered if someone takes them up. FW broke all old versions when they were actively distributed.
  23. I read about the decoding of .heets files by specialists from another company, but now I can’t find this message. They said that it was a lighter version of decryption than versions that were already decrypted. But I myself did not see the decoding of this variant.
  24. Kevin Zoll, some versions of Dharma Ransomware (old and new) can be decoded by a free decoder from Kaspersky. https://support.kaspersky.com/10556#block1
  25. If the note says 'MegaLocker Virus', then this is MegaLocker Ransomware (see the link for visual identification). There is no reason, other than the same extension, to consider this as Nemucod Ransomware.
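Posts 12 and 14 above describe STOP/Djvu variants modifying the Windows hosts file so that security-vendor sites no longer open. The following is an added example (not Amigo-A's code) that parses hosts-file text and reports active entries mapping those domains to a sinkhole address; the hosts content it runs on is constructed, and the watched domains are the ones listed in post 12.

```python
# Added example: detect hosts-file entries that sinkhole security-vendor domains.
import re

# Domains from the post, matched with or without the "www." prefix.
WATCH_DOMAINS = [
    "emsisoft.com", "windowsupdate.com", "microsoft.com",
    "ds.download.windowsupdate.com", "update.microsoft.com",
    "virustotal.com", "drweb.com", "eset.com", "comodo.com", "mcafee.com",
]

# Addresses that make a hostname unreachable when placed in the hosts file.
SINKHOLE_IPS = {"0.0.0.0", "127.0.0.1", "::1"}

def _watched(host: str) -> bool:
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host in WATCH_DOMAINS

def find_hijacked_entries(hosts_text: str):
    """Return (line_no, ip, hostname) for every active hosts line that maps a
    watched domain to a sinkhole address. Comment-only and blank lines are
    skipped; one line may carry several hostnames separated by spaces/tabs."""
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = re.split(r"\s+", line)
        ip, names = parts[0], parts[1:]
        for name in names:
            if _watched(name) and ip in SINKHOLE_IPS:
                hits.append((line_no, ip, name))
    return hits

# Constructed sample: a clean default entry plus three STOP-style redirects.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1 localhost
0.0.0.0 www.emsisoft.com emsisoft.com
0.0.0.0 virustotal.com   # added by malware
127.0.0.1\twww.drweb.com
192.168.1.10 intranet.example
"""

if __name__ == "__main__":
    for line_no, ip, name in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```

To check a real machine, pass the contents of C:\Windows\System32\drivers\etc\hosts to find_hijacked_entries; an empty result means none of the watched domains is sinkholed.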