Jump to content


  • Posts

  • Joined

  • Last visited


0 Neutral
  1. have you tried their decryptor on their page?: https://decrypter.emsisoft.com/ there's a 'how to use' guide. don't format the machine yet!
  2. Try looking through these guys' decryption page: https://decrypter.emsisoft.com/ You may be able to identify yours there.
  3. First one on thier decryptor page: https://decrypter.emsisoft.com/ Hope you guys haven't formatted the infected machine yet (as I did!). If so, the files are gone. The virus makes a .db file on the infected workstation that contains the missing data and decryption keys of each file in ruins. If you've wiped the machine, that .db file is gone along with any hope of recovery.
  4. An additional question, and please pardon me if my nomenclature is off. Is NemucodAES known to worm (if i'm using that correctly)? The workstation that was hit, did damage a few dozen (60 or so) files on a shared network folder. The workstation has been formatted, reinstalled. We are still picking through and replacing affected network files. Should I be concerned that it could become active from the network machine? Or was active software removed when I formatted the workstation? Two weeks now since the attack, and there has been no sign of additional activity, but I thought I would ask in case some dormant period is typical.
  5. Thank you for your input. Now I can confidently release my last sliver of hope and move on. I've learned much from this. I appreciate everyone here's contribution to battle. Best of luck, Paul
  6. So you believe that it is the new variant NemucodAES then? It all hinges on the diagnosis doesn't it.
  7. I see on the https://decrypter.emsisoft.com/ page the NemucodAES showed up today. This seems quite similar to what hit us. The visual formatting of the ransom note is identical, but there are a couple differences in the note content (e.g. the bitcoin amounts, the browser links, etc.). I've gone through the other ransom ware descriptions on that page and nothing matches exactly. The couple that don't rename affected files, seem to have very different looking ransom notes than ours. (Are major ransom note differences that conclusive?) Yeesh, I hope it's not NemucodAES as we already formatted the workstation (AAAHHHHHH...!!!!). But assuming it is for moment: At this point it is files in a mapped server folder that we wish to decrypt. Would the decryption key and data from these files still be on the infected workstation? And so lost to me? EDIT: I believe I've answered the 2nd question. Numerous "Thumbs.db" are the only *.db files on the server. I doubt it's any of those. Just grasping at this point really. The first question regarding ransom note differences remains.
  8. Hello Gracious Emsisoft Folks, Virus hit a workstation Friday (Jan 07 '17) via email .zip attachment. It encrypted the workstation and several mapped-drive server files. At this point: Workstation has been formatted and received fresh installs of OS, etc., unfortunately before we knew to grab any file the virus may have left on the desktop. The virus did not rename the corrupted/encrypted files Several encrypted files on server have been archived in their current, unfortunate state and are ready for decryption attempts. Attached is a pic of ransomware note that popped up on the workstation. I still have the original offending email, with the .zip attachment, in my email software's (Thunderbird) "trash" folder. I tried to upload a pair of files (one encrypted and one not encrypted) to this post although the encrypted file's upload failed A local outfit identified it as Nemucod, somehow based on the attached screen shot. They pointed me towards your Nemucod decryptor, but I did not have success ( the "no key found" message blossoms). It seems the local folks could be wrong on the identification though as your decrypt page states that Nemocod renames with a *.crypted suffix, and this was not the case with my files. I haven't yet tried the identification tools your "first steps" page recommends because: https://www.virustotal.com/: I don't confidently know a safe way of re-acquiring the "suspicious files" from the email attachment to my hard drive https://id-ransomware.malwarehunterteam.com/ : The ransom note they need has already been formatted away from the affected workstation I very much appreciate any help you can offer. I look forward to supporting you in any way I can. Best Regards, Paul
  • Create New...