Kevin Zoll

Emsisoft Employee
Everything posted by Kevin Zoll

  1. Hello @Gustavo Guerrero, Welcome to the Emsisoft Support Forums. Upload file pairs to https://decrypter.emsisoft.com/submit/stopdjvu/
  2. Hello @ahsan, Welcome to the Emsisoft Support Forums. Upload file pairs to: https://decrypter.emsisoft.com/submit/stopdjvu/
  3. Hello @Veer, Thank you for contacting Emsisoft Support. TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU. NOTE: We have added Offline IDs for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.
     To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  4. If you are getting a message that states the files cannot be decrypted, then they cannot be decrypted. Any file encrypted with an Online ID means that the encryption keys were generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. Only the criminals have access to those keys. @Mr.Mad95154 I don't believe we have a decryption key matching that Offline ID. I suggest running the tool once a week on the chance that we have added the key for that ID.
  5. Hello @Rajitha, Welcome to the Emsisoft Support Forums. We currently are not in possession of a decryption key for that Offline ID. Therefore our decryption tool is incapable of decrypting files matching that ID.
  6. @minhas The decrypter is a standalone .NET executable file; it is not installed. If the tool will not run, make sure that the latest .NET Framework is installed for your version of Windows. All our decryption tools require that .NET Framework version 4.5.2 be installed at a minimum.
  7. If you mean Windows SmartScreen, then you must tell it that FRST is not malicious. You click on "More info" and then allow it. If you mean your browser is blocking it, then tell the browser to allow it. If you are referring to EEK detecting it, that is a false positive. I need the reports from FRST, as EEK shows nothing other than FRST.
  8. Hello @Sammar Abbass, Thank you for contacting Emsisoft Support. REPP is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the REPP variant of STOP/DJVU. NOTE: We have added Offline IDs for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.
     To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  9. The scan came back clean. Everything should be fine.
  10. That key is only for a specific ID. Until he runs the decrypter we have no idea if the files are decryptable or not. My reply also says that we have added offline keys over the past few days.
  11. @MIULER MOSK is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the MOSK variant of STOP/DJVU. NOTE: We have added Offline IDs for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.
     To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu. Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  12. Hello @AllMyPhoto, Welcome to the Emsisoft Support Forums. Your Personal ID is an Online ID. Our tool cannot decrypt the files because it cannot find a private key that matches the file ID for your files. Encryption keys for Online IDs are generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys; only the criminals do.
  13. Can you send me the log report from the decrypter? I will get the developer to take a look.
  14. @Mr.Mad95154 adding IDs is not that simple. First, we have to be in possession of the matching decryption key. If it is an Online ID, only the criminals have the corresponding decryption key, and we do not have access to those. As far as Offline IDs are concerned, those get added when someone graciously supplies us with a decryption key matching an Offline ID.
  15. Let's make sure of what we're dealing with. Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note simultaneously for proper identification, and send me the information it provides: https://www.emsisoft.com/ransomware-decryption-tools/ Please be sure to read the information link on the results page, as to whether we have a decrypter or not, sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery. You might try using undelete software such as Recuva from Piriform, or if your files are very important, it may be worth talking to a company that specializes in negotiating with the criminals that created the ransomware, such as Coveware, at https://www.coveware.com/. They are one of the few companies that do this completely transparently and honestly. If the identification process shows ransomware that is not decryptable, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
  16. There was an issue with reading the settings INI properly with EAM. Version 2020.2 addressed that bug. However, it did not reset the "Start on Windows Startup" value. This required a hotfix that was pushed a few hours ago that specifically addresses the startup bug. That required EAM services to be restarted. Once everything restarted properly EAM's status was properly detected and shows green.
  17. Sometimes we do not see the service interruption, or it could be taking too long to respond. Error 403 is an HTTP response code meaning the connection is refused as forbidden. No idea why that happened.
  18. We do not accept donations for our work. If you wish to purchase Emsisoft Anti-Malware a link is in my signature. You can run the decrypter as many times as needed. However, if there is no key for the files it will not be able to decrypt those files.
  19. @Vicky Run our decryption tool again; we added several offline keys over the past few days. You might get lucky and one might be a match.
  20. @guri @jrozasv We recently added offline keys for ALKA and REPP. Run the STOPdjvu decrypter again.
  21. @SalasKafa If the connection is lost for any reason, then that could trigger the error you got.
  22. Hello @btosinfected2020, Welcome to the Emsisoft Support Forums. What is the ID that our decryption tool identified? If it is an Online ID, then we are not able to decrypt the files, as we are not in possession of online encryption keys.
  23. As stated in my original post, this variant is not supported by our decryption tool. I had you run the tool for the sole purpose of deactivating and removing any malware installed by STOP/DJVU.
  24. It's always possible. We added two offline keys over the weekend. It really depends on whether or not we are given the key by someone who has paid the ransom.