Kevin Zoll

Emsisoft Employee
Everything posted by Kevin Zoll

  1. Thread Closed. Reason: Resolved. PM either Kevin or Arthur to have this thread reopened. The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system other than the one they were written for could result in damaging the Operating System beyond repair. Do not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist. All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE; if you don't, we are just going to send you back to this thread.
  2. Hello @sulaiman, Welcome to the Emsisoft Support Forums. The ID in the ransom note is an Online ID, meaning that our tool more than likely cannot decrypt your files. However, your files could have several different IDs. Please run our decryption tool anyway. To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
  3. Hello @GENILDO, Thank you for contacting Emsisoft Support. KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU. To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  4. Yes, go ahead and scan them and if there is something there or the computer gets infected, I will help you clean it up.
  5. @igor71 If the Kaspersky tool linked to in this article is unable to decrypt your files, then it is not possible to decrypt them. https://www.bleepingcomputer.com/news/security/free-decryption-tool-released-for-cryakl-ransomware/
  6. Yes, you should connect the external hard drive and scan it with EEK. Whenever connecting an external drive that is suspected of being infected, you also run the risk of reinfecting your system.
  7. @test Your IDs are Online IDs and cannot be decrypted using our tool. @shiva Only the criminals have the private decryption keys for Online IDs; we do not have access to those.
  8. You are welcome. Happy to be of assistance. Is there anything else I can help you with?
  9. You are welcome. Happy to be of assistance. Is there anything else I can help you with?
  10. Hello @ROSARIO, Welcome to the Emsisoft Support Forums. Your logs show no malware. Unless we are alerting on the Mozilla Firefox uninstaller, this is an issue that should be taken up with Mozilla.
  11. Ian, Please do not respond to the email notification, as it is not connected with our forum software and we normally will not see your reply. Emsisoft is most likely locked down with a password and has restrictions preventing someone without permissions from altering settings and deleting things that they are not allowed to delete. Unless you know the admin password to EAM or are running it from an admin account, you will not have access to those options.
  12. @Amr Zizo The personal ID in the ransom note is an Online ID, which means that your files cannot be decrypted using that ID. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the NOSU variant of STOP/DJVU. To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  13. KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU. Any hacker telling you they can decrypt your files is either lying or they are the ones who encrypted your files in the first place. This variant makes use of the RSA encryption algorithm. If implemented correctly and it is at least 1024-bit encryption, it is unbreakable using today's technology. Theoretically RSA-1024 is breakable, but none of us will still be alive when it is successfully broken.
     To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  14. @Joker(Whysoserious?) TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.
  15. Hello @iantot, Thank you for contacting Emsisoft Support. That is not an error. Our decryption tool was unable to find a decryption key for that ID. Files encrypted with an Online ID were encrypted with an encryption key that was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those encryption keys, and therefore they are not in our database of encryption keys.
  16. @Reggia99 There are a few different IDs in that log, both online and offline. The ones with an Offline ID may be able to be decrypted in the future; we just do not have a decryption key for that ID in our database at this time. For the files with Online IDs, there is nothing that can be done at this time. Run the decrypter every couple of weeks or so, in the event that we have added the Offline key in your log to our database.
  17. The file is most likely a JavaScript that was downloaded to the browser cache when Firefox loaded it and tried to run it, probably an attempt to compromise your system when you opened the email attachment. I didn't see any malware in the FRST logs, but there was a lot of orphaned stuff and policy restrictions that are not set by default, which is what I had FRST fix.
  18. Hello @SalasKafa, Thank you for contacting Emsisoft Support. TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.
  19. @Reggia99, the STOP log shows that IDM is managing the STOP Decrypter's connection to our servers. I would like for you to run another tool. Download AdwCleaner and save it on your Desktop. Close all open programs and Internet browsers (you may want to print out or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on the Scan button. After the scan has finished, click on the Clean button. Confirm each time with OK. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your Desktop. Attach that log file to your reply. NOTE: If you lose that log file for any reason, you can find it at C:\AdwCleaner on your computer.
  20. Hello @Obi, Welcome to the Emsisoft Support Forums. Thank you for contacting Emsisoft Support. REHA is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files. Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s), then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the REHA variant of STOP/DJVU. To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
  21. Hello @dfarn26, Thank you for contacting Emsisoft Support. This is very likely DHARMA(CrySiS). Unfortunately, there is no way to decrypt your files using third-party tools.
  22. That variant is newer as well and not supported by our decryption tool. This advice applies to .topi as well.
  23. Uninstall Internet Download Manager. You are using a cracked version anyway and some of its files have been encrypted.
  24. That is an Online Key. The decryption key for that ID is in the possession of the cyber-criminal responsible for encrypting your files. It is not possible to decrypt your files using third-party decryption tools.