Kevin Zoll

Emsisoft Employee
Posts posted by Kevin Zoll


  1. @MIULER

    MOSK is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the MOSK variant of STOP/DJVU.

    NOTE:  We have added Offline IDs for newer variants of the STOP/DJVU family of ransomware.  If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.

    To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  2. Hello @AllMyPhoto,

    Welcome to the Emsisoft Support Forums.

    Your Personal ID is an Online ID. Our tool cannot decrypt the files because it cannot find a private key that matches the file ID for your files. Encryption keys for Online IDs are generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys, only the criminals do.


  3. @Mr.Mad95154 adding IDs is not that simple. First, we have to be in possession of the matching decryption key. If it is an Online ID, only the criminals have the corresponding decryption key and we do not have access to those. As far as Offline IDs are concerned, those get added when someone graciously supplies us with a decryption key matching an Offline ID.


  4. Let's make sure of what we're dealing with.

    Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note simultaneously for proper identification, and send me the information it provides:

    https://www.emsisoft.com/ransomware-decryption-tools/

    Please be sure to read the information link on the results page, as to whether we have a decrypter or not; sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.

    You might try using undelete software such as Recuva from Piriform, or if your files are very important, it may be worth talking to a company that specializes in negotiating with the criminals that created the ransomware, such as Coveware, at https://www.coveware.com/. They are one of the few companies that do this completely transparently and honestly.

    If the identification process shows ransomware that is not decryptable, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.


  5. There was an issue with reading the settings INI properly with EAM. Version 2020.2 addressed that bug. However, it did not reset the "Start on Windows Startup" value. This required a hotfix that was pushed a few hours ago that specifically addresses the startup bug. That required EAM services to be restarted. Once everything restarted properly, EAM's status was properly detected and shows green.


  6. 3 hours ago, jrozasv said:

    How can I donate to you??! What can I buy from you in order to keep my PC safe?

    We do not accept donations for our work.  If you wish to purchase Emsisoft Anti-Malware a link is in my signature.

    3 hours ago, jrozasv said:

    @Kevin Zoll can I run 2 instances of the decryptor?

    You can run the decrypter as many times as needed.  However, if there is no key for the files it will not be able to decrypt those files.


  7. Hello @Shiladitya Dey,

    Welcome to the Emsisoft Support Forums.

    The ID you supplied is an online ID, meaning that the files cannot be decrypted. An online ID means that your encryption key was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.

    There is more information available at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/


  8. Hello @mohammadali_149

    Thank you for contacting Emsisoft Support.

    KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU.

    To download the STOP/DJVU decryption tool, visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  9. @Vicky

    I'm not seeing anything malicious in the FRST reports. There are some minor issues that should be addressed.

    Copy the below code to Notepad. Save As fixlist.txt to your Desktop.


    S2 MBAMInstallerService; C:\Users\Vicky\AppData\Local\Temp\MBAMInstallerService.exe [5224144 2020-01-27] (Malwarebytes Inc -> Malwarebytes) <==== ATTENTION
    S1 fsuntrqk; \??\C:\WINDOWS\system32\drivers\fsuntrqk.sys [X]
    ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} =>  -> No File
    ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} =>  -> No File
    FirewallRules: [{8120D0A3-B879-423E-B34F-66DC6B1BC843}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
    FirewallRules: [{2DA15E6F-F9D4-4B7A-85C1-44DC6ECCD30F}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
    FirewallRules: [{9B1D43E2-39DC-4B82-A8F1-AC624CAA7B76}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
    FirewallRules: [{7E56B557-EA3F-4193-91CB-09157A4901F0}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
    FirewallRules: [{B74FF42E-CD71-4EC6-BB77-40F98B5A61DD}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
    FirewallRules: [{56BE0716-43C7-4CB4-A2F6-071DEA731021}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
    FirewallRules: [{ACAE2957-F8DB-435B-B108-FA186577F60D}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
    FirewallRules: [{A62D2840-6868-4A4F-BA28-6E7029002D4C}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File


    Close Notepad.

    NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

    NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

    IMPORTANT: Save all of your work, as the next step may reboot your computer.

    Run FRST and press the Fix button just once and wait.

    If the tool needed a restart, please make sure you let the system restart normally and let the tool complete its run after restart.

    The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.

    NOTE: If the tool warns you about an outdated version, please download and run the updated version.

    Also, let me know how the machine is running now, and what remaining issues you've noticed.