Kevin Zoll

Emsisoft Employee

Posts posted by Kevin Zoll


  1. Hello @shyam punjabi,

     

    Welcome to the Emsisoft Support Forums.

    NOSU is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID; anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the NOSU variant of STOP/DJVU.

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

     

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  2. Hello @Ricardo Landivar,

     

    Thank you for contacting Emsisoft Support.

    NPSG is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID; anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the NPSG variant of STOP/DJVU.

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

     

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  3. Thread Closed

     

    Reason: Resolved

     

    PM either Kevin, or Arthur to have this thread reopened.

     

    The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

     

    All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE.  If you don't, we are just going to send you back to this thread.


  4. Thread Closed

     

    Reason: Resolved

     

    PM either Kevin, or Arthur to have this thread reopened.

     

    The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.

     

    All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE.  If you don't, we are just going to send you back to this thread.


  5. Hello @GENILDO

    Thank you for contacting Emsisoft Support.

    KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID; anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU.

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

     

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  6. Quote

     

    Hi Kevin,
     
    Thank you for your support.  I have cleared the cache in Firefox for both the administrator user and the restricted user.  I have also used my laptop today and I am not aware of anything strange going on.
     
    However, I have tried to delete the trojans which are stored in Emsisoft's Quarantine, but the DELETE and RESTORE buttons are greyed out and I can't find a way to get them to become responsive.  I have also looked at trying out the Network lockdown switch, but again if I hover over the OFF switch the cursor doesn't change shape into a hand and it won't switch on by clicking on it.  In fact apart from the SCAN facility virtually every button/switch on the Emsisoft Dashboard whether ON or OFF or Greyed out won't work.  Is this to prevent customers tampering with the selections or is there a problem?
     
    Kind Regards
     
    Ian

     

    Ian,

    Please do not respond to the email notification, as it is not connected with our forum software and we normally will not see your reply.  Emsisoft is most likely locked down with a password and has restrictions preventing someone without permissions from altering settings and deleting stuff that they are not allowed to delete.  Unless you know the admin password to EAM or are running it from an admin account, you will not have access to those options.


  7. @Amr Zizo

    The personal ID in the ransom note is an Online ID, which means that your files cannot be decrypted using that ID.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID; anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the NOSU variant of STOP/DJVU.

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

     

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


    KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Despite that, I would like for you to run the STOP/DJVU decryption tool anyway.  That will accomplish a couple of things.  First, it will deactivate and remove any malware that was installed by the ransomware.  This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup.  Second, the decryption tool will determine the ID of the encrypted files.  Any ID ending in t1 is an Offline ID; anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

     


    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU.

    Any hacker telling you they can decrypt your files is either lying or they are the ones who encrypted your files in the first place.  This variant makes use of the RSA encryption algorithm.  If implemented correctly and it is at least 1024-bit encryption, it is unbreakable using today's technology.  Theoretically, RSA-1024 is breakable, but none of us will still be alive when it is successfully broken.

    To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu

     

    Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.


  9. @Joker(Whysoserious?)

    TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Any ID ending in t1 is an Offline ID; anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.


  10. Hello @iantot,

     

    Thank you for contacting Emsisoft Support.

     

    8 hours ago, iantot said:

    No key for new variant online id 0dJyaOI3Y3g08AdTexGrHx33A64BOGsGMoRuXim6, Notice: this ID appears to be an online ID, decryption is impossible

    That is not an error.  Our decryption tool was unable to find a decryption key for that ID.  An Online ID means that the file(s) were encrypted with an encryption key that was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.  We do not have access to those encryption keys and therefore they are not in our database of encryption keys.


  11. @Reggia99

    There are a few different IDs in that log, both online and offline.  The ones with an Offline ID may be able to be decrypted in the future; we just do not have a decryption key for that ID in our database at this time.  For the files with Online IDs, there is nothing that can be done at this time.  Run the decrypter every couple of weeks or so, in the event that we have added the Offline key in your log to our database.
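    The ID rule stated in the replies above (an ID ending in t1 is an Offline ID, anything else is an Online ID), the decrypter log line quoted in reply 10 and the mixed online/offline log in reply 11 lend themselves to a small triage helper that groups encrypted files per ID and tells a victim which group can only wait for a key and which cannot be helped at this time. The Python below is an added example written for this page; it is not Emsisoft's decrypter or any of its code. The "<path>: <message>" layout of the sample log, the wording of the offline lines and all file names and offline IDs are constructed assumptions; only the first two sample lines are modelled on the log line quoted in reply 10.

```python
import re
from collections import defaultdict

# Constructed sample of decrypter-style log output (not real tool output).
# The two "online id" lines copy the wording quoted in reply 10; the
# "<path>: <message>" layout, the offline-line wording, the file names and
# the two offline IDs are assumptions made for this example.
SAMPLE_LOG = r"""
STOP/DJVU decrypter log (constructed sample)
C:\Users\ian\Documents\report.docx.nosu: No key for new variant online id 0dJyaOI3Y3g08AdTexGrHx33A64BOGsGMoRuXim6, Notice: this ID appears to be an online ID, decryption is impossible
C:\Users\ian\Documents\budget.xlsx.nosu: No key for new variant online id 0dJyaOI3Y3g08AdTexGrHx33A64BOGsGMoRuXim6, Notice: this ID appears to be an online ID, decryption is impossible
C:\Users\ian\Pictures\IMG_0001.jpg.nosu: No key for new variant offline id bYqEsxT3hAJvCfkZgLHQmP4dRnK9uWwX2Vo7Sat1
D:\Backups\archive.zip.nosu: No key for new variant offline id bYqEsxT3hAJvCfkZgLHQmP4dRnK9uWwX2Vo7Sat1
D:\Backups\photos2019.zip.nosu: No key for new variant offline id kM3pZrCdNfQ8wXsHvLjTbEuGyRaIoVe5Kn2Dqit1
Decryption finished.
"""

# The ID is the long alphanumeric token that follows the word "id" in a log
# line. The length floor keeps the phrase "this ID appears" from matching.
ID_RE = re.compile(r"\bid\s+([A-Za-z0-9]{20,})", re.IGNORECASE)


def classify_id(victim_id: str) -> str:
    """Rule from the replies: an ID ending in 't1' is an Offline ID,
    anything else is an Online ID."""
    return "offline" if victim_id.endswith("t1") else "online"


def parse_log(text: str) -> dict:
    """Map every ID mentioned in the log to the set of files reported under it.
    One system can carry several IDs (interrupted C2 contact, staged
    encryption), so files are grouped per ID instead of assuming one ID
    per machine."""
    files_by_id = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = ID_RE.search(line)
        if not match:
            continue  # header/footer lines carry no ID
        path, _sep, _message = line.partition(": ")  # assumed "<path>: <message>" layout
        files_by_id[match.group(1)].add(path)
    return dict(files_by_id)


def triage(text: str) -> dict:
    """Split the IDs found in a log into offline and online groups and attach
    the action the replies above recommend for each group."""
    actions = {
        "offline": "no key for this ID in the database yet; re-run the decrypter every couple of weeks",
        "online": "nothing can be done at this time",
    }
    result = {"offline": {}, "online": {}}
    for victim_id, paths in parse_log(text).items():
        kind = classify_id(victim_id)
        result[kind][victim_id] = {"files": sorted(paths), "action": actions[kind]}
    return result


if __name__ == "__main__":
    for kind, entries in triage(SAMPLE_LOG).items():
        print(f"== {kind} IDs: {len(entries)}")
        for victim_id, info in entries.items():
            print(f"  {victim_id}  ({len(info['files'])} files)")
            for path in info["files"]:
                print(f"      {path}")
            print(f"      action: {info['action']}")
```

    The same classify_id check can be applied directly to the personal ID taken from a ransom note, which is how reply 7 judged that ID to be an Online ID before the decrypter had been run.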


    The file is most likely a JavaScript file that was downloaded to the browser cache when Firefox loaded it and tried to run it, probably an attempt to compromise your system when you opened the email attachment.  I didn't see any malware in the FRST logs, but there was a lot of orphaned stuff and policy restrictions that are not set by default, which is what I had FRST fix.


  13. Hello @SalasKafa

    Thank you for contacting Emsisoft Support.

    TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool.  Any ID ending in t1 is an Offline ID; anything else is an Online ID.  This is important as it tells us how the encryption key was generated.  There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection.  An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file.  An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.

    Why is this important?  The ID of the file(s) is how private encryption keys are identified.  If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s).  However, this is all contingent on us having a matching private encryption key in our database.  The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.
