Posts posted by Kevin Zoll
-
Hello @AllMyPhoto,
Welcome to the Emsisoft Support Forums.
Your Personal ID is an Online ID. Our tool cannot decrypt the files because it cannot find a private key that matches the file ID for your files. Encryption keys for Online ID are generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those keys, only the criminals do.
-
Can you send me the log report from the decrypter? I will get the developer to take a look.
-
@Mr.Mad95154 adding IDs is not that simple. First we have to be in possession of the matching decryption key. If it is an Online ID, only the criminals have the corresponding decryption key and we do not have access to those. As far as Offline IDs are concerned, those get added when someone graciously supplies us with a decryption key matching an Offline ID.
-
Let's make sure of what we're dealing with.
Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note simultaneously for proper identification, and send me the information it provides:
https://www.emsisoft.com/ransomware-decryption-tools/
Please be sure to read the information link on the results page, as to whether we have a decrypter or not, sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.
You might try using undelete software such as Recuva from Piriform, or if your files are very important, it may be worth talking to a company that specializes in negotiating with the criminals that created the ransomware, such as Coveware, at https://www.coveware.com/. They are one of the few companies that do this completely transparently and honestly.
If the identification process shows ransomware that is not decryptable, there is nothing else we can do. We do not recommend paying the ransom unless there is absolutely no other choice.
-
There was an issue with reading the settings INI properly with EAM. Version 2020.2 addressed that bug. However, it did not reset the "Start on Windows Startup" value. This required a hotfix that was pushed a few hours ago that specifically addresses the startup bug. That required EAM services to be restarted. Once everything restarted properly EAM's status was properly detected and shows green.
-
I responded to your HelpDesk ticket.
-
Sometimes we do not see the service interruption, or it could be taking too long to respond. Error 403 is an HTTP response code meaning the connection was refused as forbidden. No idea why that happened.
-
3 hours ago, jrozasv said:
How can I donate to you?! What can I buy from you in order to keep my PC safe?
We do not accept donations for our work. If you wish to purchase Emsisoft Anti-Malware, a link is in my signature.
3 hours ago, jrozasv said:
@Kevin Zoll can I run 2 instances of the decryptor?
You can run the decrypter as many times as needed. However, if there is no key for the files it will not be able to decrypt those files.
-
@Vicky Run our decryption tool again we added several offline keys over the past few days. Might get lucky and one might be a match.
-
@SalasKafa If connection is lost for any reason then that could trigger the error you got.
-
Hello @btosinfected2020,
Welcome to the Emsisoft Support Forums.
What is the ID that our decryption tool identified? If it is an Online ID then we are not able to decrypt the files, as we are not in possession of online encryption keys.
-
As stated in my original post this variant is not supported by our decryption tool. I had you run the tool for the sole purpose of deactivating and removing any malware installed by STOP/DJVU.
-
It's always possible. We added two offline keys over the weekend. It really depends on whether or not we are given the key by someone who has paid the ransom.
-
Hello @m2413,
Welcome to the Emsisoft Support Forums.
Though those are offline IDs our decryption tool cannot decrypt your files as we are not in possession of the decryption key that matches your offline ID.
-
Hello @Shiladitya Dey,
Welcome to the Emsisoft Support Forums.
The ID you supplied is an online ID, meaning that the files cannot be decrypted. An online ID means that your encryption key was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.
There is more information available at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
-
Hello Jay92,
Welcome to the Emsisoft Support Forums.
An online ID means that your encryption key was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files.
There is more information available at the following link: https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/
-
Hello @jrozasv,
Welcome to the Emsisoft Support Forums.
Though those are offline IDs our decryption tool cannot decrypt your files as we are not in possession of the decryption key that matches your offline ID.
-
Hello @TASSIN,
Welcome to the Emsisoft Support Forums.
The copy of Emsisoft Emergency Kit you are using is old and outdated. Please download and use the newest version of Emsisoft Emergency Kit. You can download it from
-
Hello @mohammadali_149,
Thank you for contacting Emsisoft Support.
KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.
Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU.
To download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
-
-
I'm not seeing anything malicious in the FRST reports. There are some minor issues that should be addressed.
Copy the below code to Notepad; Save As fixlist.txt to your Desktop.
S2 MBAMInstallerService; C:\Users\Vicky\AppData\Local\Temp\MBAMInstallerService.exe [5224144 2020-01-27] (Malwarebytes Inc -> Malwarebytes) <==== ATTENTION
S1 fsuntrqk; \??\C:\WINDOWS\system32\drivers\fsuntrqk.sys [X]
ShellIconOverlayIdentifiers: [00asw] -> {472083B0-C522-11CF-8763-00608CC02F24} => -> No File
ContextMenuHandlers5: [igfxcui] -> {3AB1675A-CCFF-11D2-8B20-00A0C93CB1F4} => -> No File
FirewallRules: [{8120D0A3-B879-423E-B34F-66DC6B1BC843}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{2DA15E6F-F9D4-4B7A-85C1-44DC6ECCD30F}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{9B1D43E2-39DC-4B82-A8F1-AC624CAA7B76}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{7E56B557-EA3F-4193-91CB-09157A4901F0}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{B74FF42E-CD71-4EC6-BB77-40F98B5A61DD}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{56BE0716-43C7-4CB4-A2F6-071DEA731021}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{ACAE2957-F8DB-435B-B108-FA186577F60D}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
FirewallRules: [{A62D2840-6868-4A4F-BA28-6E7029002D4C}] => (Allow) C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.120.510.0_x86__zpdnekdrzrea0\Spotify.exe No File
Close Notepad.
NOTE: It's important that both files, FRST, and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system
IMPORTANT: Save all of your work, as the next step may reboot your computer.
Run FRST and press the Fix button just once and wait.
If the tool needed a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Attach it to your reply.
NOTE: If the tool warns you about an outdated version please download and run the updated version.
Also, let me know how the machine is running now, and what remaining issues you've noticed.
-
@Able if our decryption tool is unable to determine the decryption key for your files, then it is not possible to decrypt the files.
-
If our decryption tool is unable to determine the decryption key(s) for your files, then they cannot be decrypted.
-
@Amah benedict All the IDs in your post are Online IDs and as such our decryption tool cannot decrypt your files.
-
HELP PLEASE Emsisoft Decryptor .MOST
@MIULER
MOSK is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID; anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple IDs, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.
Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the MOSK variant of STOP/DJVU.
NOTE: We have added Offline IDs for newer variants of the STOP/DJVU family of ransomware. If the files were encrypted with an Offline ID that matches the ones in our database, then our decryption tool will be able to decrypt those files.
To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.