Kevin Zoll
-
Content Count
18810 -
Joined
-
Last visited
-
Days Won
177
Posts posted by Kevin Zoll
-
-
-
Hello @Ricardo Landivar,
Thank you for contacting Emsisoft Support.
NPSG is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.
Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the NPSG variant of STOP/DJVU.
To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
-
Let's take a fresh look.
Run fresh scan FRST, attach the new FRST scans to your reply.
Be sure to let me know how things are running.
-
@Rohith It's the same answer for offline IDs. Until such time that we get a encryption key matching the offline ID for your files they will remain undecryptable.
-
Thread Closed
Reason: Resolved
PM either Kevin, or Arthur to have this thread reopened.
The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.
All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread
-
Thread Closed
Reason: Resolved
PM either Kevin, or Arthur to have this thread reopened.
The procedures contained in this thread are for this user and this user only. Attempting to use the instructions in this thread on a system, other than the one they were written for, could result in damaging the Operating System beyond repair. Do Not use any of the tools mentioned in this thread without the supervision of a Malware Removal Specialist.
All posters requesting Malware Removal assistance are required to follow all procedures in the thread titled START HERE if you don't we are just going to send you back to this thread
-
Hello @sulaiman,
Welcome to the Emsisoft Support Forums.
The ID in the ransom note is an Online ID. Meaning that our tool more than likely cannot decrypt your files. However, you files could have more different IDs. Please run our decryption anyway.
To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
-
Hello @GENILDO,
Thank you for contacting Emsisoft Support.
KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.
Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU.To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
-
Yes, go ahead and scan them and if there is something there or the computer gets infected, I will help you clean it up.
-
If the Kaspersky tool linked to in this article is unable to decrypt your files, then it is not possible to decrypt them.
https://www.bleepingcomputer.com/news/security/free-decryption-tool-released-for-cryakl-ransomware/
-
Yes, you should connect the external hard drive and scan it with EEK. Whenever connecting an external drive that is suspected of being infected you also run the risk of reinfecting your system.
-
-
You are welcome.
Happy to be of assistance. Is there anything else I can help you with?
-
You are welcome.
Happy to be of assistance. Is there anything else I can help you with?
-
Hello @ROSARIO,
Welcome to the Emsisoft Support Forums.
Your logs show no malware. Unless we are alerting on the Mozilla Firefox uninstaller, this is an issue that should be taken up with Mozilla.
-
QuoteHi Kevin,Thank you for your support. I have cleared the cache in Firefox for both the adminstrator user and the restricted user. I have also used my laptop today and I am not aware of anything strange going on.However, I have tried to delete the trojans which are stored in Emsisoft's Quarantine, but the DELETE and RESTORE buttons are greyed out and I can't find a way to get them to become responsive. I have also looked at trying out the Network lockdown switch, but again if I hover over the OFF switch the cursor doesn't change shape into a hand and it won't switch on by clicking on it. In fact apart from the SCAN facility virtually every button/switch on the Emsisoft Dashboard whether ON or OFF or Greyed out won't work. Is this to prevent customers tampering with the selections or is there a problem?Kind RegardsIanIan,
Please do not respond to the email notification as it not connected with our forum software and we normally will not see your reply. Emsisoft is mostly likely locked down with a password and has restrictions preventing someone without permissions from altering settings and deleting stuff that they are not allowed to delete. Unless, you know the admin password to EAM or running it from and admin account they you will not have access to those options.
-
The personal ID in the ransom note is an Online ID which means that your files cannot be decrypted using that ID. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.
Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the NOSU variant of STOP/DJVU.To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
-
KODC is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.
Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the KODC variant of STOP/DJVU.Any hacker telling you they can decrypt your files is either lying or they are the ones who encrypted your files in the first place. This variant makes use of the RSA encryption algorithm. If implemented correctly and it is a least 1024-bit encryption it is unbreakable using today's technology. Theoretically RSA-1024 is breakable, but none of us will still be alive when it is successfully broken.
To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.
-
-
@Joker(Whysoserious?)
TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Any ID ending in t1 is an Offline ID anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.
Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU. -
Hello @iantot,
Thank you for contacting Emsisoft Support.
8 hours ago, iantot said:No key for new variant online id 0dJyaOI3Y3g08AdTexGrHx33A64BOGsGMoRuXim6, Notice: this ID appears to be an online ID, decryption is impossible
That is not an error. Our decryption tool was unable to find a decryption key for that ID. Files encrypted with an Online ID means that the file(s) were encrypted with an encryption that was generated and stored on a command & control server under the control of the ransomware gang responsible for encrypting your files. We do not have access to those encryption keys and therefore they are not in our database of encryption keys.
-
There are a few different IDs in that log, both online and offline. The ones with an Offline ID may be able to be decrypted in the future, we just do not have a decryption key for that ID in our database at this time. The files with Online Ids there is nothing that can be done at this time. Run the decrypter every couple of weeks are so, in the event that we have added the Offline key in your log to our database.
-
The file is most likely a JavaScript that was downloaded to the browser cache when FireFox loaded it and try to run it, Probably an attempt to compromise your system when you opened the email attachment. I didn't see any malware in the FRST logs, but there was a lot of orphaned stuff and policy restrictions that are not set by default. Which is what I had FRST fix.
-
Hello @SalasKafa,
Thank you for contacting Emsisoft Support.
TOPI is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Any ID ending in t1 is an Offline ID anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.
Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the TOPI variant of STOP/DJVU.-
1
-
1
-
Decrypt Any Ransomware Encrypted Data Files
in Help, my files are encrypted!
Posted · Report reply
Hello @shyam punjabi,
Welcome to the Emsisoft Support Forums.
NOSU is a newer variant of the STOP/DJVU family of ransomware and is not supported by our decryption tool. Despite that, I would like for you to run the STOP/DJVU decryption tool anyway. That will accomplish a couple of things. First, it will deactivate and remove any malware that was installed by the ransomware. This will prevent new files from being encrypted and will prevent re-encryption if files are restored from a backup. Second, the decryption tool will determine the ID of the encrypted files. Any ID ending in t1 is an Offline ID anything else is an Online ID. This is important as it tells us how the encryption key was generated. There may be multiple Ids, especially if communication between the target system and the command & control server is interrupted for any reason, or because the file encryption was done in stages to avoid detection. An Offline ID means that the encryption key pair was generated locally and the encryption key is encoded in a file. An Online ID means the encryption key pair was generated and stored on a remote command & control server under the control of the ransomware gang responsible for encrypting your files.
Why is this important? The ID of the file(s) is how private encryption keys are identified. If we have a private encryption key matching the ID for a file(s) then that can be used to decrypt the file(s). However, this is all contingent on us having a matching private encryption key in our database. The downside of all this is that we are not currently in possession of private encryption keys for the NOSU variant of STOP/DJVU.
To Download the STOP/DJVU decryption tool visit https://www.emsisoft.com/ransomware-decryption-tools/stop-djvu
Also, see https://support.emsisoft.com/topic/32045-about-the-stopdjvu-decrypter/ for more information on the STOP/DJVU decryption tool.