Fabian Wosar

Emsisoft Employee
Everything posted by Fabian Wosar

  1. You can try this decrypter: http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip Kaspersky got their hands on some of the keys for Cry36/Nemesis. So that may work. Make sure the version is 1.21.2.0 or later.
  2. You can try the newer version: http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip Kaspersky got their hands on some of the keys for Cry36/Nemesis. So that may work. Make sure the version is 1.21.2.0 or later.
  3. Can you please provide the file pair you try to use? It would also be helpful if you still have the ransomware that infected your system.
  4. You got attacked by two different variants. The issue with that is that you will have to run the decrypter twice: once with the proper settings to remove the "[email protected]" layer, and then to remove the "[email protected]" layer. The problem is finding the two different keys. You will have to find two file pairs where only one of the two extensions was appended. Then generate the decryption key based on those two individual file pairs and use them one after another.
  5. Can you please upload the ransom note and one encrypted file to https://id-ransomware.malwarehunterteam.com and post the result link here? Thanks.
  6. Can you please upload the ransom note and one encrypted file to https://id-ransomware.malwarehunterteam.com and post the result link here? Thanks.
  7. You will have to wait. Each file has a different key unfortunately, so we have to find a new key for each file.
  8. None of these dumps show any of our code being active and involved at the time of the crash. Can you exclude your Office folder (C:\Program Files (x86)\Microsoft Office\root\Office16\) from monitoring under Settings/Exclusions? If the problem persists with such an exclusion in place, the problem is definitely not Emsisoft Anti-Malware, but something else that is wrong with your Office installation. In that case, I would suggest contacting the Microsoft support to figure out what exactly causes the problem. The original problem only affected the 64-bit version running on a 64-bit system. So you wouldn't have been affected by the original issue anyway as you are running the 32-bit version of Office.
  9. Just click the Emsisoft on the top left. You can also display the version number permanently in the overview. Just hover over the "Renew for free" in the "License" block. An X should appear to the right of the link. Click it. That will remove the link and display the version number instead.
  10. Can you please upload an encrypted file plus the ransom note at https://id-ransomware.malwarehunterteam.com and post the result link here? Thanks
  11. The Excel crash isn't caused by EAM either. The crash occurs inside Direct2D which is essentially the DirectX acceleration layer for font and image rendering. That is also probably why the crash disappears when you disable hardware acceleration, which disables the usage of DirectX. You may want to update your graphics card driver and see if the problem still occurs. Having an excessive amount of font files or corrupted fonts installed can cause issues as well. So checking your installed fonts may be a good idea.
  12. It's rather unlikely that there will be a change anytime soon unless the C2 server is seized or the keys get released somehow.
  13. @Teutonia, that is Cry36. No fix for that as of yet.
  14. We know both how to encrypt and decrypt. They use standard AES-256 and RC4. What most people don't understand, you included, is that for modern encryption it is irrelevant whether you know how a file is encrypted or decrypted. Quite frankly, any encryption algorithm worth anything will have been thoroughly analysed, scrutinised and discussed publicly, often for years, before it is used in production. They are designed in a way so that without the key, the algorithm and the knowledge of what the ransomware does with the key and the data aren't worth anything. What these companies do is pay the ransomware authors to get the keys, then sell you those keys with a markup. Nothing else. Openly sharing findings and results just leads to ransomware authors fixing the underlying flaws.
  15. That seems to be the very same dump file as before. Are you sure you uploaded a different dump? Same breakpoint in the same location (DWrite.dll, which is used for hardware accelerated graphics and font rendering).
  16. Not for the on-demand scan, no. We do whitelist files temporarily in the real-time protection. That isn't a persistent whitelist though. It means that every file is only scanned once by the File Guard with every given version of the signature database. On signature update, the cache gets flushed and every file is again scanned only once.
  17. Sure, feel free to submit one or two of those files.
  18. The files appear to be encrypted by BTCamant, which is the successor of Radamant. At the moment it is not decryptable. You can currently either back up your files and wait for a solution, or pay the criminals (we do not recommend this). Since this particular ransomware usually enters a system via RDP, please change all your passwords on that system, check for accounts that don't belong to you, and make sure to either disable RDP or at least properly secure it.
  19. Can you please upload the ransom note as well as one encrypted file to https://id-ransomware.malwarehunterteam.com and post the results link here? Thanks
  20. We know everything there is to know about the format and how these keys are created. It is because we know exactly how those keys are generated and used that we know we can't do anything at least for the time being. While an attack is still possible, it simply would take too long to be feasible (we are talking many years here).
  21. Same as here: Closed to keep things in one place.