Fabian Wosar

Emsisoft Employee
About Fabian Wosar

  • Website URL
    http://www.emsisoft.com
  • Skype
    fwosar

Recent posts
  1. Yes, that is normal, as I already explained. The latest update extends some of the Behaviour Blocking features to all processes, including system services. Accordingly, an increase in event log entries is normal.
  2. Those files aren't encrypted by Nemucod. That is why the Nemucod decrypter doesn't work. Can you please upload one encrypted file and the ransom note from your system to https://id-ransomware.malwarehunterteam.com and post the result link here? Thanks.
  3. I released a new version of the decrypter. It now checks for the presence of a BOM as well as whether or not the first 28 bytes are all <= 127 in an attempt to detect text-based formats.
  4. Why would we want to get tested in an anti-exploit test if we don't offer or advertise anti-exploit features? If they used live real world malware for their tests, we wouldn't have minded. But in general, we don't see a point in participating in tests that use custom-made malware. That's one of the reasons we dropped out of MRG as well. There is enough bad stuff out there already. There is no point in artificially adding to the pile.
  5. Different BB versions. The scope of which processes the BB monitors changes from release to release.
  6. Thanks, hairygeek. The only difference I can see between our setups and yours is that you use 365 instead of the retail version, which is based on some virtualisation solution. So the File Guard interfering would actually make sense, even though the crash is still not in our code, but triggered probably because the scan introduces some delays.
  7. I will see if I can do something for you tomorrow. For Unicode text files (C#) I may be able to identify the BOM.
  8. Text-based formats lack unique identifiers within their first 16 bytes to uniquely identify them as such. Therefore, the decrypter can't process them properly without file name encryption being present.
  9. That is weird, yes. Especially since the entire company uses Office and EAM as well and not one of them has had any problems so far. Can you give me your exact Office version (365 or Retail) as well as your Windows version? I will try to reproduce the problem again.
  10. The message is normal. Certain processes that are associated with DRM refuse to load DLLs that are not specially signed by Microsoft. The result is the message you posted from the event log. If you do not want to see the message, you can exclude the processes in question from monitoring under Options/Exclusions.
  11. Not necessarily. More indicative of campaigns is the same C2 server being in use.
  12. It has nothing to do with the Windows version. Nemesis is a ransomware-as-a-service offer; that means everyone can subscribe to it and get their own ransomware. Kaspersky only liberated the required keys for some of the Nemesis partners. That means only campaigns associated with those partners can be decrypted.
  13. You can try this decrypter: http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip Kaspersky got their hands on some of the keys for Cry36/Nemesis. So that may work. Make sure the version is 1.21.2.0 or later.
  14. You can try the newer version: http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip Kaspersky got their hands on some of the keys for Cry36/Nemesis. So that may work. Make sure the version is 1.21.2.0 or later.
  15. Can you please provide the file pair you try to use? It would also be helpful if you still have the ransomware that infected your system.
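Posts 3 and 8 above describe the heuristic the decrypter uses to recognise text-based files when no file-name encryption gives away the original type: look for a Unicode byte-order mark, and otherwise check whether the first 28 bytes are all <= 127. The following is an added example written for this page, not Emsisoft's decrypter code; the BOM table, the 28-byte window and the constructed sample files are assumptions made here to illustrate the idea.

```python
# Added example, not the decrypter's own code. Implements the two checks
# described in the posts: (1) a Unicode BOM at the start of the file,
# (2) the first HEADER_LEN bytes all being 7-bit ASCII (<= 127).

# Byte-order marks, longest first so UTF-32 LE is not mistaken for UTF-16 LE
BOMS = [
    (b"\xff\xfe\x00\x00", "UTF-32 LE"),
    (b"\x00\x00\xfe\xff", "UTF-32 BE"),
    (b"\xef\xbb\xbf", "UTF-8"),
    (b"\xff\xfe", "UTF-16 LE"),
    (b"\xfe\xff", "UTF-16 BE"),
]

HEADER_LEN = 28  # window size taken from post 3 (assumed to be a fixed prefix)


def detect_bom(data):
    """Return the name of the BOM the data starts with, or None."""
    for bom, name in BOMS:
        if data.startswith(bom):
            return name
    return None


def looks_text_based(data):
    """Return (is_text, reason) for the leading bytes of a file.

    A BOM is treated as decisive. Otherwise the first HEADER_LEN bytes
    must all be <= 127; a shorter file is judged on the bytes it has.
    """
    if not data:
        return False, "empty file"
    bom = detect_bom(data)
    if bom is not None:
        return True, "BOM: " + bom
    head = data[:HEADER_LEN]
    if all(b <= 127 for b in head):
        return True, "first %d bytes are 7-bit ASCII" % len(head)
    return False, "non-ASCII byte within first %d bytes" % len(head)


# Constructed sample headers (not real victim files) to exercise the checks
SAMPLES = {
    "utf16_notes.txt": b"\xff\xfe" + "Hello".encode("utf-16-le"),
    "utf8_readme.txt": b"\xef\xbb\xbfplain text with BOM\n",
    "plain_ascii.csv": b"id,name,amount\n1,alice,10\n2,bob,20\n",
    "image.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 24,
    "empty.bin": b"",
}


def classify_samples(samples=SAMPLES):
    """Map each sample name to the (is_text, reason) verdict."""
    return {name: looks_text_based(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print("%-18s %s" % (name, verdict))
```

The ASCII-prefix check is only a heuristic: any binary format whose first 28 bytes happen to stay below 0x80 (a ZIP local-file header with small field values, for instance) will be labelled text, and a text file that opens with a non-ASCII character will not. That residual ambiguity is exactly why post 8 notes that text-based formats cannot be processed reliably without file-name encryption being present.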