Recommended Posts

My laptop has been hacked by a ransomware virus (mtogas). I didn't find any message, txt or mail on my laptop from the hackers. How can you help me, please? All files are locked now, and all my life and all my work are in my laptop; they destroyed me. And the problem is I am in Syria; I don't know what to do with this issue, and everyone told me there is no solution.

Can you help me please?


Hello and welcome to the Emsisoft support forums.

Let's make sure of what we're dealing with. The following site is quite good at identification, and will also offer advice on who, if anyone, might have a decrypter available, even if it is not us. We contribute to the site as well.

Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note for proper identification, and share with me the web address of the results page: https://id-ransomware.malwarehunterteam.com/ 

Please be sure to read the information link on the results page, as to whether we have a decrypter or not, sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.

Outright cracking secure encryption is currently not possible. The encryption used is the same thing governments use and can take on the order of billions of years (no, I'm not exaggerating) with current technology to completely brute-force decrypt even a single victim's computer. Google searching for "time to decrypt AES-256" is pretty enlightening.

If this is on a server, please make sure RDP (Remote Desktop Protocol) into your server is protected by proper difficult passwords (all of them), that you audit every account on the server and every machine that can access the server, and use firewalling to limit the range of IP addresses that can use RDP into your server. Also make sure it is up to date with all the latest security patches from Microsoft, especially ones such as the EternalBlue exploit patch. Many criminals using ransomware variants these days use RDP exploits to break in physically, so the attacker can turn off any protection that is on the machine prior to encrypting it. There is no protection against that if they are able to get in, so it is very important to secure the server.

13 hours ago, Ehab1985 said:

ransomware virus  (mtogas)

There is no separate ransomware with that name. This is a variant of STOP Ransomware.

Look at the list in "The version numbers and extensions of STOP-Djvu Ransomware": extension .mtogas is under #144.

An international criminal group, behind this criminal business, infects sites, software distributions, key generators and other tools for hacking and illegal use of paid programs.

If you became a victim of this ransomware, it means that you poorly protected your PC, probably using free anti-virus programs that a priori will not protect against ransomware and similar complex attacks. Their functionality is limited and almost useless. Also, the new Windows 10, even loaded with the latest updates and critical patches, will not protect against ransomware. This has been tested by my test team many times.


I have been tracking the malicious work of this program since December 2017. This was much earlier than the well-known anti-virus companies.
Now there are a lot of victims on the forum from different variants of this ransomware. In some cases, the files can be decrypted.

Firstly...

You need to attach the ransom note _readme.txt to the message, or otherwise act on your own.

@Demonslay335  (the developer of the STOPDecrypter) collects information from the victims, writes data and tries to update the STOP Decrypter. After that, victims can try to decrypt the files. A positive result and a lucky chance are not always possible. 

Download STOP Decrypter now >>>

I recommend that you start decrypting with a small group of files, but first you need to make copies of these files.

If STOPDecrypter won't be able to recover your files, it can still be used to get information that may be able to help the creator of STOPDecrypter figure out your decryption key. Here's a link to instructions on how to get this information with STOPDecrypter:
https://kb.gt500.org/stopdecrypter 
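As an added illustration of the two pieces of advice above (pick a 256KB to 2MB encrypted file plus the _readme.txt note for ID Ransomware, and copy a small group of files before any decrypt attempt), here is a Python triage helper. It is not code from the forum, Emsisoft or the STOPDecrypter project; the .mtogas extension and the _readme.txt note name come from this thread, and the sample folder it builds is constructed random data.

```python
import os
import shutil
import tempfile
from collections import Counter

RANSOM_NOTE = "_readme.txt"  # note name STOP/Djvu drops (named in the thread)
MIN_SAMPLE, MAX_SAMPLE = 256 * 1024, 2 * 1024 * 1024  # ID Ransomware sample window


def triage(root, exts=(".mtogas",)):
    # Return encrypted files, per-extension counts, notes, and an upload sample.
    encrypted, notes = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low == RANSOM_NOTE:
                notes.append(path)
            elif low.endswith(exts):
                encrypted.append(path)
    encrypted.sort()
    counts = Counter(os.path.splitext(p)[1].lower() for p in encrypted)
    # First encrypted file inside the size window recommended for upload.
    sample = next((p for p in encrypted
                   if MIN_SAMPLE <= os.path.getsize(p) <= MAX_SAMPLE), None)
    return {"encrypted": encrypted, "counts": dict(counts),
            "notes": sorted(notes), "sample": sample}


def backup_small_group(paths, dest, limit=5):
    # Copy up to `limit` encrypted files into `dest` before any decrypt attempt.
    os.makedirs(dest, exist_ok=True)
    copied = []
    for p in paths[:limit]:
        target = os.path.join(dest, os.path.basename(p))
        shutil.copy2(p, target)
        copied.append(target)
    return copied


def build_demo_tree():
    """Constructed sample tree (random bytes, no real victim data)."""
    root = tempfile.mkdtemp(prefix="triage_demo_")
    docs = os.path.join(root, "docs")
    os.makedirs(docs)
    with open(os.path.join(docs, "thesis.docx.mtogas"), "wb") as f:
        f.write(os.urandom(300 * 1024))  # inside the 256KB-2MB window
    with open(os.path.join(docs, "photo.jpg.mtogas"), "wb") as f:
        f.write(os.urandom(4 * 1024))    # too small to be a good sample
    with open(os.path.join(docs, RANSOM_NOTE), "w") as f:
        f.write("constructed ransom note placeholder\n")
    return root
```

Run `triage(build_demo_tree())` to see the summary; on a real machine pass the victim's folder and only the "sample" and "notes" entries need to go to ID Ransomware.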


Secondarily...

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Then, after checking and cleaning, you will need to change the passwords on the accounts in browsers. Ransomware does not come alone; it comes with backdoors, trojans and password-stealers to inflict maximum damage and take more money.
