Didi, posted August 29:
Hello, On Tuesday 27th August, I was downloading some iMazing torrents in order to transfer photos from my iPhone to my laptop (Windows 10). After some time, I saw that all my files (except for music files), on my laptop and my external hard drive, had gone blank and had this extra extension attached: _NEMTY_VOv3Zme_ . I also got a ransom message that said that I would have to pay a cryptocurrency fee equal to $1000. I downloaded some ransomware programs to get rid of the malware and searched for the malware in my registry. It seems that I've been able to remove the ransomware, but my files have been encrypted, and it seems that the ransomware has affected my Windows Defender, as it refuses to go on. I ask if anyone can please help me find out how to decrypt my files and let me know if they have any information. I'd be so so grateful.
Kevin Zoll, posted August 29:
That is the danger of downloading pirated software. Let's make sure of what we're dealing with. The following site is quite good at identification, and will also offer advice on who, if anyone, might have a decrypter available, even if it is not us. We contribute to the site as well. Please visit the following website and upload both an encrypted file (between 256KB and 2MB in size would be best) and a ransom note for proper identification, and share with me the web address of the results page: https://id-ransomware.malwarehunterteam.com/

Please be sure to read the information link on the results page, as to whether we have a decrypter or not; sometimes someone else's decrypter is listed, or other information is available that might be useful for recovery.

Outright cracking secure encryption is currently not possible. The encryption used is the same thing governments use and can take on the order of billions of years (no, I'm not exaggerating) with current technology to completely brute-force decrypt even a single victim's computer. Google searching for "time to decrypt AES-256" is pretty enlightening.

If this is on a server, please make sure RDP (Remote Desktop Protocol) into your server is protected by proper difficult passwords (all of them), that you audit every account on the server and every machine that can access the server, and use firewalling to limit the range of IP addresses that can use RDP into your server. Also make sure it is up to date with all the latest security patches from Microsoft, especially ones such as the EternalBlue exploit patch. Many criminals using ransomware variants these days use RDP exploits to break in physically, so the attacker can turn off any protection that is on the machine prior to encrypting it. There is no protection against that if they are able to get in, so it is very important to secure the server.
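The RDP hardening steps above (restrict who can reach RDP, audit accounts, make sure the SMB/EternalBlue exposure is closed), as an added PowerShell example that is not from Kevin's post or from Emsisoft. It assumes an elevated PowerShell on the Windows server itself; the $AllowedAdmins subnet is a constructed placeholder.

```powershell
# Added example, not code from the forum post: audit the RDP exposure described above
# and restrict it. Run in an elevated PowerShell on the Windows server.
# $AllowedAdmins is a constructed placeholder; put your real management subnet here.
$AllowedAdmins = @('10.0.5.0/24')

# 1. Is Remote Desktop enabled? fDenyTSConnections = 1 means RDP is switched off.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$deny  = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 1) {
    Write-Host 'Remote Desktop is disabled on this host.'
} else {
    Write-Host 'Remote Desktop is ENABLED; checking who can reach it.'
}

# 2. Require Network Level Authentication, so a client must authenticate before
#    a session (and the logon screen) is ever presented.
Set-ItemProperty -Path "$tsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1

# 3. Scope the built-in "Remote Desktop" firewall rules to the management network.
#    By default they accept connections from any remote address.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object { $_.Enabled -eq 'True' } |
    ForEach-Object {
        $current = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        Write-Host ("{0}: remote addresses were '{1}'" -f $_.DisplayName, $current)
        Set-NetFirewallRule -Name $_.Name -RemoteAddress $AllowedAdmins
    }

# 4. Audit every enabled local account: each one is a password-guessing target over
#    RDP, and stale or passwordless accounts should be disabled.
Get-LocalUser | Where-Object { $_.Enabled } |
    Select-Object Name, PasswordRequired, PasswordLastSet, LastLogon |
    Format-Table -AutoSize

# 5. SMBv1 is the protocol EternalBlue targets; it should be off, patched or not.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Host ("SMBv1 enabled: {0}" -f $smb1)
if ($smb1) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }

# 6. Show the most recent updates so you can confirm patching is current.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

Step 3 changes live firewall rules, so run it from a console session or from an address inside $AllowedAdmins, otherwise your own RDP session will be cut off.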
Kevin Zoll, posted August 29:
It also appears that NEMTY is unbreakable and cannot be decrypted using third-party decryption tools.
Didi, posted August 30:
Hello Kevin, I appreciate your very swift reply; thank you so much. I apologise for my not so quick reply; I've been reading up on this ransomware and what options I have. Thank you for the information provided. You're right, this is what you get when you download pirated programs. I uploaded the necessary files on the site and I've attached a picture of the results page. It seems that GandCrab v4.0 / v5.0 may help, but I'm skeptical seeing as you've said that "outright cracking secure encryption is currently not possible". Annoyingly, I found that RDP (Remote Desktop Protocol) was enabled/allowed, so I quickly unchecked the "allow" box. I'm currently running SpyHunter4 on my laptop, which picked up the cryptowall ransomware (screenshot is attached). Is there any advice you could please offer me?
Amigo-A, posted August 30:
Hello @Didi. Ransomware actors often copy elements from each other to trick ID Ransomware. Attach 2-3 encrypted files and the original ransom note to your message, so that we can verify it individually. Description of Nemty Ransomware
Didi, posted August 30:
Hello @Amigo-A, thank you for getting in touch. I see. OK, here are 3 encrypted files, and the ransom note is called NEMTY-DECRYPT.txt:
IMG_2439.JPG._NEMTY_VOv3Zme_
IMG_2440.JPG._NEMTY_VOv3Zme_
NEMTY-DECRYPT.txt
Amigo-A, posted August 30:
Yes. This is a new variant of Nemty Ransomware. They again decided to change the extension, as if there was some reason for this.
Amigo-A, posted August 30:
6 hours ago, Didi said: "I'm currently running SpyHunter4 on my laptop which picked up the cryptowall ransomware (screenshot is attached). Is there any advice you could please offer me?"

1st step. In this case, the most correct solution would be to remove SpyHunter, because it will not protect your PC and will not return your files. Quarantine needs to be exported, if this program allows this action. "The Moor has done his job, the Moor can go" (phrase from the classics of literature).
Amigo-A, posted August 30:
2nd step. While most ransomware will automatically delete itself after it finishes encrypting files, some are now leaving behind components on the computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums): https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
Amigo-A, posted August 30:
3rd step. Later, run a scan with Emsisoft Emergency Kit to make sure there's nothing malicious left on the system. Do not delete the Quarantine if such files are found. I or someone from the support service will look at the scan results to exclude the presence of ransomware and other malicious files in the system.
Didi, posted August 30:
@Amigo-A, thank you again for your reply. OK, I'll delete SpyHunter and will download FRST. Please bear with me.
Amigo-A, posted August 30:
Decryption specialists will need time to explore the first and new variants and find vulnerabilities to make the decryptor. It is possible that this will not happen soon, or will never happen. JSWorm, the previous development of the ransomware team, was, despite all their tricks and changes, studied by decryption specialists, and almost all the variants were decrypted. Thank you very much to @Demonslay335. This does not mean that success will be repeated every time something changes, but I think that we should hope and wait. Demonslay335 promises good news, but the time is not known in advance.
Didi, posted August 30:
Hello @Amigo-A, thank you for your swift reply; I really appreciate it. I was about to try all that you've mentioned, but I had the opportunity to hand over my laptop and my external hard drive to the IT department in my workplace. I'll wait and see what they say and give all that you've mentioned a go. Although I'm disheartened to hear that something may happen in the long run or not at all, I'm somewhat hopeful about @Demonslay335 finding a solution.
Didi, posted August 30:
As I thought, the IT department was unsuccessful, so I'll be getting my laptop back soon. I'll be running a scan with FRST and the Emsisoft Emergency Kit once I receive my laptop, and I will post my logs/findings ASAP.
Didi, posted September 7:
Hello @Amigo-A, I ran a scan with FRST and the Emsisoft Emergency Kit and there was no problem. I've attached a screenshot of the Emsisoft Emergency Kit's scan of my system.
Amigo-A, posted September 8:
Need a log of results.
GT500, posted September 10:
On 9/7/2019 at 4:47 PM, Didi said: "I've attached a screenshot of the Emsisoft Emergency Kit's scan of my system."

The screenshot shows Emsisoft Emergency Kit downloading Emsisoft Anti-Malware. Please note that if you already have Anti-Virus protection, you may want to remove it before installing Emsisoft Anti-Malware.

On 9/7/2019 at 4:47 PM, Didi said: "I ran a scan with FRST and the Emsisoft Emergency Kit and there was no problem."

FRST isn't going to tell you if it found anything. What it does is save logs which need to be manually analyzed by an expert. If you could attach those logs to a reply, we would be happy to look over them for you.
Didi, posted September 12 (edited):
OK, here is the log for the Emsisoft Emergency Kit:

Emsisoft Emergency Kit 2019.6.0.9501 stable [en-us]
OS: Windows 10 (Version 10.0, Build 18362, 64-bit Edition)
Forensics log
Date | Component | Action | Details
09/09/2019 01:06:09 | Scanner | Scan finished | Scanned 95288 objects and found nothing.
09/09/2019 00:55:00 | User | Update | Downloaded and installed 226 files (96030 kb) (17 min. 4 sec.).
09/09/2019 00:39:12 | User IBHADE\ibhad | Scan started | Malware Scan
09/09/2019 00:37:57 | Core | Notification | "Recommended Reading: To pay or not to pay ransomware: A cost-benefit analysis of paying the ransom".

Log for FRST: FRST.txt
(Edited September 13 by GT500: moved FRST log into attachment.)
Didi, posted September 12 (edited):
FRST Addition log: Addition.txt
(Edited September 13 by GT500: moved log into attachment.)
Didi, posted September 12:
I've been unable to enable Windows Defender. The attack disabled it, and it shows an error when I click on "Use recommended settings" (screenshot attached).
GT500, posted September 13:
@Didi Please download the following fixlist.txt file and save it to the Desktop: https://www.gt500.org/emsisoft/fixlist/2019-09September-13/Didi/fixlist.txt

NOTE: It's important that both files, the FRST download from earlier and the fixlist file, are in the same location or the fix will not work. If you need to, please copy the files from your Downloads folder to your desktop.

Run the FRST download from earlier, and press the Fix button just once and wait. If for some reason the tool needs to restart your computer, please make sure you let the computer restart normally. After that, let the tool complete anything it still needs to do. When finished, FRST will generate a log on the Desktop (Fixlog). Please attach it to a reply.
Didi, posted September 25:
Hello @GT500, I apologise for the very late reply. I did as instructed and I've attached the log here. Windows Defender hasn't changed (screenshot attached): Fixlog.txt
GT500, posted September 26:
I can't be certain if it will help in this case; however, Microsoft has a fix for some Windows Firewall issues at the following link: https://support.microsoft.com/en-us/help/17613/automatically-diagnose-and-fix-problems-with-windows-firewall

If that doesn't help, then please try the following:
1. Right-click on the Start button.
2. Select Windows PowerShell (Admin) from the menu.
3. PowerShell will take a minute to fully load, so wait until it says "PS C:\WINDOWS\system32>" before you proceed.
4. Type cmd.exe into PowerShell, and then press Enter on your keyboard.
5. Copy the command from the following box, paste it into PowerShell, and then press Enter again:
   netsh advfirewall reset
6. After the command is done running, please be sure to restart your computer by right-clicking on the Start button, going to Shut down or sign out, and selecting Restart from that menu.
Didi, posted September 26:
Thank you so much for these! I'll try them and get back to you!
Amigo-A, posted October 1:
Hello @Didi. Good news! Tesorion CSIRT helps victims of Nemty Ransomware.
Tesorion CSIRT: +31 88 27 47 800
E-mail: [email protected]
Description
Didi, posted October 1:
OMG!!! REALLY?! WOW! Thank you so much!!! I'll check them out now!!!!
Amigo-A, posted October 1:
Yes. This seems to be true; they thoroughly studied the encryption process, identified errors and offer each victim free help.
Didi, posted October 1:
That's amazing!!! I'm so excited! Thank you for letting me know. I've emailed them. I tried both methods for Windows Firewall and nothing worked. This is what PowerShell reported when I ran the command:

An error occurred while attempting to contact the Windows Defender Firewall service. Make sure that the service is running and try your request again.

Are there any other methods you could please suggest?
GT500, posted October 2:
7 hours ago, Didi said: "This is what PowerShell reported when I ran the command: An error occurred while attempting to contact the Windows Defender Firewall service. Make sure that the service is running and try your request again. Are there any other methods you could please suggest?"

Restart your computer, then run another scan with FRST and attach the logs to a reply. I want to see if the Event Logs show any indication as to why the firewall service isn't starting.
Didi, posted October 18:
@GT500 Sorry for my late reply. I've attached the FRST and Addition logs. Thank you again for your help! FRST.txt Addition.txt
GT500, posted October 19:
Remove KMS and any pirated software, then run the DISM /CheckHealth and DISM /ScanHealth commands and the SFC /SCANNOW command, make sure the computer is restarted if any repairs were made, and then, if the firewall still isn't running, try the Microsoft firewall repairs again.

Note: KMS is known to install malware on computers, and it is rather common for victims of the STOP/Djvu ransomware to have been compromised shortly after installing KMS.
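An added PowerShell example, not from GT500's post or from any Emsisoft tool, that first checks the services behind Windows Defender Firewall and Defender (the "cannot contact the Windows Defender Firewall service" error seen earlier in the thread usually traces back to one of them), pulls the Service Control Manager errors GT500 wanted from the Event Log, and then runs the DISM/SFC repair sequence above, going one step further with /RestoreHealth. It assumes an elevated PowerShell; the service names are the standard Windows ones.

```powershell
# Added example, not code from the forum thread. Run in an elevated PowerShell.
# "Unable to contact the Windows Defender Firewall service" usually means MpsSvc
# (the firewall) or BFE (Base Filtering Engine, which it depends on) is stopped,
# disabled or missing, so inspect them before re-running the repair commands.
$names = 'BFE', 'MpsSvc', 'WinDefend', 'WdNisSvc', 'SecurityHealthService'

function Get-ServiceState([string]$Name) {
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { return [pscustomobject]@{ Name=$Name; Status='MISSING'; StartMode='n/a' } }
    $cfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    [pscustomobject]@{ Name=$Name; Status=$svc.Status; StartMode=$cfg.StartMode }
}

$names | ForEach-Object { Get-ServiceState $_ } | Format-Table -AutoSize

# Re-enable and start the firewall chain in dependency order (BFE first, then MpsSvc).
foreach ($n in 'BFE', 'MpsSvc') {
    $state = Get-ServiceState $n
    if ($state.Status -eq 'MISSING') { Write-Warning "$n is missing; a system repair is needed"; continue }
    if ($state.StartMode -eq 'Disabled') { Set-Service -Name $n -StartupType Automatic }
    try   { Start-Service -Name $n -ErrorAction Stop; Write-Host "$n started" }
    catch { Write-Warning "$n failed to start: $($_.Exception.Message)" }
}

# The Service Control Manager logs why a service failed to start (missing file,
# access denied, dependency failure); its message is more specific than the UI error.
Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Service Control Manager'; Level=2 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Firewall|Base Filtering|Defender' } |
    Select-Object TimeCreated, Message | Format-List

# Repair the component store and protected system files, in the order given above;
# RestoreHealth is the step that actually fixes what ScanHealth reports.
DISM.exe /Online /Cleanup-Image /CheckHealth
DISM.exe /Online /Cleanup-Image /ScanHealth
DISM.exe /Online /Cleanup-Image /RestoreHealth
sfc.exe /scannow
# Restart afterwards, then re-run the service check at the top of this script.
```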
Amigo-A, posted October 19:
Didi, quoting from the log:
C:\Users\ibhad\Downloads\_Getintopc.com_KMSAuto_Net_Office_2007.rar
This file is in the Downloads and in the Recycle Bin - C:\$Recycle.Bin\***. You need to remove it physically and empty the Trash (Recycle Bin).
Didi, posted October 20:
@GT500 and @Amigo-A, thank you for the insights. I'll report back as soon as I do as instructed.
Didi, posted November 12:
@GT500 and @Amigo-A, I ran the commands but they made no difference. I still get an error message when I access Windows Defender Firewall (shown in the screenshot). Also, I've been unable to decrypt my files using the Tesorion decryptor (v2.0.7228.29806). Everything starts off fine when I upload the ransom note, but once I upload a file, it always fails to be decrypted. Is there a way I could get help with getting my files back?
Didi, posted November 12:
I just tried decrypting a file again and the decryptor failed (shown in the screenshot).
GT500, posted November 13:
22 hours ago, Didi said: "@GT500 and @Amigo-A, I ran the commands but they made no difference. I still get an error message when I access Windows Defender Firewall (shown in the screenshot)."

You've done just about everything I can think of to repair the Windows Firewall. The only other thing I can think of is Windows Repair (All In One); however, it does have a ton of extra fixes that aren't going to be necessary, and it does like to add a startup item so that it can display an icon in your System Tray/Notification Area. There's also a good possibility that it may not work either. If that doesn't fix it either, then it's possible that someone at BleepingComputer may know how to fix this. There's also Tech Support Forum and the StackExchange tech sites, and some pretty good experts hang around both of those websites and answer questions.

22 hours ago, Didi said: "Also, I've been unable to decrypt my files using the Tesorion decryptor (v2.0.7228.29806). Everything starts off fine when I upload the ransom note but once I upload a file, it always fails to be decrypted. Is there a way I could get help with getting my files back?"

I'll ask one of our ransomware analysts and see what they say about this.
Didi, posted November 13:
@GT500 Thank you so much for your help with both issues. OK, I'll get in touch with people from all sites to see if they have any solutions. I also look forward to hearing what the ransomware analysts have to say.
GT500, posted November 13:
It looks like there's nothing we can do about Nemty at the moment. We understand the technical details about how the encryption works, and in theory we know how to make a decrypter, but we don't know for certain if we could do any better than Tesorion because we can't analyze their decrypter. Our best guess right now is that the file you're trying to decrypt is a type of file that Tesorion's decryption service isn't familiar with, and thus it can't verify if it was able to decrypt the file properly. If there's a way to contact them about it, then that might be the best course of action, as only they know for certain how their decryption service works.
Amigo-A, posted November 14:
Meanwhile, the extortionists have already released version Nemty Revenge 2.0 (VT-sample).
Didi, posted November 14:
@GT500 Thanks for your comment. I've gotten in touch with Tesorion via email but haven't heard from them since, and I really need their help to get my files back. @Amigo-A Oh gosh! That's awful! I wish something could be done to eliminate ransomware from the web.
Amigo-A, posted November 14:
Didi said: "I wish something could be done to eliminate ransomware from the web."

Unfortunately, this human factor is a consequence of social and economic inequality and is ineradicable.
Didi, posted November 14:
This is true and very sad.