Ransomware is malicious software, designed to block data access in order to extort money. As a form of malware, ransomware is most often used to infiltrate devices through infected emails or links that, in turn, recognize and take advantage of vulnerabilities in the operating system and installed third-party software.


Today my Exchange server rebooted on its own and on my desktop was a _decrypt_my_files text file

**all your work and personal files have been encrypted**
buy special software <nemesis decryptor>
https://*.onion.to to get details.

I am hoping this is a hoax, does anyone know of this?

I have a question about .zepto, which I think is a ransomware virus that changes a bunch of pictures on someone's computer to .ZEPTO and gives them an IE icon. I was a bit surprised because I run Deep Freeze on this person's system, locking the OS C: drive partition and keeping all data on the 2nd partition, which is the F: drive. I installed and ran Kaspersky but it came up 100% clean. Any ideas?

Recently one of our sites suffered a ransomware attack. Luckily we had good image backups and were able to roll back to the previous healthy backup so downtime was only a few hours.

We now want to determine the point of the attack.

The site setup is as follows:

Office with 60 users
2 x Host Servers in a Hyper V Cluster with 4 VMs
One of the VMs is a 2012 Terminal server
Fortinet Firewall in place
10 users work from outside the office
They have laptops with software VPN on each
They firstly connect to the VPN and then RDP to the TS
ESET AV installed on all machines

Following the attack we checked all internal machines for ransomware - we used Malwarebytes - all machines appear to be clean

We examined the infected terminal server and discovered the following:
A high number of failed login attempts using various different accounts before the attack
Successful login via an AD user called accounts that is currently not in use
Within a minute an executable file was downloaded to the downloads folder of this user profile
The following day the wallet ransomware signature was found under this user’s profile

We have kept the terminal server off since the attack.

My question is where is the likely source of the attack? Only VPN traffic is allowed through the firewall. Was the terminal server itself compromised or would it be more likely one of the laptops and in turn the TS?

Any help would be appreciated - thanks

Hi everyone,
I have got a task to do a complete study on ransomware, can anyone help me get complete details like
1. what exactly is ransomeware
2. how it is attached
3. how to prevent
4. what exactly it does
5. how effective it is
6. what are the different ways it will attack

Ransomware is a concern for everyone and SOPHOS has come out with this Intercept X product that they claim stops modern exploits, including zero-day and ransomware.

Has anyone had any experience with this product? Can anyone confirm this product's protection from ransomware?

Is it possible to decrypt .wallet ransomware?
We have a file extension of BOXING DAY.xls.id-FCB9A156.[dropped@india.com].wallet
and a ransom note of: If you want to restore your files, write us to dropped@india.com


Hello Experts

I have a DC that was attacked by ransomware and now all my shortcuts to the administrative tools are files with a .wallet extension. Is there any way to reconstruct the shortcuts?

I have a client with aes256 ransomware on an SBS 2011 server. What is the best removal procedure/product? I have recovered the data but need to be sure the server is clean. I'm finding very little on this bug.

Hi Experts,

File Extension of all the office related files present in one folder has changed to .CFR
Also the name of the files has been changed. Now it includes the original name.original extension_some random number
Now we are not able to open these files.

What is this .CFR extension ?
How should I proceed now ?

No ransomware related mail received asking for ransom. Not sure exactly what had happened.

I am looking for someone who has used https://www.eventsentry.com/blog/2016/03/defeating-ransomware-with-eventsentry-auditing.html to protect against ransomware and their experience with it - pros and cons.  

Please note that we are not looking for the 'ultimate' protection and we are well aware and practice good backups, complex passwords, AV, etc.  We want to focus very specifically on the merits of the Event Sentry approach to the Ransomware issue as per the link I provided - period.  I write this not to chill free flow of thoughts/feedback but to avoid the often generic responses -  'Your best defense is a good backup', etc. -  that questions like this can end up getting.  Or alternatively - "I have never used the product but I use ...." I am not asking for general anti-Ransomware advice - I am focused in this question on one approach.  Again experience with the product is preferred.  Thanks in advance.

Hey guys,
What's the best defence against ransomware on a remote desktop server? I have a sufficient backup solution in place which will help when we get hit. But thinking more about prevention. What's the best thing to do or combination?

Currently using Malwarebytes Premium due to its inbuilt ransomware feature.

I have a Windows 10 laptop that has been infected with Osiris Ransomware that identifies the files it encrypts with the extension '.Osiris'

Seems my existing protections didn't detect it before it spread.

I'm very suspicious of the offers to download removal tools only to find that they detect but do not remove until a payment is made.

I have 5 servers infected with the .wallet virus which encrypted all system files, and files on these servers as per attached. How can I remove this? These servers are using Kaspersky Endpoint Security 10.

Please let me know your experience with ESET AV's effectiveness against ransomware. I used the KnowBe4 RanSim vulnerability test against my Vipre AV and it scored a perfect 10 on protection.


I ran the same test on ESET AV for Business and it failed all 10 tests.  ESET support told us the simulation isn't "fair" since the RanSim application both creates the temporary test folders and files and then performs the simulated crypto attack on them.  I don't think that is a "fair" answer.  Even MS Windows Defender and an old version of AVG 2013 stopped at least one of the 10 attack methods.

Maybe there are some settings in ESET I'm missing.

Troy Taylor

We just got hit by ransomware.

We are trying to narrow down the time our system was infected.
How long does it take for the ransomware to get on the system to the time it makes itself known (when it starts to encrypt files)?

Besides knowb4.com, kindly suggest 2 more good ransomware simulators for Windows?
The RanSim I got from knowb4 gives different results when run multiple times against a product, enSilo, on Win 7.

Does company below provide one such good product?

Knowb4 has a ransomware simulator but when our enSilo vendor ran it several times against enSilo, it gave a range of ratings from 2 to 10 (out of a perfect 10): enSilo says the simulator is 'inconsistent', or is it the behavioral aspects of enSilo that are inconsistent?

When we test against our McAfee AV, we need to get McAfee to block creation of 80+ extensions/files that ransomwares are known to create to get a score of 10/10.

Against a Malwarebytes trial copy (with the realtime/on-access feature on), the score is consistently 4/10.

So based on the above, is it a simulator issue or enSilo?

Does the RanSim simulator truly give a good simulation of ALL current and potential future ransomware attacks?

We were hit with a ransomware virus, we emailed the hacker asking how much it will cost to get the decryption keys. They asked how many computers were encrypted. With ransomware, would it have several different keys or should I just say one computer (instead of 6 that were actually encrypted)? I would think the de-encryption tool they send would un-encrypt everything but was not sure, or would there be a special key for each computer?
Please don't say don't pay the ransom, I totally understand and agree, but this company would likely go bankrupt if we don't get the files back. Thanks so much for your input.

Uh, oh... got a file server with the DMA Locker 3.0 ransomware message. It does appear to have encrypted files. Even opening batch files yields gibberish.

Have searched for solutions, but they appear to be from illegitimate (?) websites.    

Any known legitimate resolutions?

Hi Guys,
I have an Internet Information Services web server, and it was attacked by ransomware.
Honestly I don't even know how the hacker could actually infect the server just by using port 80.

Since this is a production server I just restored an earlier snapshot and it is now back up and running.

The thing is that now management is requesting a postmortem investigation, and a report stating if there was client information compromised.

We do have a completely different server (SQL Server) that the WEB Server uses to get/save client data, but as far as I can tell the SQL server was not compromised.

Now since I had to restore the snapshot in a rush or otherwise all our clients would be looking at a pretty error page, how can I find some conclusions as to the postmortem report, to answer some questions like:

How did this happen?
Did the attacker penetrate through port 80?
Was any information in the SQL Server compromised?

My laptop is infected with the Torproject ransomware virus in Win 10. How do I get rid of it? It has also wiped out my Restore Points.

Hello all,

In order to deal with all kinds of ransom viruses I think that the only solution could be snapshots. I have a couple of questions regarding this:

1. Is there any tool \ script \ software that enables PC encrypted snapshots that could not be encrypted by ransom encryption?
2. What is the best way to schedule snapshots of a VM (Hyper-V environment)?

We are searching for a solution for servers and workstations that we could restore from snapshot in minutes.

Best Regards,


Hi, our network was hacked last week with ransomware locking our server. In moving domain etc. after being able to recover from a back-up, my own machine ended up screwed and has now had a fresh install of Windows 10 Pro, however my screen popped up with the attached image, playing audio threatening to lock my PC again! Has anyone seen this?

Hi, unfortunately our server was hacked and all files encrypted using the mkgoro@india.com.wallet ransom. Thankfully we had a backup that almost saved the day.

Previous server was SBS2011 with Office 365 Exchange.

I have created a new server with server 2012 essentials, what should I do to protect from a further attack. I have not enabled VPN for the moment and have closed all ports on our router.

In order to tackle the above issue, I need to write up a report to the management for a short term and long term action plan.

The second thing that comes up in my mind is an intrusion prevention system which detects and stops any abnormal network activity.

Can deployment of intrusion prevention system help to block the spread of ransomware?

This is a new one for me... My client, who is computer illiterate, downloaded a file from FilesAnywhere that he had previously uploaded. He says that all of a sudden the desktop went haywire and his files were renamed with weird stuff (screen shot attached). I have never run into this before and I'm not sure what happened but it looks to me like his files got encrypted. This is the desktop... note the weird file names that were previously PowerPoint presentations and videos, etc.
There is a folder on his desktop called "Ultrasonic.Key" and I'm not sure what that is. Can anybody figure this out? Willing to pay for help! This is the ultrasonic.key folder, note the colors. Not sure what this is.
There have been no "ransomware" popups and the computer scans clean for viruses.