I have been hit with this virus. My files are in this form:

Dharma is a Trojan and a newer variant of CrySiS Ransomware, distributed as malicious attachments in spam emails and disguised as installation files for legitimate software, as explained here. Newer variants were reported to be involved in a campaign which used RDP brute force attacks to compromise the victim's system, as explained here:

Ransomware from the Crysis/Dharma family Report
No mechanism has been detected allowing the propagation of this harmful code to other devices; it does not exploit vulnerabilities in remote systems or attack the credentials of other devices/services. The malware behaves basically like a Trojan-ransomware, meaning human intervention is necessary for the activation of its malicious code (manual execution)... it has been determined that the initial infection vector for distributing this type of malware is usually RDP (Remote Desktop Protocol).

Our crypto malware experts who analyze these infections suspect another cyber criminal forked the code and generated their own keys which were not part of the leaked master decryption keys for the original CrySiS variants. From what I understand, Dharma will entirely encrypt small files and encrypts a few KBs at the beginning and at the end of larger files.

Only the .dharma, .wallet and .onion variants of Dharma (CrySiS) are decryptable. The master keys for .dharma and the master keys for .wallet and .onion variants were released on BleepingComputer.com in the same manner as the original CrySiS Ransomware keys were released (most likely by one of the developers) back on 11/14/16. Release of the keys for these variants allowed Kaspersky, ESET and Avast to create decrypter tools.

Unfortunately, there is no known method to decrypt files encrypted by the .zzzzz variants of Dharma without paying the ransom and obtaining the private RSA keys from the criminals. If possible, your best option is to restore from backups, try file recovery software, or backup/save your encrypted data as is and wait for a possible solution at a later time. Ignore all Google searches which provide links to bogus and untrustworthy removal/decryption guides.
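The reply above notes that Dharma encrypts small files entirely but only touches a few KB at the start and end of larger files. As an added example, not part of the post and not code from any vendor decrypter, the following Python triage script measures Shannon entropy separately over the head, middle and tail of a file to tell those two patterns apart from untouched data. The 4 KB segment size and the 7.0 bits-per-byte threshold are assumptions made here (the post only says "a few KBs"), and the sample files are constructed inline so the script runs offline.

```python
import math
import random
from collections import Counter

# Assumed segment size: the post only says "a few KBs" at the start and end of large files.
CHUNK = 4096
# Assumed threshold: ciphertext and random data sit close to 8.0 bits/byte; text sits far below.
HIGH_ENTROPY = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def segment_entropies(data: bytes, chunk: int = CHUNK) -> dict:
    """Entropy of the first `chunk` bytes, the middle region, and the last `chunk` bytes.

    Files no larger than two chunks are treated as a single segment, matching the
    post's statement that small files are encrypted in full.
    """
    if len(data) <= 2 * chunk:
        e = shannon_entropy(data)
        return {"head": e, "middle": e, "tail": e}
    return {
        "head": shannon_entropy(data[:chunk]),
        "middle": shannon_entropy(data[chunk:-chunk]),
        "tail": shannon_entropy(data[-chunk:]),
    }


def classify(data: bytes, chunk: int = CHUNK, threshold: float = HIGH_ENTROPY) -> str:
    """Label the entropy pattern: 'all-high-entropy', 'head-tail-high-entropy' or 'low-entropy'."""
    seg = segment_entropies(data, chunk)
    high = {name: value >= threshold for name, value in seg.items()}
    if all(high.values()):
        return "all-high-entropy"
    if high["head"] and high["tail"] and not high["middle"]:
        return "head-tail-high-entropy"
    return "low-entropy"


def triage(files: dict) -> dict:
    """Map each file name to its classification, for a quick pass over a recovered directory."""
    return {name: classify(content) for name, content in files.items()}


def make_samples(seed: int = 1) -> dict:
    """Constructed sample files (not real victim data): plain text, a small fully
    random file standing in for ciphertext, and a large text file with random
    bytes replacing its first and last CHUNK bytes."""
    rng = random.Random(seed)
    plain_text = b"quarterly report: revenue, costs, headcount\n" * 2000  # ~86 KB of text
    small_encrypted = rng.randbytes(1024)
    large_partial = rng.randbytes(CHUNK) + plain_text + rng.randbytes(CHUNK)
    return {
        "report.txt": plain_text,
        "note.txt.encrypted": small_encrypted,
        "archive.bin.encrypted": large_partial,
    }


if __name__ == "__main__":
    for name, label in triage(make_samples()).items():
        print(f"{name:24s} {label}")
```

High entropy is a triage signal, not proof of encryption: compressed or already-encrypted formats (ZIP, JPEG, PDF streams) score high throughout, so an "all-high-entropy" label on such files is expected. The "head-tail-high-entropy" pattern is the one worth noting for large documents, since the untouched middle region may still be carvable by file recovery tools even though the header is gone.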