Crysis (.<extension>.<id-number>.<email>.CrySiS/.xtbl) Ransomware Support Topic


689 replies to this topic

#676 quietman7 (Bleepin' Janitor, Global Moderator, 52,067 posts, Virginia, USA)

Posted 09 December 2017 - 11:23 AM

Unfortunately, there is no known method to decrypt files encrypted by the .java variant of Dharma without paying the ransom. If possible, your best option is to restore from backups, try native Windows Previous Versions or programs like Shadow Explorer and ShadowCopyView (if the malware did not delete all shadow copy snapshots, as it typically does), or try file recovery software. If that is not a viable option, the only other alternative is to backup/save your encrypted data as is and wait for a possible breakthrough... meaning that while decryption of your data seems like an impossibility at the moment, there is always hope that someday there may be a solution.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.


#677 none00 (Members, 3 posts)

Posted 09 December 2017 - 03:31 PM

Thanks for your reply.



#678 quietman7 (Bleepin' Janitor, Global Moderator, 52,067 posts, Virginia, USA)

Posted 09 December 2017 - 04:20 PM

You're welcome.

#679 dannywilson095 (Members, 1 post)

Posted 09 December 2017 - 06:17 PM

Got these guys to decrypt 3 files for me through email. I have the original and encrypted versions. I even took time to put a file on the PC that was infected and reboot so it would infect a file about 3 gigs in size; that way, if a BTCWare decryptor comes out, maybe we can decrypt the smaller files. .id-383CA5CC.[C2H5OH@cock.li].arena. Feel free to post if anyone pays this crazy high ransom. They wanted about 6800 dollars.



#680 none00 (Members, 3 posts)

Posted 12 December 2017 - 03:00 AM

Hello

Just to say that PhotoRec does a good job of recovering files.

#681 ahmerr3 (Members, 2 posts)

Posted 18 December 2017 - 12:28 PM

Hi. We have just been hit by the .arena ransomware; all of our important files have been encrypted. We are a small business, we do not have IT, and we did not keep a backup, which was, agreed, very foolish of us. However, we got a note like the one given above:

"all you data has been locked us.
you want to return ?
email Macgregor@aolonline.top"

Please Please Please if anyone has a solution please help me!



#682 quietman7 (Bleepin' Janitor, Global Moderator, 52,067 posts, Virginia, USA)

Posted 18 December 2017 - 06:22 PM

@ ahmerr3

I already replied to your question here.

#683 rex67 (Members, 2 posts)

Posted 04 January 2018 - 03:53 AM

.lnk.id-B252B84D.[stopstorage@qq.com].java

Our SQL files have been locked with this extension. Is there any help?



#684 quietman7 (Bleepin' Janitor, Global Moderator, 52,067 posts, Virginia, USA)

Posted 04 January 2018 - 06:11 AM

@ rex67

I replied to you in the Dharma Support Topic... there is nothing we can do at this time to help with the .java variant.

#685 mobilediscos (Members, 1 post)

Posted 04 January 2018 - 06:41 AM

Wow, 10 bitcoin - that's US $140k - Johnny Cryptor must be laughing all the way to the bank.

Workup@india.com - these guys take the money and run. They do not reply after payment; they just disappear.



#686 quietman7 (Bleepin' Janitor, Global Moderator, 52,067 posts, Virginia, USA)

Posted 04 January 2018 - 07:38 AM

In some cases victims may actually be dealing with scam ransomware where the malware writers have no intention or capability of decrypting files after the ransom is paid.

#687 StaleMartyr (Members, 1 post)

Posted 28 April 2018 - 12:20 AM

For those who are affected by the .java ransomware and want to recover their SQL databases (.mdf), you can use Kernel for SQL Recovery. Just change the .java extension to .mdf.

Unfortunately, Office files recovered by file recovery software are also encrypted.

https://www.kerneldatarecovery.com/sql-recovery.html



#688 thedee (Members, 2 posts)

Posted 06 August 2018 - 08:34 AM

I have been hit with this virus. My files are in this form:

test.txt.id-3A729960.[olivias3vzjscott@aol.com].bip

There is a FILES ENCRYPTED.txt that was added that says:

all your data has been locked us
You want to return?
write email olivias3vzjscott@aol.com or laurenlyfxecarter@aol.com

Are there any decryption methods for this one?

I believe the bad exe that is on my PC that caused this is called "SHAOFAO.EXE", and I think I was infected by them using my Remote Desktop.

Edited by thedee, 06 August 2018 - 10:08 AM.


#689 Amigo-A (Members, 623 posts, "3st station from Sun")

Posted 06 August 2018 - 08:56 PM

Crysis has been transformed into Dharma and has been developed as part of this ransomware campaign since November 2016.

The topic for support requests is in this same section.

Edited by Amigo-A, 06 August 2018 - 08:58 PM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (in Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#690 quietman7 (Bleepin' Janitor, Global Moderator, 52,067 posts, Virginia, USA)

Posted 07 August 2018 - 07:21 AM

Quoting thedee:
    I have been hit with this virus. My files are in this form:
    test.txt.id-3A729960.[olivias3vzjscott@aol.com].bip

Dharma Ransomware is a Trojan and a newer variant of CrySiS Ransomware, distributed as malicious attachments in spam emails and disguised as installation files for legitimate software, as explained here. Newer variants were reported to be involved in a campaign which used RDP brute force attacks to compromise the victim's system, as explained here and here.

PROPAGATION MECHANISM
No mechanism has been detected allowing the propagation of this harmful code to other devices; it does not exploit vulnerabilities in remote systems or attack the credentials of other devices/services. The malware behaves basically like a Trojan-ransomware, meaning human intervention is necessary for the activation of its malicious code (manual execution)... it has been determined that the initial infection vector for distributing this type of malware is usually RDP (Remote Desktop Protocol).

Ransomware from the Crysis/Dharma family Report

Our crypto malware experts who analyze these infections suspect another cyber criminal forked the code and generated their own keys, which were not part of the leaked master decryption keys for the original CrySiS variants. From what I understand, Dharma will entirely encrypt small files and encrypts a few KBs at the beginning and at the end of larger files.

Only the .dharma, .wallet and .onion variants of Dharma (CrySiS) are decryptable. The master keys for .dharma and the master keys for .wallet and .onion variants were released on BleepingComputer.com in the same manner as the original CrySiS Ransomware keys were released (most likely by one of the developers) back on 11/14/16. Release of the keys for these variants allowed Kaspersky, ESET and Avast to create decrypter tools.

Unfortunately, there is no known method to decrypt files encrypted by the .zzzzz, .cezar, .cesar, .arena, .cobra, .java, .write, .arrow, .bip or .combo variants of Dharma (CrySiS) without paying the ransom and obtaining the private RSA keys from the criminals. If possible, your best option is to restore from backups, try file recovery software, or backup/save your encrypted data as is and wait for a possible solution at a later time. Ignore all Google searches which provide links to bogus and untrustworthy removal/decryption guides.
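The triage that quietman7's post above describes by hand (reading the variant extension, victim ID and contact address out of the renamed files, then checking whether that variant is one whose master keys were released, and noting that large files are only encrypted at the head and tail) can be scripted. The following is an added example written for this page; it is not code from the thread, from BleepingComputer or from any decrypter project. It assumes the filename layout shown in the posts (`<name>.id-<8 hex>.[<email>].<ext>`), takes its decryptable/not-decryptable extension lists from post #690 as they stood in August 2018, and uses a 4 KiB window for the head/tail entropy check, which is an assumption since the post only says "a few KBs". The sample listing and the sample large file are constructed for the example.

```python
import math
import random
import re
from collections import Counter

# Filename layout seen in this thread: <original name>.id-<8 hex chars>.[<email>].<variant ext>
DHARMA_NAME = re.compile(
    r"^(?P<orig>.*?)\.id-(?P<id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Variant lists as stated in post #690 (status as of August 2018; not maintained here).
DECRYPTABLE = {"dharma", "wallet", "onion"}
NO_KNOWN_DECRYPTION = {"zzzzz", "cezar", "cesar", "arena", "cobra",
                       "java", "write", "arrow", "bip", "combo"}


def parse_name(name):
    """Split a Dharma-style filename into its parts, or return None if it does not match."""
    m = DHARMA_NAME.match(name)
    if m is None:
        return None
    parts = m.groupdict()
    parts["ext"] = parts["ext"].lower()
    # Post #679 shows a name starting directly with ".id-": the original name is unknown.
    parts["orig"] = parts["orig"] or "<unknown>"
    return parts


def variant_status(ext):
    """Map a variant extension to the decryptability stated in the thread."""
    ext = ext.lower()
    if ext in DECRYPTABLE:
        return "decryptable: master keys released"
    if ext in NO_KNOWN_DECRYPTION:
        return "no known decryption without the attacker's private RSA key"
    return "not listed in this thread"


def triage(names):
    """Group a directory listing by (victim id, contact email, extension) and attach the status."""
    groups = {}
    for name in names:
        parts = parse_name(name)
        if parts is None:
            continue  # untouched file, ransom note, or another family's naming scheme
        key = (parts["id"], parts["email"], parts["ext"])
        groups.setdefault(key, []).append(parts["orig"])
    return {key: {"files": files, "status": variant_status(key[2])}
            for key, files in groups.items()}


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def region_entropy(data, window=4096):
    """Entropy of the head, middle and tail windows of a file's bytes.

    The 4 KiB window is an assumption for this example. A high-entropy head and
    tail around a low-entropy middle is what a large file looks like when only
    its beginning and end were overwritten, which is what post #690 describes;
    a file that is all high entropy was encrypted end to end.
    """
    if len(data) <= 2 * window:
        return {"head": shannon_entropy(data), "middle": None, "tail": None}
    mid = len(data) // 2
    return {
        "head": shannon_entropy(data[:window]),
        "middle": shannon_entropy(data[mid - window // 2: mid + window // 2]),
        "tail": shannon_entropy(data[-window:]),
    }


# Constructed sample listing, modelled on names posted in this thread.
SAMPLE_LISTING = [
    "test.txt.id-3A729960.[olivias3vzjscott@aol.com].bip",
    "report.xlsx.id-3A729960.[olivias3vzjscott@aol.com].bip",
    "accounts.mdf.id-B252B84D.[stopstorage@qq.com].java",
    "photo.jpg.id-11223344.[example@example.invalid].wallet",
    "FILES ENCRYPTED.txt",
]

# Constructed stand-in for a large, partially encrypted file: pseudo-random head and
# tail around repetitive SQL-like text. A seeded generator keeps it deterministic.
_rng = random.Random(1)
SAMPLE_LARGE_FILE = (
    _rng.randbytes(4096)
    + b"INSERT INTO orders VALUES (1, 'pending');\n" * 2000
    + _rng.randbytes(4096)
)

if __name__ == "__main__":
    for key, info in triage(SAMPLE_LISTING).items():
        print(key, info)
    print(region_entropy(SAMPLE_LARGE_FILE))
```

Run it over a real listing (for example the output of `os.listdir` on an affected share) to get one line per victim ID and contact address, which is what the moderators here ask for when a victim reports a new variant; the entropy check is a quick way to tell whether a large database or archive still carries intact data in the middle that a carving tool such as PhotoRec might salvage.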
