Dharma ransomware (filename.[<email>].dharma/.wallet/.zzzzz) Support Topic


1209 replies to this topic

#1 Haleice (Members, 4 posts)

Posted 16 November 2016 - 03:04 PM

You can download and use this decrypter that Kaspersky released if you were hit by the .dharma extension.

This ransomware mostly comes via RDP, so please disable it or secure it with a strong password. Backups, multiple backups, and testing them regularly are important.

 

 

 

Hi there,

Our exchange server and 4 of our office PCs appear to be infected with a ransomware. However, there are a number of other PCs that were connected to the network that aren't infected.

The ransomware only appears to affect the c:\users folder and below, encrypting the files and adding [bitcoin143@india.com].dharma to the end of each filename. From what I can see, there doesn't appear to be a ransom note anywhere that we can spot.

No antivirus or malware checkers that we have tried seem to spot it. The problem we have is that the PCs are still infected, and if you add new files to the user folders, when you reboot the PC they get infected. Other than that it doesn't seem to stop you using the PC.

I tried scanning the file on your website but it wasn't recognised. It gave me a reference SHA1: 1ad54bb7fd696316dece1eb4b536ba883657da02

Any help would be greatly appreciated.

Haleice


Edited by xXToffeeXx, 02 March 2017 - 04:19 PM.



 


#2 alpotero (Members, 3 posts)

Posted 16 November 2016 - 04:24 PM

Hi guys,

I got infected by a ransomware early in the morning when no one is using the machines on the network; only servers are up.

The extension appended to encrypted files is .[worm01@india.com].dharma

I can't see any ransomware note as well.

I have some encrypted files if you want samples.

I checked it on ID Ransomware but it's not yet identified... Do any of you have the same issue?

I suspect that our server was hacked...

Please help with any suggestions on what to do.

Thanks in advance.

Case SHA1 from ID Ransomware: 35ecaeb30834a05cdc61f777781531b73585b7e5


Edited by alpotero, 16 November 2016 - 04:26 PM.


#3 Demonslay335 (Ransomware Hunter, Security Colleague, 2,754 posts, USA)

Posted 16 November 2016 - 04:48 PM

I've had only one other submission with that extension, and a different email address (".[bitcoin143@india.com].dharma"). They also did not upload a ransom note, and it was submitted a few hours before yours. This may be something new, not finding any info on it. I don't see a pattern in the hex.

 

If you can find any samples of the malware, that would be needed for analysis.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 Demonslay335 (Ransomware Hunter, Security Colleague, 2,754 posts, USA)

Posted 16 November 2016 - 04:58 PM

@Haleice

 

We've merged your post, I only noticed it on the other topic after replying to this one.

 

If the malware is still running on startup, you should be able to find it easily with AutoRuns. Check the owner of the files, that should help you verify what workstation and profile is infected.

 

If you find the malware, please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Also, if you have pairs of files before/after the encryption we can use for comparing, you may submit those as well.


Edited by Demonslay335, 16 November 2016 - 05:01 PM.

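The owner check suggested in the post above, as an added PowerShell example that is not from the thread or from any of the tools it mentions: it walks the profile folders, picks out files whose name ends in the Dharma pattern (name.ext.[email].dharma, with .wallet and .zzzzz added for the later variants named in the topic title), and groups them by NTFS owner together with the time window in which they were written. The account that owns the encrypted files is the one the encrypter ran as, which is what you need before looking at that profile's autostart entries. The profile root C:\Users, the extension list and the CSV output path are assumptions; run it elevated so every profile is readable.

```powershell
# Added example (not from the thread): inventory Dharma-renamed files under the
# user profiles and group them by NTFS owner, i.e. the account the encrypter ran as.
# Assumptions: profiles live under C:\Users, extensions are .dharma/.wallet/.zzzzz.
param(
    [string]$Root = 'C:\Users',
    [string[]]$Extensions = @('dharma', 'wallet', 'zzzzz')
)

# Match "<anything>.[<email>].<ext>" at the end of the file name.
$extGroup = ($Extensions | ForEach-Object { [regex]::Escape($_) }) -join '|'
$pattern  = "\.\[[^\]]+@[^\]]+\]\.($extGroup)$"

$hits = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        # Get-Acl can fail on paths we cannot read; record that instead of aborting.
        $owner = '<unreadable>'
        try { $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner } catch { }
        [pscustomobject]@{
            Owner        = $owner
            Path         = $_.FullName
            LastWriteUtc = $_.LastWriteTimeUtc
        }
    }

if (-not $hits) { Write-Host "No files matching $pattern under $Root"; return }

# One row per owner: how many files, and the window in which they were written.
# A tight window for one owner points at the profile the encrypter ran under.
$hits | Group-Object Owner | Sort-Object Count -Descending | ForEach-Object {
    $times = @($_.Group.LastWriteUtc | Sort-Object)
    [pscustomobject]@{
        Owner    = $_.Name
        Files    = $_.Count
        FirstUtc = $times[0]
        LastUtc  = $times[-1]
    }
} | Format-Table -AutoSize

# Keep the full inventory for the incident record (output path is an assumption).
$csv = Join-Path $env:TEMP 'dharma-encrypted-files.csv'
$hits | Export-Csv -NoTypeInformation -Path $csv
Write-Host "Inventory written to $csv"
```

Save it as a .ps1 and run it once per affected machine; the CSV is also the list of files to preserve when imaging the drive, as recommended later in the thread.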


#5 Demonslay335 (Ransomware Hunter, Security Colleague, 2,754 posts, USA)

Posted 16 November 2016 - 05:06 PM

We believe this may be a variant of CrySiS based on some hex patterns at the footer of the files. CrySiS recently had keys released. Can you both try the decrypter released by Kaspersky? If it fails to try the files, try renaming a file to one of the known types for the decrypter.

 

http://www.bleepingcomputer.com/forums/t/607680/crysis-extensionid-numberemailxtblcrysis-ransomware-support-topic/


Edited by Demonslay335, 16 November 2016 - 05:07 PM.



#6 Haleice (Topic Starter, Members, 4 posts)

Posted 16 November 2016 - 05:12 PM

Hi Demonslay335,

 

I'm not able to check the AutoRuns until tomorrow morning as I'm not able to access the PC/server remotely. I should be able to get the file pairs though.

 

Do you want them submitting to the link you posted above?

 

It'll be a couple of hours though before I can get them.

 

Thanks again.



#7 Demonslay335 (Ransomware Hunter, Security Colleague, 2,754 posts, USA)

Posted 16 November 2016 - 05:23 PM

Yes, if you could zip them all together that would help. This may be a new variant based on CrySiS with different keys than those released.




#8 alpotero (Members, 3 posts)

Posted 16 November 2016 - 05:24 PM

FYI... I got infected by a different ransomware using the .lock extension.

I wasn't yet finished restoring the files when the .dharma ransomware infected us.

I noticed that it also encrypts the .lock files.

After the first ransomware infection, the file name is sample_file.xls.id-{8 char}.{funa@india.com}.lock

After the 2nd ransomware infection, the file name is now sample_file.xls.id-{8 char}.{funa@india.com}.lock.[worm01@india.com].dharma

I think it's also acting like Stampado, encrypting encrypted files.

I'll look for the malicious auto-starting files and I'll send them once I've found one.



#9 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor, 5,933 posts, The Arctic Circle)

Posted 16 November 2016 - 05:47 PM

If you were hit with this, please check whether you have RDP enabled and, if so, either disable it or put a secure password on it. You can check the Event Viewer logs to see if anyone has used RDP.

 

xXToffeeXx~


~If I am helping you and you have not had a reply from me in two days, please send me a PM~

~Currently in my last year of school, so replies might be more delayed~

ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~
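The Event Viewer check for RDP use described in the post above, as an added PowerShell example that is not from the thread: it reads Security event 4624 and keeps only LogonType 10 (RemoteInteractive, i.e. RDP), and separately reads event 1149 from the TerminalServices-RemoteConnectionManager operational log, which the RDP listener writes on successful authentication even when Security auditing is off. Each logon is listed with the account and source address, and anything from outside an internal address range is printed again for review. The 14-day window and the internal ranges are assumptions; the script must run elevated on the machine that was reached over RDP.

```powershell
# Added example (not from the thread): list remote-desktop logons on this host.
# Sources: Security/4624 with LogonType 10, and TerminalServices
# RemoteConnectionManager/Operational 1149 ("User authentication succeeded").
# Assumptions: 14-day lookback, internal ranges as in $internal below.
param([int]$Days = 14)
$since = (Get-Date).AddDays(-$Days)
$rows  = New-Object System.Collections.Generic.List[object]

# --- Security / 4624: needs logon auditing and an elevated shell -------------
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -eq '10') {            # 10 = RemoteInteractive (RDP)
            $rows.Add([pscustomobject]@{
                Time     = $_.TimeCreated
                Account  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                SourceIp = $d['IpAddress']
                Source   = 'Security/4624'
            })
        }
    }

# --- RemoteConnectionManager / 1149: written by the RDP listener itself ------
$rcmLog = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $rcmLog; Id = 1149; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = ([xml]$_.ToXml()).Event.UserData.EventXML
        $rows.Add([pscustomobject]@{
            Time     = $_.TimeCreated
            Account  = "$($p.Param2)\$($p.Param1)"   # Param1 = user, Param2 = domain
            SourceIp = $p.Param3                    # Param3 = source network address
            Source   = 'RCM/1149'
        })
    }

Write-Host "RDP logons in the last $Days days:"
$rows | Sort-Object Time | Format-Table -AutoSize

# Logons that did not come from an expected internal address deserve a closer
# look. The ranges below are an assumption; replace them with your own.
$internal = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|LOCAL$)'
Write-Host "`nRDP logons from outside the expected internal ranges:"
$rows | Where-Object { $_.SourceIp -and $_.SourceIp -notmatch $internal } |
    Sort-Object Time | Format-Table -AutoSize
```

If the Security log shows nothing but 1149 does, logon auditing was off; if both are empty for the window but the files were encrypted in that window, the logs may have been cleared, which is itself worth noting in the incident record.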


#10 Berserkir-Wolf (Members, 2 posts, New Zealand)

Posted 16 November 2016 - 06:15 PM

Just found a site with the same error. The file that ran the encryption appears to name itself 'skanda.exe'. The files also show the extension ".[bitcoin143@india.com].dharma", much like Demonslay335 is seeing.

The Kaspersky decrypter tool does not work - it throws an "unsupported file type" error even if I change the extension.

The user that the application ran as has had a folder created called "opFirlma", which had a 'plink.exe' application in it. I assume that's how they did the rewrite.

Unlike Demonslay335, this one does have a ransom note. It is a README.txt file that was in the startup folder of the user that was used to run the exploit, and I cannot yet see why this user got it.

The file states simply:

ATTENTION!
At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:
bitcoin143@india.com



#11 alpotero (Members, 3 posts)

Posted 16 November 2016 - 06:41 PM

I found a malicious worm.exe on the Desktop of a terminal server user, and my AV did detect it...

It resides on the terminal server... I noticed that it resides in one terminal server account profile, and that profile's files are encrypted with .[worm01@india.com].dharma

Once we are up and good to go, I'll try to extract it from the AV's quarantine and will give a copy to you guys.

Regards,



#12 Haleice (Topic Starter, Members, 4 posts)

Posted 16 November 2016 - 08:48 PM

I have uploaded a zip file containing 4 files, 2 encrypted and 2 re-downloaded from my email.

 

I tried the RakhniDecrypter.EXE and renamed a file to fit the format so it could scan it, but it couldn't recover the password.

 

If it is a variant of CrySiS, is it likely that it will be cracked in the near future, or should I just cut my losses and rebuild the server and PCs?



#13 Demonslay335 (Ransomware Hunter, Security Colleague, 2,754 posts, USA)

Posted 16 November 2016 - 09:09 PM

@Berserkir-Wolf

Do you have a sample of the malware? Could you share it to the link I provided?

@Haleice

We don't really know at this point. Keys were released by who we assume was the developer of CrySiS, but we don't know how spread the variants were and if it was modified or anything. I would assume it is a loss at this point until further information is found. If you have backups (which everyone should), you should restore from them. It's always worth a shot running ShadowExplorer and Recuva, some victims of ransomware get lucky.




#14 Demonslay335 (Ransomware Hunter, Security Colleague, 2,754 posts, USA)

Posted 17 November 2016 - 09:59 AM

@Berserkir-Wolf

 

Thanks, we received the sample and confirmed it is the encrypter. We're taking a look at it to see whether it is a variant off of CrySiS or something new.




#15 quietman7 (Bleepin' Janitor, Global Moderator, 48,060 posts, Virginia, USA)

Posted 17 November 2016 - 08:04 PM

...if it is a variant of CrySiS, is it likely that it will be cracked in the near future, or should I just cut my losses and rebuild the server and PCs?

Regardless of what ransomware it is, you should create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system (and all encrypted data) in the event that a free decryption solution is developed. In some cases, there may be decryption tools available but there is no guarantee they will work properly since the malware writers keep releasing new variants in order to defeat the efforts of security researchers.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, they do not always work correctly so keeping a backup of the original encrypted files and related information is a good practice.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.



