Dharma ransomware (filename.[<email>].dharma/.wallet/.zzzzz) Support Topic


1463 replies to this topic

#376 mjcollins45

mjcollins45

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:02:17 AM

Posted 16 January 2017 - 12:00 PM

Hi,

I was attacked with the same.

Some files look like this:

test.csv.opentoyou@india.com.crypt.[makedonskiy@india.com].wallet

Some look like this:

abc.rtf.opentoyou@india.com.crypt

Does this mean that I was hit 2 times with 2 different ransomware???????

Based on our experience I don't think you got hit twice. In our case we got hit with DMA and files changed to .crypto; on the second attack our files changed to look like yours.





#377 Baumtec

Baumtec

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 17 January 2017 - 10:57 AM

Hi, I had the problem too, all my files were encrypted, .wallet extension.
Waiting for a solution, the tool Rakhni Decryptor doesn't work.

 

Thank you!!


Edited by Baumtec, 17 January 2017 - 11:42 AM.


#378 ShaneK

ShaneK

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 18 January 2017 - 01:57 PM

So I have a client who got [injury@india.com].wallet. I restored from backup but there's a SQL database file that I'd still like to recover if possible. So I was messing around with it and I changed the file name and extension back to how it was, for instance blahblahblah.mdf. Then I opened it in Notepad just to see what it looked like and the weird thing is, I can read a lot of it. Obviously the format is crazy and it makes no sense but a lot of it is English readable words. 

 

Is this something worth exploring? Or is the encryption working differently than I would have expected? I assumed I'd see nothing but gibberish and the entire file would be unreadable. Thoughts?



#379 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 48,469 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:17 AM

Posted 18 January 2017 - 02:04 PM

Anything which can help recover even partial files is worth exploring rather than paying ransom demands.

Not all these malware developers are as sophisticated as everyone thinks. They make mistakes and sometimes flaws are found in their encryption methods.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#380 kitter

kitter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 18 January 2017 - 06:02 PM

So I have a client who got [injury@india.com].wallet. I restored from backup but there's a SQL database file that I'd still like to recover if possible. So I was messing around with it and I changed the file name and extension back to how it was, for instance blahblahblah.mdf. Then I opened it in Notepad just to see what it looked like and the weird thing is, I can read a lot of it. Obviously the format is crazy and it makes no sense but a lot of it is English readable words. 

 

Is this something worth exploring? Or is the encryption working differently than I would have expected? I assumed I'd see nothing but gibberish and the entire file would be unreadable. Thoughts?

 

As someone has mentioned here quite a long time ago already, the ransomware entirely encrypts only small files (4KB maybe), and for big files (e.g. 200MB) it encrypts just a few KBs at the beginning and at the end of the file and (probably) leaves the rest of the file untouched. I confirmed it on my infected server and it is true.

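The partial-encryption pattern described above (both ends of a large file overwritten, the middle left alone) can be triaged with a per-region entropy check before anyone spends money on a repair tool. The code below is an added example, not from this thread or any vendor: the 4 KB region size is an assumption standing in for the "few KBs" the posts report, and the sample file is constructed inline (random bytes for the encrypted ends, repeated SQL text for an intact MDF middle).

```python
import math
import random
from collections import Counter

# Assumption: size of the encrypted region at each end of a large file.
# The thread only says "a few KBs", so treat this as tunable, not as fact.
REGION = 4096


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; ciphertext or random data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def region_entropy(blob: bytes, region: int = REGION) -> dict:
    """Entropy of the head, middle and tail of a file image."""
    n = len(blob)
    if n <= 2 * region:  # small file: no middle region exists
        return {"head": shannon_entropy(blob), "middle": 0.0, "tail": 0.0}
    return {
        "head": shannon_entropy(blob[:region]),
        "middle": shannon_entropy(blob[region:n - region]),
        "tail": shannon_entropy(blob[n - region:]),
    }


def classify(blob: bytes, region: int = REGION,
             high: float = 7.0, low: float = 6.0) -> str:
    """Heuristic triage: 'middle-intact' means carving may still pay off."""
    e = region_entropy(blob, region)
    if len(blob) <= 2 * region:
        return "fully-encrypted" if e["head"] >= high else "plaintext"
    if e["head"] >= high and e["tail"] >= high:
        return "middle-intact" if e["middle"] <= low else "fully-encrypted"
    return "plaintext"


def carve_middle(blob: bytes, region: int = REGION) -> bytes:
    """Bytes outside the two overwritten regions, for hand-off to a repair tool."""
    return blob[region:len(blob) - region] if len(blob) > 2 * region else b""


# Constructed sample data (not a real Dharma artefact).
_rng = random.Random(1)
CIPHER_REGION = bytes(_rng.getrandbits(8) for _ in range(REGION))
SQL_TEXT = b"CREATE TABLE Customers (Id INT, Name VARCHAR(64));\n" * 400
SAMPLE_LARGE = CIPHER_REGION + SQL_TEXT + CIPHER_REGION  # ends hit, middle intact
SAMPLE_SMALL = CIPHER_REGION[:2000]                       # small file, all ciphertext
```

Run `classify()` over an image of the suspect .mdf and, if it reports `middle-intact`, `carve_middle()` gives the region worth feeding to a database repair tool; the cutoff values are starting points to tune against known-good files.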


#381 foxpro

foxpro

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:17 AM

Posted 19 January 2017 - 08:34 AM

So I have a client who got [injury@india.com].wallet. I restored from backup but there's a SQL database file that I'd still like to recover if possible. So I was messing around with it and I changed the file name and extension back to how it was, for instance blahblahblah.mdf. Then I opened it in Notepad just to see what it looked like and the weird thing is, I can read a lot of it. Obviously the format is crazy and it makes no sense but a lot of it is English readable words. 

 

Is this something worth exploring? Or is the encryption working differently than I would have expected? I assumed I'd see nothing but gibberish and the entire file would be unreadable. Thoughts?

I have registered to contribute a bit to this.....

Seems like SQL databases have a solution. Also, a client computer with the .wallet extension and many SQL databases was recovered with SQL Repair Tool, http://www.sqlrepairtool.org/ . You can download it for free and take a test drive to see if you can actually see the records, but to recover the records you have to pay them. I think that the basic fee is $129, which is much less than taking a chance with a ransom. You may have lost some of the records, but still, if it is a fairly big database, most of it is there to be restored.

The thing I am saying is certain, and someone above (previous pages) already mentioned that files are changed at the beginning and at the end, so in the middle there is still valuable data which can be restored. If you think reasonably, the virus does not have so much time to encrypt whole files; we are talking about up to 1 TB of files on the servers, and the virus does not have the brains to choose which files are important and which are not in order to skip them. So the virus encrypts everything but must choose which part of the file to encrypt, in this case the beginning and the end of the file.



#382 outrageous

outrageous

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:17 AM

Posted 20 January 2017 - 07:42 AM

Downloaded and purchased SQL Repair Tool.

I wanted to decrypt an MDF file (500MB).

It did actually work.

But the database seems to be damaged or missing parts.

We are now having trouble restoring it to the SQL server.

Can anyone help?



#383 ShaneK

ShaneK

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:04:17 AM

Posted 20 January 2017 - 08:32 AM

Downloaded and purchased SQL Repair Tool.

I wanted to decrypt an MDF file (500MB).

It did actually work.

But the database seems to be damaged or missing parts.

We are now having trouble restoring it to the SQL server.

Can anyone help?

That's consistent with what I saw too. It doesn't encrypt the whole file, but it encrypts enough to break it. The recovery tool finds what it can, but it doesn't decrypt the file. I'm trying to find my next step too. I contacted the vendor and I'm hoping some database expert of theirs can extract enough usable data. 



#384 BWTechUK

BWTechUK

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bristol, UK
  • Local time:10:17 AM

Posted 20 January 2017 - 08:48 AM

Hello All!

 

I've recently had a client infected with the .wallet encryption. It's literally wiped everything including backups and everything!

 

I'm waiting for something magical to appear online before I attempt to do anything with the files, however, that's not the real reason for me posting today. I've been struggling to work out how they've gained access to our network as everything was quite secure, or so I thought.

 

Turns out the workstation that executed the encryption has something a little odd on it. I shall start at the beginning so I don't miss anything that could be of some use to others!

 

We utilise Sophos AV, and this didn't pick anything up in real-time. I was on a call today with Sophos Support as they were very interested in how it managed to get past the Real-Time protection. They potentially found a backup file that could have been on us, but sadly it was also encrypted once expanded (.vhd file hidden from view). Whilst typing the network address of the backup NAS device, I noticed a few random computer names that were locally available on our network. I could ping them, but they weren't within our actual network. I even unplugged the WIFI access point to double check!

 

Turns out that when the attack happened they managed to install a soft VPN client hidden completely from view except in network adaptors. Even then it was renamed so that, to the untrained eye, you'd totally ignore it! I've managed to locate the 'config' for the VPN, but it connects on start-up and gives this little VPN network a lot of access to the machine/network. I've taken a number of screenshots of the config and anything I can see relevant to it. I can't see anything VNC related installed on the PC to give them access, but I am aware that this could potentially be quite well hidden from normal view.

 

Do you think they could have encrypted our server across a mapped network drive using this, as I can't see any event log things on our server to suggest something actually ran on it?

 

Available on PM if anyone has questions or wants screenshots!

 

Thanks

 

Jordan - BWTechUK



#385 DiegoVe

DiegoVe

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 20 January 2017 - 08:50 AM

Best regards, I'm having exactly same problem due to [mr_lock@mail.com].dharma Ransomware, I'd like to share a bit of what I've done

 

-> Tried to recover MDF files with SQL Repair Tool and it indeed recovers records from the database, just purchased the license to make the full restoration and see how much more I can recover

 

-> If anyone has had the problem on a system with SQL Server, there's something that may be valuable to observe: since the SQL Server process write-locks the MDF and LDF files, the virus can't affect them as long as the system doesn't restart. So, if someone has been infected with this virus, turn the system off and boot from Hiren's Boot CD or another live CD and try to get the undamaged MDF and LDF files from the hard disk (unfortunately I realized that after I restarted the system; then I saw that the modification date/time of these files was after the system restart).

 

Please, if someone else has more information that can help us tackle this tragedy, it will be of great value.

 

Thanks in advance!



#386 outrageous

outrageous

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:11:17 AM

Posted 20 January 2017 - 11:04 AM

Let us know when you try to recover.

In my case we did edit some tables and scripts from the .MDF file and it actually looks pretty good; we managed to attach it to the SQL server and it seems to be working.

But indeed the SQL tool didn't decrypt the .mdf file entirely; but if you are lucky you can find the error and get it done.



#387 Baumtec

Baumtec

  • Members
  • 2 posts
  • OFFLINE
  •  

Posted 20 January 2017 - 11:11 AM

Hi, I received a new RakhniDecryptor tool from the Kaspersky Support Team and had success restoring my files...

ftp://decrypt_tools_ro:yMyMr6f746k11@data14.kaspersky-labs.com/RakhniDecryptor/1.17.14.1/RakhniDecryptor.rar

Good luck!!



#388 DiegoVe

DiegoVe

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 20 January 2017 - 11:21 AM

Let us know when you try to recover.

In my case we did edit some tables and scripts from the .MDF file and it actually looks pretty good; we managed to attach it to the SQL server and it seems to be working.

But indeed the SQL tool didn't decrypt the .mdf file entirely; but if you are lucky you can find the error and get it done.

 

Best regards

 

I'm currently running the recovery process; it's taking too long because the MDF file is almost 2GB, but it has recovered several tables with data. I'll let you know more later.



#389 DiegoVe

DiegoVe

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:17 AM

Posted 20 January 2017 - 11:23 AM

Hi, I received a new RakhniDecryptor tool from the Kaspersky Support Team and had success restoring my files...

ftp://decrypt_tools_ro:yMyMr6f746k11@data14.kaspersky-labs.com/RakhniDecryptor/1.17.14.1/RakhniDecryptor.rar

Good luck!!

 

Best regards, thanks for the information

 

Which file extension did you have?

 

Thanks in advance!



#390 BWTechUK

BWTechUK

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bristol, UK
  • Local time:10:17 AM

Posted 20 January 2017 - 11:23 AM

Hi, I received a new RakhniDecryptor tool from the Kaspersky Support Team and had success restoring my files...

ftp://decrypt_tools_ro:yMyMr6f746k11@data14.kaspersky-labs.com/RakhniDecryptor/1.17.14.1/RakhniDecryptor.rar

Good luck!!

What extension were your files locked with? *.wallet?

Edited by BWTechUK, 20 January 2017 - 11:24 AM.
