Dharma ransomware (filename.[<email>].wallet/.bip/.cmb/.arena) Support Topic


2152 replies to this topic

#2146 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,726 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:34 AM

Posted 11 October 2018 - 05:09 AM

Dharma (CrySiS) with the .gamma extension was reported about a month ago. Like other variants, it is not decryptable without paying the ransom and obtaining the private RSA keys from the criminals.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click the link in my signature.

#2147 netengs

netengs

  • Members
  • 11 posts
  • OFFLINE
  • Local time:01:34 PM

Posted 11 October 2018 - 06:10 AM

> Dharma (CrySiS) with the .gamma extension was reported about a month ago. Like other variants, it is not decryptable without paying the ransom and obtaining the private RSA keys from the criminals.

Hi quietman7,
Thanks for your reply; so the file samples I have found aren't useful for recovery or for analyzing this ransomware variant?
I can send them if there is anything useful.



#2148 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,726 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:34 AM

Posted 11 October 2018 - 09:15 AM

Unfortunately, the samples will not be helpful in this case.

#2149 Shadow_Tirtle

Shadow_Tirtle

  • Members
  • 23 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:34 AM

Posted 12 October 2018 - 01:13 AM

We don't know how he did it, but usersuptr@gmail.com helped us, and he gave us an invoice (recovery services).



#2150 Chocobodul

Chocobodul

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:34 PM

Posted 12 October 2018 - 01:43 AM

It looks like these guys have a little walkthrough on this process (they mention removing AV to avoid re-encryption, etc.): https://www.coveware.com/blog/dharma-ransomware-decryption

Hi all,

Got hit with the .COMBO variant.
We found it had deleted all Shadow Volume Copies, so we cannot restore files with Shadow Explorer or similar.
Backups ... well, it was daily but not useful, since at the time the backup disk was connected to the server and got infected too (lesson learned).
Looks like one of the remote computers was compromised and then, through RDP, the server became the target. All other computers are fine atm. After a week of trying to find some solution
we decided to pay up.
We did things according to the message below.
BEGIN MSG===================
BEFORE decrypting the system, check your autorun list (and also look at the registry). You must delete the virus if you find it!
Reboot your machines (one by one) and look at Task Manager. Does the virus run again? If not, all is fine.
Scan application (link)
download this file, and add it to white list in your antivirus
Run this application WITH ADMINISTRATOR RIGHTS
Scan local machine (don't move your files - this may compromise the integrity of the decryption process)
Push button "Save to file"
Send us this file with request key
END MSG ====================

Went through the process and we are now in the phase of inserting the received decryption key.
However, I'm not sure about checking (or not) the checkboxes?! (Last picture in the text at the above link.)
Anyone with experience in this final phase?
Any help appreciated.

Thanks
Choco

Edited by Chocobodul, 12 October 2018 - 01:48 AM.


#2151 g3rsiu

g3rsiu

  • Members
  • 44 posts
  • OFFLINE
  • Local time:02:34 PM

Posted 12 October 2018 - 05:15 AM

The checkboxes are:

Delete encrypted files after decrypt - if you have a working response key it should be no problem; if you untick it you will just end up having double the data (decrypted and encrypted).

Overwrite existing files - if there is a file with the same name in the same folder, it will be overwritten.

The boxes should be ticked, but if the key is not good, you can end up with a corrupt file and also delete the encrypted version. In a legit transaction (payment and reply from the one that infected you), there are usually no problems.

If you have any doubts, you should mirror the files on a backup drive.


Edited by g3rsiu, 12 October 2018 - 05:17 AM.
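The safety practice g3rsiu describes (mirror the encrypted files first, and do not let a decryptor delete the encrypted originals until you know the key produced real files) can be scripted. The following is an added example, not code from the thread or from any decryption tool: it copies files whose names match the Dharma pattern given in the topic title (`original.ext.[email].variant`) to a mirror directory, then, after a decryptor has run, checks each decrypted output against a small magic-byte table before removing the encrypted copy. The directory layout, the `@example.invalid` address and the sample bytes are constructed for the demo; the variant extensions are the ones named in this thread.

```python
"""
Added example (not from the forum thread): mirror Dharma-encrypted files
before decryption, then only delete an encrypted copy once its decrypted
sibling passes a sanity check. All paths and sample data are constructed.
"""
import re
import shutil
import tempfile
from pathlib import Path

# Name pattern from the topic title: <original>.[<email>].<variant extension>.
# Extensions listed are the ones mentioned in this thread (assumption: no others).
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+)\.\[(?P<email>[^\]]+)\]\.(?P<ext>wallet|bip|cmb|arena|combo|gamma)$",
    re.IGNORECASE,
)

# Minimal magic-byte table for the file types we expect to recover.
MAGIC = {
    ".pdf": b"%PDF",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".zip": b"PK\x03\x04",
    ".docx": b"PK\x03\x04",  # OOXML documents are zip containers
}


def parse_encrypted_name(name):
    """Return (original name, email, variant ext) or None if not a Dharma-style name."""
    m = ENCRYPTED_NAME.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("email"), m.group("ext").lower()


def mirror_encrypted(src_dir, mirror_dir):
    """Copy every encrypted file in src_dir to mirror_dir; returns the count copied."""
    src, dst = Path(src_dir), Path(mirror_dir)
    dst.mkdir(parents=True, exist_ok=True)
    count = 0
    for p in src.iterdir():
        if p.is_file() and parse_encrypted_name(p.name):
            shutil.copy2(p, dst / p.name)  # copy2 keeps timestamps for later forensics
            count += 1
    return count


def looks_decrypted(path):
    """True if the file starts with the magic bytes for its extension.
    For unknown extensions, only reject degenerate output (empty or one repeated byte)."""
    p = Path(path)
    if not p.is_file():
        return False
    head = p.read_bytes()[:16]
    if not head:
        return False
    magic = MAGIC.get(p.suffix.lower())
    if magic is not None:
        return head.startswith(magic)
    return len(set(head)) > 1


def safe_cleanup(src_dir):
    """Delete an encrypted file only when its decrypted sibling passes looks_decrypted.
    Returns (removed names, kept names) so the operator can review what was left behind."""
    src = Path(src_dir)
    removed, kept = [], []
    for p in sorted(src.iterdir()):
        parsed = parse_encrypted_name(p.name)
        if not p.is_file() or not parsed:
            continue
        if looks_decrypted(src / parsed[0]):
            p.unlink()
            removed.append(p.name)
        else:
            kept.append(p.name)  # bad key or failed decryption: keep the ciphertext
    return removed, kept


def demo():
    """Constructed scenario: one good decryption and one garbage output from a bad key."""
    work = Path(tempfile.mkdtemp())
    files, mirror = work / "share", work / "mirror"
    files.mkdir()
    (files / "report.pdf.[help@example.invalid].combo").write_bytes(b"\x13\x37" * 8)
    (files / "report.pdf").write_bytes(b"%PDF-1.4\n%constructed sample\n")
    (files / "photo.jpg.[help@example.invalid].arena").write_bytes(b"\x42" * 16)
    (files / "photo.jpg").write_bytes(b"\x00" * 16)  # decryptor wrote garbage
    (files / "notes.txt").write_bytes(b"untouched file, not encrypted")
    mirrored = mirror_encrypted(files, mirror)
    removed, kept = safe_cleanup(files)
    shutil.rmtree(work)
    return mirrored, removed, kept


if __name__ == "__main__":
    print(demo())
```

Run the mirror step before launching any vendor decryptor with "delete encrypted files" ticked; if `safe_cleanup` reports kept files, the decryption of those items failed and the mirrored ciphertext is still available for a second attempt.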


#2152 Chocobodul

Chocobodul

  • Members
  • 3 posts
  • OFFLINE
  • Local time:01:34 PM

Posted 12 October 2018 - 06:56 AM

.

Edited by Chocobodul, 12 October 2018 - 07:02 AM.


#2153 Chocobodul

Chocobodul

  • Members
  • 3 posts
  •  
  • Local time:01:34 PM

Posted 12 October 2018 - 06:57 AM

@g3rsiu
Thanks for your comment. I did a disk clone before any further actions.

My above question was basically because of the linked article and, more specifically, the sentence
“The user is given the option to delete and overwrite the encrypted files in the checkboxes. In our experiences, these boxes need to be checked, otherwise the tool fails to decrypt files”

For those wondering in my case everything went ok. Boxes checked and files are back.

Edited by Chocobodul, 12 October 2018 - 07:02 AM.
