Posted 11 October 2018 - 05:09 AM
Posted 11 October 2018 - 06:10 AM
Dharma (CrySiS) with the .gamma extension was reported about a month ago. Like other variants, it is not decryptable without paying the ransom and obtaining the private RSA keys from the criminals.
Thanks for your reply; so the file samples I have found aren't useful for recovery or for analyzing this ransomware variant?
I can send them if there is something useful.
Posted 11 October 2018 - 09:15 AM
Posted 12 October 2018 - 01:13 AM
We don't know how he did it, but email@example.com helped us, and he gave us an invoice (recovery services).
Posted 12 October 2018 - 01:43 AM
It looks like these guys have a little walkthrough on this process (they mention removing AV to avoid re-encryption, etc.): https://www.coveware.com/blog/dharma-ransomware-decryption
Edited by Chocobodul, 12 October 2018 - 01:48 AM.
Posted 12 October 2018 - 05:15 AM
Delete encrypted files after decrypt: if you have a working response key, it should be no problem; if you untick it, you will just end up with double the data (decrypted and encrypted).
Overwrite existing files: if there is a file with the same name in the same folder, it will be overwritten.
The boxes should be ticked, but if the key is not good, you can end up with a corrupt file and also delete the encrypted version. In a legitimate transaction (payment and reply from the one that infected you), there are usually no problems.
If you have any doubts, you should mirror the files on a backup drive.
Edited by g3rsiu, 12 October 2018 - 05:17 AM.
Posted 12 October 2018 - 06:57 AM
Edited by Chocobodul, 12 October 2018 - 07:02 AM.