
Dharma ransomware (filename.[<email>].wallet/.bip/.cmb/.arena) Support Topic


2188 replies to this topic

#1471 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,908 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:10 AM

Posted 03 June 2017 - 07:05 PM

Any files that are encrypted with the newest variant of CryptON (Cry9, Cry36, Cry128, X3M, Nemesis) will have a random 5 character hexadecimal extension appended to the end of the encrypted data filename (i.e. .id-1163283255_[liukang@mortalkombat.su].08c85, .id-1163283255_[mk.baraka@aol.com].830s7) and leave files (ransom notes) named ### DECRYPT MY FILES ###.txt.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


 


#1472 Smok3d

Smok3d

  • Members
  • 28 posts
  • Gender:Male
  • Location:Canada
  • Local time:06:10 AM

Posted 03 June 2017 - 07:21 PM

Any files that are encrypted with the newest variant of CryptON (Cry9, Cry36, Cry128, X3M, Nemesis) will have a random 5 character hexadecimal extension appended to the end of the encrypted data filename (i.e. .id-1163283255_[liukang@mortalkombat.su].08c85, .id-1163283255_[mk.baraka@aol.com].830s7) and leave files (ransom notes) named ### DECRYPT MY FILES ###.txt.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.

 

Thanks
 

Cheers


Edited by Smok3d, 03 June 2017 - 07:37 PM.


#1473 nsgnc

nsgnc

  • Members
  • 2 posts
  • Local time:01:10 PM

Posted 17 June 2017 - 02:06 AM

All my files are encrypted. The extension is .br87r

Is there anyone who knows this ransomware?

 

 

 

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
 
To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: mk.rain@aol.com
 
 
Your personal ID: 511107550

 

 


#1474 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,908 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:10 AM

Posted 17 June 2017 - 06:27 AM

All my files are encrypted. The extension is .br87r

Is there anyone who knows this ransomware?
 
 

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
 
To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: mk.rain@aol.com
 
 
Your personal ID: 511107550

This is not Dharma...it is CryptON Ransomware which is the same as Cry9, Cry36, Cry128, X3M, and Nemesis.

Any files that are encrypted with Cry9, Cry36, the newest variants of CryptON (Nemesis) will have a random 5 character hexadecimal extension appended to the end of the encrypted data filename (i.e. .id-1163283255_[liukang@mortalkombat.su].08c85, .id-1163283255_[mk.baraka@aol.com].830s7) and leave files (ransom notes) named ### DECRYPT MY FILES ###.txt. Victims can post comments, ask questions and seek further assistance in the below topic.

#1475 gpnikola

gpnikola

  • Members
  • 14 posts
  • Local time:01:10 PM

Posted 17 June 2017 - 09:48 AM

So finally I managed to pay them the ransom, 5 BTC (06/12/2017) (mk.goro@aol.com, mk.goro@india.com).

And I got a great nothing. So please spread the news: "Never pay the ransoms". Nobody will ever take the files back. It is a fraud (forensic theft) from the beginning to the END.



#1476 nsgnc

nsgnc

  • Members
  • 2 posts
  • Local time:01:10 PM

Posted 18 June 2017 - 08:12 PM

 

All my files are encrypted. The extension is .br87r

Is there anyone who knows this ransomware?
 
 

*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED ***
 
To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: mk.rain@aol.com
 
 
Your personal ID: 511107550

 

This is not Dharma...it is CryptON Ransomware which is the same as Cry9, Cry36, Cry128, X3M, and Nemesis.

Any files that are encrypted with Cry9, Cry36, the newest variants of CryptON (Nemesis) will have a random 5 character hexadecimal extension appended to the end of the encrypted data filename (i.e. .id-1163283255_[liukang@mortalkombat.su].08c85, .id-1163283255_[mk.baraka@aol.com].830s7) and leave files (ransom notes) named ### DECRYPT MY FILES ###.txt. Victims can post comments, ask questions and seek further assistance in the below topic.

 

Thanks for your reply. My version is probably Cry36.
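
A triage sketch for the naming patterns described in the posts above, added here as an example and not code from any poster or vendor: it sorts file names into CryptON-style or Dharma-style by suffix. The regular expressions, function names and sample listing are assumptions built from the patterns quoted in this thread.

```python
import re
from collections import Counter

# CryptON-style suffix as described in the thread: .id-<digits>_[<email>].<5 chars>
# The posts call the last part hexadecimal, but the thread's own samples
# (.830s7, .br87r) contain non-hex letters, so any 5 alphanumerics are accepted.
CRYPTON_RE = re.compile(
    r"\.id-(?P<id>\d+)_\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[0-9a-z]{5})$",
    re.IGNORECASE,
)
# Dharma-style suffix from the topic title: .[<email>].wallet/.bip/.cmb/.arena
DHARMA_RE = re.compile(
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>wallet|bip|cmb|arena)$",
    re.IGNORECASE,
)
CRYPTON_NOTE = "### DECRYPT MY FILES ###.txt"


def classify(name):
    """Return (family, details) for one file name; family is None if no match."""
    if name == CRYPTON_NOTE:
        return "CryptON", {"kind": "ransom note"}
    m = CRYPTON_RE.search(name)
    if m:
        return "CryptON", m.groupdict()
    m = DHARMA_RE.search(name)
    if m:
        return "Dharma", m.groupdict()
    return None, {}


def triage(names):
    """Count matches per family across a directory listing."""
    return Counter(fam for fam, _ in map(classify, names) if fam)


# Constructed listing: base names are invented, suffixes are the ones quoted in the thread.
SAMPLE = [
    "budget.xlsx.id-1163283255_[liukang@mortalkombat.su].08c85",
    "photo.jpg.id-1163283255_[mk.baraka@aol.com].830s7",
    "### DECRYPT MY FILES ###.txt",
    "notes.docx.[someone@example.com].wallet",
    "readme.txt",
]

if __name__ == "__main__":
    for n in SAMPLE:
        print(classify(n)[0], "<-", n)
    print(dict(triage(SAMPLE)))
```
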



#1477 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,908 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:10 AM

Posted 19 June 2017 - 04:47 AM

You're welcome.

#1478 akmalfikri

akmalfikri

  • Members
  • 5 posts

Posted 20 July 2017 - 11:30 PM

Hi guys. Any news regarding mkliukang's .wallet ransomware?

 

UPDATE: Found the decryptors, used both Kaspersky and Avast Decryptor but both produced password-protected RAR files. Can anyone help?


Edited by akmalfikri, 21 July 2017 - 12:41 AM.


#1479 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,908 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:05:10 AM

Posted 21 July 2017 - 07:52 AM

Did you try ESETCrysisDecryptor.exe?

#1480 al1963

al1963

  • Members
  • 893 posts
  • Local time:04:10 PM

Posted 21 July 2017 - 08:24 AM

Hi guys. Any news regarding mkliukang's .wallet ransomware?

 

UPDATE: Found the decryptors, used both Kaspersky and Avast Decryptor but both produced password-protected RAR files. Can anyone help?

 

Add several encrypted *.wallet files to verify the decryption at http://sendspace.com



#1481 akmalfikri

akmalfikri

  • Members
  • 5 posts

Posted 21 July 2017 - 08:42 AM

Did you try ESETCrysisDecryptor.exe?

Haven't tried that yet.

 

UPDATED: Used this and it is still asking me for the RAR password.


Edited by akmalfikri, 21 July 2017 - 09:01 AM.


#1482 akmalfikri

akmalfikri

  • Members
  • 5 posts

Posted 21 July 2017 - 08:44 AM

 

Hi guys. Any news regarding mkliukang's .wallet ransomware?

 

UPDATE: Found the decryptors, used both Kaspersky and Avast Decryptor but both produced password-protected RAR files. Can anyone help?

 

Add several encrypted *.wallet files to verify the decryption at http://sendspace.com

 

Here it is : https://www.sendspace.com/file/w632fk

Other files are huge like 6GB and 8GB.



#1483 al1963

al1963

  • Members
  • 893 posts
  • Local time:04:10 PM

Posted 21 July 2017 - 10:44 AM

 

 

Hi guys. Any news regarding mkliukang's .wallet ransomware?

 

UPDATE: Found the decryptors, used both Kaspersky and Avast Decryptor but both produced password-protected RAR files. Can anyone help?

 

Add several encrypted *.wallet files to verify the decryption at http://sendspace.com

 

Here it is : https://www.sendspace.com/file/w632fk

Other files are huge like 6GB and 8GB.

 

Esetcrysisdecryptor is a decryptor, not an archiver / extractor.



#1484 mcerdem

mcerdem

  • Banned
  • 223 posts
  • Gender:Male
  • Local time:02:10 PM

Posted 21 July 2017 - 10:50 AM

@akmalfikri, could you please share a few of your .wallet encrypted files?



#1485 akmalfikri

akmalfikri

  • Members
  • 5 posts

Posted 22 July 2017 - 12:08 AM

@akmalfikri, could you please share a few of your .wallet encrypted files?

Here they are. 

https://drive.google.com/drive/folders/0B9mkXwuovrHHWGRiNHJNOTFib2s?usp=sharing





