Dharma ransomware (filename.[<email>].wallet/.cesar/.arena) Support Topic


1945 replies to this topic

#1936 EngMarine

  • Members
  • 6 posts
  • OFFLINE
  • Local time: 03:10 AM

Posted 16 May 2018 - 11:46 AM

I was infected by the .bip ransomware, which is one of the Dharma family.

The mail is restoresales@airmail.cc

I've tried to send mail to the hacker, but it always gives me an error message that the mail is not correct.

Is that normal?





#1937 Amigo-A

  • Members
  • 451 posts
  • OFFLINE
  • Gender: Male
  • Location: 3st station from Sun
  • Local time: 06:10 AM

Posted 16 May 2018 - 02:02 PM

EngMarine

Try the address beamsell@qq.com

This is the same gang.


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#1938 quietman7

  • Bleepin' Janitor
  • Global Moderator
  • 51,117 posts
  • ONLINE
  • Gender: Male
  • Location: Virginia, USA
  • Local time: 09:10 PM

Posted 16 May 2018 - 02:47 PM

> I was infected by the .bip ransomware, which is one of the Dharma family.
>
> The mail is restoresales@airmail.cc
>
> I've tried to send mail to the hacker, but it always gives me an error message that the mail is not correct.
>
> Is that normal?

These email addresses used by the criminals constantly change, so it's not uncommon.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#1939 NexRandomGuy

  • Members
  • 2 posts
  • OFFLINE
  • Local time: 09:10 PM

Posted 18 May 2018 - 01:50 AM

We recently got hit by the latest variant (.java), paid the $, got a decrypt tool + key. The decryption process is extremely slow on our legacy hardware, but files are decrypting.

I tried copying some of the encrypted files to another machine and running the tool, which didn't do anything.

We have approximately 2TB of data to decrypt. The previous 2TB we did took about 5 days. Any thoughts on how we could speed it up?



#1940 tigro11

  • Members
  • 12 posts
  • OFFLINE
  • Local time: 03:10 AM

Posted 18 May 2018 - 02:55 AM

Very strange thing: the hacker decrypts them on his machine, so it seems strange that after replacing the machine the tool does not work.



#1941 NexRandomGuy

  • Members
  • 2 posts
  • OFFLINE
  • Local time: 09:10 PM

Posted 18 May 2018 - 03:02 AM

> Very strange thing: the hacker decrypts them on his machine, so it seems strange that after replacing the machine the tool does not work.

Unless the decrypt tool looks for a specific file to validate it's on the same machine? Maybe a registry entry? A file on the filesystem?

Just curious if anyone else ran into this.



#1942 josemaria7

  • Members
  • 3 posts
  • OFFLINE
  • Local time: 03:10 AM

Posted 18 May 2018 - 03:11 AM

> We recently got hit by the latest variant (.java), paid the $, got a decrypt tool + key. The decryption process is extremely slow on our legacy hardware, but files are decrypting.
>
> I tried copying some of the encrypted files to another machine and running the tool, which didn't do anything.
>
> We have approximately 2TB of data to decrypt. The previous 2TB we did took about 5 days. Any thoughts on how we could speed it up?

They are BAD BAD BAD hackers.

decripthelp@tutanota.com

Bad person:

Hacker accepts to decrypt for 0.3 BTC

http://prntscr.com/jjeuup

Hacker gets 0.3 BTC and demands more...

http://prntscr.com/jjevw9

bleep!!!



#1943 g3rsiu

  • Members
  • 12 posts
  • OFFLINE
  • Local time: 04:10 AM

Posted 18 May 2018 - 03:36 AM

> Very strange thing: the hacker decrypts them on his machine, so it seems strange that after replacing the machine the tool does not work.

Send me a private msg with the decrypt exe, the key, and an infected file.

#1944 g3rsiu

  • Members
  • 12 posts
  • OFFLINE
  • Local time: 04:10 AM

Posted 18 May 2018 - 03:40 AM

 

> > Very strange thing: the hacker decrypts them on his machine, so it seems strange that after replacing the machine the tool does not work.
>
> Unless the decrypt tool looks for a specific file to validate it's on the same machine? Maybe a registry entry? A file on the filesystem?
>
> Just curious if anyone else ran into this.

The decrypt exe only filters on extension and id (not the id in the file name (volume-id), but the internally coded id of the packer/hacker). No registry activity. If it's the same family it should be the same, but maybe the .java variant is built smarter. If you send me a PM with the decrypter, the key, and a ransomed file, I can take a look.


Edited by g3rsiu, 18 May 2018 - 05:22 AM.


#1945 Kevin070982

  • Members
  • 1 posts
  • OFFLINE

Posted Today, 12:36 AM

Hi guys, I just want to post the solution I found to partly fix my corrupted SQL database infected by the new *.arrow ransomware.
Hope it can help others too.

We got infected on 19.05.18 and, like others, all files are encrypted.
We only need our SQL DBs back.
So I tried some other ways in the hope of getting at least something.

Find your .mdf DB with the .arrow ending, make a backup of it (in case the key is released some day), and rename it to yourdb.mdf.
Then use Stellar Phoenix SQL Database Repair to recover your DB.
You can now see the restored tables and rows, not all, but better than nothing.
Then follow the instructions to save it into your SQL instance or export it as CSV.

I got 80% of my DB back.
I think it's better than nothing.

I also tested other SQL recovery tools, but the result wasn't good.

Hope it will help.

Kevin

Edited by Kevin070982, Today, 12:40 AM.
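Two posts above describe the practical groundwork for any recovery attempt: g3rsiu (#1944) notes that the decrypter keys off the extension and an internal id rather than the id in the file name, and Kevin (#1945) backs up the encrypted .mdf before renaming it for a repair tool. Both start with the same step, an inventory of what was renamed, taken before anything is touched. The Python script below is an added example, not code from this thread or from any tool mentioned in it. It assumes the naming pattern shown in the topic title, <original>.[<contact email>].<ext>, plus an optional .id-<hex> segment in front of the bracketed address (that segment is an assumption, not something the thread states), and every file name in it is constructed.

```python
"""Triage helper for files renamed by a Dharma-style ransomware.

Added example, not code from this thread or from any tool it mentions.
Assumed naming pattern: <original>[.id-<hex>].[<contact email>].<ext>
(the ".id-<hex>" segment is an assumption). All sample names are constructed.
"""
import re
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path

# Extensions mentioned in this thread: .wallet/.cesar/.arena (title), .bip, .java, .arrow (posts)
THREAD_EXTENSIONS = {"wallet", "cesar", "arena", "bip", "java", "arrow"}

# The bracketed part must contain an "@" so that a name like backup.[2018].zip is not
# mistaken for a ransomed file; the ".id-<hex>" segment is optional and assumed.
NAME_PATTERN = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.id-(?P<id>[0-9A-Fa-f]+))?"
    r"\.\[(?P<email>[^\[\]@]+@[^\[\]]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)

# Constructed sample names; the contact addresses are the ones quoted in the thread.
SAMPLE_NAMES = [
    "sales.mdf.id-1A2B3C4D.[restoresales@airmail.cc].arrow",
    "sales_log.ldf.id-1A2B3C4D.[restoresales@airmail.cc].arrow",
    "report.docx.[beamsell@qq.com].bip",
    "photo.jpg.id-DEADBEEF.[decripthelp@tutanota.com].java",
    "readme.txt",          # untouched file
    "backup.[2018].zip",   # brackets but no address: not a ransomed name
]


def parse_encrypted_name(name):
    """Return the parts of a Dharma-style file name, or None if the name does not fit."""
    m = NAME_PATTERN.match(name)
    if not m:
        return None
    ext = m["ext"].lower()
    return {
        "original": m["original"],
        "id": m["id"],  # None when no ".id-" segment is present
        "email": m["email"].lower(),
        "ext": ext,
        "known_ext": ext in THREAD_EXTENSIONS,  # flags extensions this thread has not seen
    }


def inventory(names):
    """Group ransomed names by (contact email, extension). Since the decrypter filters
    on extension (g3rsiu, #1944), this is the first cut at how many distinct
    decrypter/key pairs a recovery would need, before any file is renamed."""
    groups = defaultdict(list)
    for name in names:
        parsed = parse_encrypted_name(name)
        if parsed:
            groups[(parsed["email"], parsed["ext"])].append(parsed["original"])
    return dict(groups)


def sql_repair_candidates(names):
    """Ransomed names whose original file was a SQL Server data file (.mdf),
    i.e. the files Kevin's repair procedure (#1945) applies to."""
    return [
        name for name in names
        if (p := parse_encrypted_name(name)) and p["original"].lower().endswith(".mdf")
    ]


def stage_copy_for_repair(encrypted_path, work_dir):
    """Kevin's first step done safely: leave the encrypted original untouched, copy it
    into work_dir under its original name (e.g. sales.mdf) and return that path, so a
    repair tool only ever works on the copy and the original is kept for a future key."""
    encrypted_path = Path(encrypted_path)
    parsed = parse_encrypted_name(encrypted_path.name)
    if parsed is None:
        raise ValueError(f"{encrypted_path.name} does not look like a Dharma-style name")
    work_dir = Path(work_dir)
    work_dir.mkdir(parents=True, exist_ok=True)
    target = work_dir / parsed["original"]
    if target.exists():
        raise FileExistsError(f"refusing to overwrite {target}")
    shutil.copy2(encrypted_path, target)
    return target


def demo_stage_in_tempdir():
    """Write a constructed 'encrypted' file into a temp dir, stage it, and return
    (staged file name, original still present, staged bytes identical to original)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / SAMPLE_NAMES[0]
        src.write_bytes(b"\x00constructed ciphertext placeholder\x00")
        staged = stage_copy_for_repair(src, Path(tmp) / "repair_work")
        return staged.name, src.exists(), staged.read_bytes() == src.read_bytes()


if __name__ == "__main__":
    for (email, ext), originals in sorted(inventory(SAMPLE_NAMES).items()):
        print(f"{email:32} .{ext:6} {len(originals)} file(s)")
    print("SQL repair candidates:", sql_repair_candidates(SAMPLE_NAMES))
    print("staging demo:", demo_stage_in_tempdir())
```

Run it over a real directory listing by replacing SAMPLE_NAMES with the names found on disk; the inventory tells you how many contact/extension combinations are involved before anyone spends money or runs a tool, and the staging step keeps the only copy of each encrypted file intact, which matters for .mdf files that a repair tool may only partially rebuild.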


#1946 johngypsy

  • Members
  • 1 posts
  • OFFLINE
  • Local time: 09:10 PM

Posted Today, 10:10 AM

> Hello to all infected only by the .arrow extension, please share 1-2 encrypted files so that I can check.

Are you still looking for more Dharma/Arrow infection samples? Let me know if you'd like me to send you an encrypted file or two.

(I tried to send a direct message to you, but it said that you couldn't accept any messages.)





