
Dharma ransomware (filename.[<email>].wallet/.ceser/.arena) Support Topic


1663 replies to this topic

#1651 shane_r


Posted 07 November 2017 - 07:43 AM

Good Day Everyone,

 

Early yesterday morning we got attacked by .Arena. It has infected 3 of my servers (DC & Exchange, SQL, Terminal Server), 2 desktops, and also all my external HDD where all of my backups were stored. Any help or suggestion would be greatly appreciated.




#1652 quietman7


Posted 07 November 2017 - 08:06 AM

Unfortunately, there is no known way to decrypt files encrypted by the .arena variant of Dharma without paying the ransom. If possible, your best option is to restore from backups, try file recovery software or wait for a possible solution at a later time.
Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#1653 shane_r


Posted 07 November 2017 - 08:13 AM

Thanks for the reply. Here is my question: I have some applications, e.g. QuickBooks. Are they infected also, or will I be able to recover the company file and restore it on a new server? Also, I have an image of my server which was stored on an external HDD; it has the .Arena extension on it. Can I restore the server from bare metal, or has it been infected as well? Thanks again.



#1654 merlin077


Posted 08 November 2017 - 04:10 AM

Hello,

 

As we are encrypted by the .arena ransomware (mikecoins@qq.com | dd@airmail.cc), I'd like to ask if anyone has paid the fee (0,73 btc) and actually got the key?

 

Thanks,

merlin



#1655 shane_r


Posted 09 November 2017 - 01:57 AM

They were asking us 1 BTC for every machine; we did not pay them. I managed to recover most of my data. I used Systool Exchange Recovery software to repair my .edb data. I also recovered my QuickBooks data through the backup I had. As I mentioned before, all my backups had the .arena extension, but when I restored them they were not damaged or encrypted (thank GOD). My next step would be my SQL server, for which Systool offers a fantastic software to repair SQL databases, but I am hoping it does not get that far and my database is not damaged. I will post an update again.



#1656 Kcrobble


Posted 09 November 2017 - 11:24 AM

Ugh.  We got hit by .arena (support@decrypt.ws).  Our backups were there, but not completely up to date and now I need to clean up this server.

 

The problem I am having is that even in safe mode the Windows installer is corrupted or otherwise non-operational.  Anybody seen this and have a solution?

 

-double-ugh, cannot run portable EXEs in safe mode either.


Edited by Kcrobble, 09 November 2017 - 11:58 AM.


#1657 cvictor2002


Posted 10 November 2017 - 04:55 PM

Hey folks,

 

Just happened to me as well. Will stay tuned to this topic.

Seems this is the most up-to-date community, right? Is there any site/forum where people discuss Dharma (and .arena)?

 

Best regards,

Victor



#1658 quietman7


Posted 10 November 2017 - 05:03 PM

When or if a decryption solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

#1659 cvictor2002


Posted 10 November 2017 - 05:23 PM

Thanks, Bleepin' Janitor.

 

By the way, my encryption "fingerprint" is [VanDamme@aolonline.top].arena

 

Victor



#1660 cvictor2002


Posted 11 November 2017 - 07:15 AM

I meant quietman7 :)

#1661 quietman7


Posted 11 November 2017 - 07:20 AM

You're welcome on behalf of the Bleeping Computer community.

#1662 vcesar1


Posted 14 November 2017 - 04:46 PM

Good day to everyone. A virus called black.mirror@qq.com.arena entered my system. The hacker left the virus in the session. Can you do something with that?

#1663 quietman7


Posted 14 November 2017 - 05:09 PM

Unfortunately not...see my previous comments in Post #1653.

#1664 neumannu47


Posted Yesterday, 06:05 PM

A customer got the ransomware attack that adds the .arena file extension. Thankfully the only important files they lost are QuickBooks. Since I have a backup, we should be good to go. However, I'm very concerned that I may infect the rebuilt computer if I use a backup from the infected computer. For one, there is a "Tor" icon on the desktop, and I don't think anyone at the customer's business knows what Tor is. Was it likely left behind by the hacker?

My question is, how can I be sure that the virus is not on the backup? What software will find it? I've run MalwareBytes, but it didn't find anything. I only want the QB files from the backup. The computer will be rebuilt from scratch. 





