Dharma ransomware (filename.[<email>].wallet/.ceser/.arena) Support Topic


1818 replies to this topic

#1786 al1963

al1963

  • Members
  • 873 posts
  • OFFLINE
  •  
  • Local time:11:27 AM

Posted 05 February 2018 - 09:58 PM

Hi guys! My company got infected with a variant of the Dharma ransomware. The files have the .write extension. Have you got any updates on decryptors for this kind of attack? Thank you very much in advance for any information.

 

PS: I have got a couple of sample files in case they're of any use.

 

Looking forward to hearing from you,

 

JANG.

@alobien,

Add a few encrypted files plus a ransom note to an archive at http://sendspace.com, and give us the link in your message.


#1787 quietman7


Posted 06 February 2018 - 06:24 AM

Hi guys! My company got infected with a variant of the Dharma ransomware. The files have the .write extension. Have you got any updates on decryptors for this kind of attack?...

I have not seen that extension used by Dharma (CrySiS).

Did you find any ransom notes and if so, what is the actual name of the note?
Did the cyber-criminals provide an email address to send payment to? If so, what is the email address?

Did you submit (upload) any samples of encrypted files, ransom notes and any contact email addresses or hyperlinks provided by the cyber-criminals to ID Ransomware for assistance with identification and confirmation? Uploading both encrypted files and ransom notes together provides a more positive match and helps to avoid false detections.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#1788 Amigo-A


Posted 06 February 2018 - 11:38 AM

https://twitter.com/demonslay335/status/958056126943199232

There is .write; it appeared toward the end of January.


My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Have you been hit by a file-encrypting ransomware? Let me know here.


#1789 quietman7


Posted 06 February 2018 - 04:31 PM

The variants come out so fast, sometimes it's hard to keep up.

@alobien

Unfortunately, there is no known method to decrypt files encrypted by the newer variants of Dharma (CrySiS) without paying the ransom. If possible, your best option is to restore from backups, try file recovery software or backup/save your encrypted data as is and wait for a possible solution at a later time.

#1790 Giorgi84


Posted 07 February 2018 - 11:19 AM

Hi all,
here is my file.

If it is possible, please help me.

 

https://www.sendspace.com/file/9dd6pu
 


Edited by Giorgi84, 07 February 2018 - 11:20 AM.


#1791 quietman7


Posted 07 February 2018 - 01:26 PM

@Giorgi84

As I noted in the other topic where you posted and to other victims here...there is no known method to decrypt files encrypted by the newer variants of Dharma (CrySiS) without paying the ransom and obtaining the private RSA keys from the criminals.

#1792 caciavar


Posted 07 February 2018 - 04:10 PM

I've contacted a data recovery company who says they have a 97.4% success rate in decrypting files encrypted with the Dharma 2 variant (in my case it's arena). Of course, they want a ton of money to recover the data. Personally, I don't see how they can be successful without the decryption key, which I doubt they have. So I'm not sure how they can claim to have such success. Has anyone been successful with a data recovery company?



#1793 quietman7


Posted 07 February 2018 - 04:25 PM

Bleeping Computer cannot vouch for those who claim they can decrypt data. We are a large site and have no way of knowing the background, expertise or motives of individuals (or companies) who indicate decryption is possible. We can only advise to be cautious with whomever you are dealing with, what services they are able to provide and what claims they make before sending money to anyone. Our experts have found that some of these ransomware recovery services just pay the criminals, pretend they cracked the decryption and charge the victim even more than the ransom demands.

#1794 caciavar


Posted 07 February 2018 - 04:40 PM

Bleeping Computer cannot vouch for those who claim they can decrypt data. We are a large site and have no way of knowing the background, expertise or motives of individuals (or companies) who indicate decryption is possible. We can only advise to be cautious with whomever you are dealing with, what services they are able to provide and what claims they make before sending money to anyone. Our experts have found that some of these ransomware recovery services just pay the criminals, pretend they cracked the decryption and charge the victim even more than the ransom demands.

 

Thanks. It's interesting that recovery service companies would pay the ransom, especially when some claim that you don't pay unless they can recover data. In those cases they would be out of pocket if the hackers withheld the key after the ransom was paid.



#1795 rheiam


Posted 07 February 2018 - 11:30 PM

My sample files:

 

https://www.sendspace.com/filegroup/Xftqs NnFTI0ruYC2c7TuJxfml2x%2FDFCcv7vIfRJ1575o4NSEqZdXV8lUsaBSbvpd



#1796 rsnetto


Posted 08 February 2018 - 08:16 PM

I was lazy with my home network and got infected with the Dharma Java variant.

However, it seems the malware did not finish its job. There are many files left unencrypted (most of them along with a zero-byte "encrypted" pair). I can't log in to the system (Windows 7); it requires a password, and it was blank before. Looking at the System32 folder (on a Mac, to be safe) I found among the most recent files an .hta file with the ransom note and an executable that may be the malware. There may be other leftovers as well that may be of interest.

As I kept two or more copies of many files on different drives (I was worried about hardware failure and overlooked malware attacks), many of the unaffected files also have encrypted copies. So I have several GB of encrypted files with their original counterparts.

 

I'd like to know if I could help the experts to develop a decrypter.



#1797 RubenF


Posted 09 February 2018 - 12:25 PM

I was lazy with my home network and got infected with the Dharma Java variant.

However, it seems the malware did not finish its job. There are many files left unencrypted (most of them along with a zero-byte "encrypted" pair). I can't log in to the system (Windows 7); it requires a password, and it was blank before. Looking at the System32 folder (on a Mac, to be safe) I found among the most recent files an .hta file with the ransom note and an executable that may be the malware. There may be other leftovers as well that may be of interest.

As I kept two or more copies of many files on different drives (I was worried about hardware failure and overlooked malware attacks), many of the unaffected files also have encrypted copies. So I have several GB of encrypted files with their original counterparts.

I'd like to know if I could help the experts to develop a decrypter.

In the same boat. Every malware has its own version of the decryption key, so there isn't any unique copy, unless we get the master key from a server. Experts cannot develop any decrypter for it. It's impossible. My server got hacked on Monday and I haven't bothered to check the files because I'm pissed that some Russian f*cktard broke into my server.


Edited by RubenF, 09 February 2018 - 12:27 PM.


#1798 DCollin


Posted 09 February 2018 - 03:11 PM

My company was hit by the Dharma ransomware [info@witchevil.tk].

We had some files that were not backed up, so we paid for the keys and Evil Witch provided them in a timely manner.



#1799 Amigo-A


Posted 10 February 2018 - 05:42 AM

DCollin
What extension did your files receive after encryption?
Is this .java or .write?



#1800 robbie303


Posted 10 February 2018 - 08:58 AM

DCollin
My company was hit by the Dharma ransomware [info@witchevil.tk].

We had some files that were not backed up, so we paid for the keys and Evil Witch provided them in a timely manner.

 

The computer world thanks you for financially supporting computer criminals.
Your payment is a nice incentive for computer criminals to continue their work of extortion and destruction.
In other words, because you paid them, you are directly responsible for maybe hundreds of future infected PCs.
DCollin: YOU are the actual criminal here.


Edited by robbie303, 10 February 2018 - 09:03 AM.
