Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Dharma ransomware (filename.[<email>].wallet/.ceser/.arena) Support Topic


  • Please log in to reply
1675 replies to this topic

#16 kitter

kitter

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 18 November 2016 - 04:55 AM

Hello, I've got the same problem.

 

The ransomware was ran on our server and although was ran (probably) under one of limited user accounts, it still encrypted the database of one of information system we use. (Unfortunely whoever use this infosystem, needs to have R/W access to the files and raw database of the infosystem) The problem is I haven't got up-to-date backups (shame on me).

 

The server has Remote Desktop (Terminal Services) and it was used by the attack, I believe the password must have been guessed using bruteforce.

 

Naming example is "desktop.ini.[bitcoin143@india.com].dharma". The ransomware README.txt AND README.jpg is also to be found. I have some original files before encryption available for analysis, etc.

 

I found the file called "Skanda 23.exe" and I believe that is the main ransomware program file. It is accually a SFX archive, that contains files Ripoff.Acm , qiblas.dll and System.dll (in a subfolder).

I tried to ran the Kaspersky tool mentioned here, but with no luck.

 

 

I can offer you my full assistance while solving this problem, I can't say I see any other option now. Thank you for your work in advance.



BC AdBot (Login to Remove)

 


m

#17 bensantom

bensantom

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:03:50 PM

Posted 18 November 2016 - 10:02 AM

Yesterday my server got hit the same problem.

 

All of my file got encrypted and rename to  filename.[pay4help@india.com].dharma

My database backup file is also got encrypted. Is there any good tool to decrypt the .bak file?

I have original files of some other encrypted files for any analysis.

 

I appreciate your help



#18 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,251 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:USA
  • Local time:03:50 PM

Posted 18 November 2016 - 11:47 AM

It has been confirmed this is a variant based on CrySiS, but is not decryptable. We suspect someone forked the code and generated their own keys that were not part of the leaked set.

 

https://twitter.com/PolarToffee/status/799289754437165056


logo-25.pngID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

ransomnotecleaner-25.png RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

cryptosearch-25.pngCryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#19 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,952 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:50 PM

Posted 18 November 2016 - 04:34 PM

Victims can find more information about the original CrySiS variants in this CrySiS Ransomware Support Topic.

Since Dharma is a confirmed new variant which is not decryptable, for now we will keep this as a separate support topic to avoid confusion.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#20 Berserkir-Wolf

Berserkir-Wolf

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New Zealand
  • Local time:10:50 AM

Posted 18 November 2016 - 05:21 PM

Using a false email account on a temp server I reached out to the email mentioned in the filenames/readme.

I provided a copy of one of the encrypted files for reference as to which site, as there was no ID to be found anywhere.

 

I received a response this morning asking for a file with the extension XTBL, but there are none on this machine. I'm now not sure the perpetrator fully understands what they're doing, or that they are actually capable of decrypting the files.



#21 Pablomasc

Pablomasc

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Buenos Aires, Argentina
  • Local time:06:50 PM

Posted 19 November 2016 - 12:42 PM

Hi to all. Here yesterday 8PM (GMT-3) we also had an infection with this "dharma" ransom. No one was using the PC and no pendrive nor email was opened. It just installed itself in a Windows 7 PC with NOD32 updated. I change the extension from a encrypted file to .locked to work with the Kaspersky RakhniDecryptor and it's looking for a key. I'll post if it can find one.


Edited by Pablomasc, 19 November 2016 - 12:42 PM.


#22 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,952 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:50 PM

Posted 19 November 2016 - 05:57 PM

Crypto malware (file encrypting ransomware) is typically spread through some type of "user interaction"...opening a malicious email attachment, executing a malcious file, via web exploits, exploit kits and drive-by downloads when visiting compromised web sites. Most infections from exploits are primarily the result of "passive user interaction"...that is the victims were careless or too lazy to update vulnerable software and close the security holes which could have prevented such an infection.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#23 dieter09

dieter09

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:10:50 PM

Posted 22 November 2016 - 12:51 PM

Is there any solution yet?

 

I am also infected with the Darma ransomwere.

Shadow explorer or windows restore do not work, because everything has been deleted.

 

Thank you



#24 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,952 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:50 PM

Posted 22 November 2016 - 05:52 PM

Unfortunately, there is no known way at this time to decrypt files encrypted by Dharma without paying the ransom. Our crypto-malware experts who analyze these infections suspect another cyber criminal forked the code and generated their own keys that were not part of the leaked master decryption keys for the original CrySiS variants.

When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#25 ChaseAtSolara

ChaseAtSolara

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:03:50 PM

Posted 22 November 2016 - 06:18 PM

This is an analysis of Dharma Crysis ransomware in action. I pulled the virus from a user's profile and submitted to Malwr.

https://malwr.com/analysis/ZjZiNTkzOGE5ZWY5NDkxNmIwZWUwOGZlOTliNWNlZDA/



#26 eze_jm

eze_jm

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Argentina
  • Local time:06:50 PM

Posted 24 November 2016 - 06:40 AM

Any news about the decrypter?

 

I was infected the last friday



#27 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,952 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:50 PM

Posted 24 November 2016 - 07:13 AM

See Post #24 above.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#28 eze_jm

eze_jm

  • Members
  • 30 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Argentina
  • Local time:06:50 PM

Posted 24 November 2016 - 07:13 AM

Victims can find more information about the original CrySiS variants in this CrySiS Ransomware Support Topic.

Since Dharma is a confirmed new variant which is not decryptable, for now we will keep this as a separate support topic to avoid confusion.

 

Any news about the decrypter?



#29 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,952 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:50 PM

Posted 24 November 2016 - 07:16 AM

I just replied to your previous question.
.
.
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#30 Pablomasc

Pablomasc

  • Members
  • 2 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Buenos Aires, Argentina
  • Local time:06:50 PM

Posted 24 November 2016 - 07:31 AM

I couldn't find a way to decrypt the files. We restored from a previous backup but I keep the encrypted files in case of a future tool. I'll post here any advance






4 user(s) are reading this topic

1 members, 3 guests, 0 anonymous users


    manobc