...I also got hit from this crypton / cry36 variant today from RDP. The file size of original and encrypted is the same though. The files are renamed to filename.id-xxxxxxxxxxxxxx_[email@example.com].b1m74 so it has extension b1m74.
ID Ransomware identifies this as 2 types, as Cry36 and Dharma (Wallet). Dharma only comes from the email that is listed on the filename I guess...
Any files that are encrypted with Cry9 will have a random 5 character hexadecimal extension appended to the end of the encrypted data filename (i.e. .id-1163283255_[firstname.lastname@example.org].08c85) and leave files (ransom notes) named ### DECRYPT MY FILES ###.txt.
Any files that are encrypted with Dharma Ransomware will have a .dharma extension followed by an id-<8 random hexadecimal characters>.[email address] appended to the end of the encrypted data filename (i.e. .id-A04EBFC2.[email@example.com].dharma, .id-480EB957.[firstname.lastname@example.org].wallet, .id-5FF23AFB.[Asmodeum_daemonium@aol.com].onion, .id-EB214036.[email@example.com].zzzzz) and leave files (ransom notes) named README.txt, README.jpg, Hello my vichtim.txt, Your personal data are encrypted!.txt.
extension followed by an id-<8 random hexadecimal characters>.[email address] appended to the end of the encrypted data filename (i.e. .id-A04EBFC2.[email@example.com].dharma, .id-480EB957.[firstname.lastname@example.org].wallet, .id-5FF23AFB.[Asmodeum_daemonium@aol.com].onion, .id-EB214036.[email@example.com].zzzzz) and leave files (ransom notes) named README.txt, README.jpg, Hello my vichtim.txt, Your personal data are encrypted!.txt.