Ransomware on my Home Server


This topic is locked
4 replies to this topic

#1 mikehextall (Members, 9 posts)

Posted 13 May 2017 - 04:47 PM

I have ransomware on my Home Server, it has encrypted almost everything, all my music, videos, documents and most distressing, all my family photos. It has also attacked my NAS drive that contained all my back ups.

 

Here are a couple of file names:

 

Server Backup 01-05-2017.rar.id-DA570840.[mandanos@foxmail.com].wallet

IMG_0381.JPG.id-DA570840.[mandanos@foxmail.com].wallet

 

Please help.
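As an added example (not code from the original post, nor from any of the tools linked in this thread), the following Python script recognises the naming scheme shown above and inventories affected files by victim id and contact address, which is the information a support topic or an identification service asks for. The sample listing is constructed; the 8-hex-digit id length and the three suffixes (.wallet, .dharma, .zzzzz) come from this thread, and other variants may differ (assumption).

```python
import os
import re
from collections import defaultdict

# Naming scheme from the posts above:
#   <original name>.id-<victim id>.[<contact e-mail>].<wallet|dharma|zzzzz>
# The 8-hex-digit id length matches the OP's sample names; other variants may
# use a different length (assumption, not stated on the page).
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>wallet|dharma|zzzzz)$",
    re.IGNORECASE,
)


def _basename(path):
    """Last path component, accepting both '\\' and '/' so Windows paths parse
    on any host."""
    return re.split(r"[\\/]", path)[-1]


def parse_dharma_name(path):
    """Return {'original', 'victim_id', 'email', 'ext'} for an encrypted name,
    or None if the name does not follow the scheme."""
    m = DHARMA_NAME.match(_basename(path))
    if not m:
        return None
    parts = m.groupdict()
    parts["ext"] = parts["ext"].lower()
    return parts


def inventory(paths):
    """Group encrypted files by (victim id, contact e-mail).

    Returns {(victim_id, email): {'count': n, 'suffixes': set, 'sample': path}}.
    Two different ids or addresses on one system would mean two campaigns
    (or two runs), which matters when asking for help in a support topic.
    """
    groups = defaultdict(lambda: {"count": 0, "suffixes": set(), "sample": None})
    for path in paths:
        parts = parse_dharma_name(path)
        if parts is None:
            continue
        key = (parts["victim_id"].upper(), parts["email"].lower())
        g = groups[key]
        g["count"] += 1
        g["suffixes"].add(parts["ext"])
        if g["sample"] is None:
            g["sample"] = path
    return dict(groups)


def walk_tree(root):
    """Real-world input for inventory(): every file under root."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            yield os.path.join(dirpath, name)


# Constructed sample listing: the two names from the first post, some
# untouched files, and a second id/suffix for contrast.
SAMPLE_PATHS = [
    r"D:\Backups\Server Backup 01-05-2017.rar.id-DA570840.[mandanos@foxmail.com].wallet",
    r"D:\Photos\IMG_0381.JPG.id-DA570840.[mandanos@foxmail.com].wallet",
    r"D:\Photos\IMG_0382.JPG",
    r"D:\Docs\taxes.xlsx.id-DA570840.[mandanos@foxmail.com].wallet",
    r"D:\Docs\README.txt",
    r"D:\Docs\old.pdf.id-1A2B3C4D.[someone@example.invalid].dharma",
]

if __name__ == "__main__":
    for (vid, email), g in sorted(inventory(SAMPLE_PATHS).items()):
        print(f"id={vid} email={email} files={g['count']} "
              f"suffixes={sorted(g['suffixes'])} e.g. {g['sample']}")
```

On a real system replace SAMPLE_PATHS with walk_tree() over the affected volumes and the NAS share; the output tells you how many files are hit, whether more than one key id is involved, and which names to quote when posting in the support topic.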



#2 Demonslay335, Ransomware Hunter (Security Colleague, 3,511 posts, USA)

Posted 13 May 2017 - 04:48 PM

It's Dharma, they come in through brute-forcing RDP. You shouldn't have RDP open to the world, especially with weak passwords.

 

Afraid it cannot be decrypted. Can always try ShadowExplorer and Recuva, but otherwise proper backups are your only option.

 

Dharma ransomware (filename.[<email>].dharma/.wallet/.zzzzz) Support Topic

 


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.
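The entry vector named above (brute-forced RDP) leaves a trail in the Windows Security log: a burst of 4625 failed logons from one address, and, if a password was guessed, a 4624 success from the same address shortly after. As an added example, not from the post or from BleepingComputer, here is detection logic in Python run over constructed log lines flattened to one event per line (assumption: a real export via Event Viewer or Get-WinEvent carries the same fields in XML or CSV and needs a different parser; the threshold and window are illustrative defaults).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one event per line (assumption: a real export from
# Event Viewer or Get-WinEvent carries the same fields in XML/CSV).
# 4625 = failed logon, 4624 = successful logon.
# LogonType 10 = RemoteInteractive (RDP session); 3 = Network, which is how
# failures at the NLA pre-authentication stage are recorded.
SAMPLE_LOG = """\
2017-05-12T03:14:07Z 4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.45
2017-05-12T03:14:09Z 4625 LogonType=3 TargetUserName=admin IpAddress=203.0.113.45
2017-05-12T03:14:11Z 4625 LogonType=3 TargetUserName=mike IpAddress=203.0.113.45
2017-05-12T03:14:14Z 4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.45
2017-05-12T03:14:16Z 4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.45
2017-05-12T03:14:19Z 4625 LogonType=3 TargetUserName=administrator IpAddress=203.0.113.45
2017-05-12T03:15:02Z 4624 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.45
2017-05-12T08:00:00Z 4625 LogonType=10 TargetUserName=mike IpAddress=192.168.1.20
2017-05-12T08:00:30Z 4624 LogonType=10 TargetUserName=mike IpAddress=192.168.1.20
"""

LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event_id>\d{4}) LogonType=(?P<logon_type>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_events(text):
    """Turn the flattened log into a list of dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev["event_id"] = int(ev["event_id"])
        ev["logon_type"] = int(ev["logon_type"])
        events.append(ev)
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source addresses with >= threshold RDP-related logon failures
    inside any sliding window. Returns {ip: {'failures', 'users', 'first', 'last'}}."""
    flagged = {}
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625 or ev["logon_type"] not in (3, 10):
            continue
        q = recent[ev["ip"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in flagged:
            flagged[ev["ip"]] = {"first": q[0]["ts"]}
    # Fill in totals for each flagged address over the whole log.
    for ip, info in flagged.items():
        fails = [e for e in events if e["event_id"] == 4625 and e["ip"] == ip]
        info["failures"] = len(fails)
        info["users"] = {e["user"] for e in fails}
        info["last"] = max(e["ts"] for e in fails)
    return flagged


def successes_after_bruteforce(events, flagged):
    """Successful logons from a flagged address after its burst began: the
    signal that a password was guessed, not merely attempted."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        info = flagged.get(ev["ip"])
        if info and ev["event_id"] == 4624 and ev["ts"] >= info["first"]:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = find_bruteforce(evs)
    for ip, info in flagged.items():
        print(f"{ip}: {info['failures']} failures, users tried: {sorted(info['users'])}")
    for ev in successes_after_bruteforce(evs, flagged):
        print(f"compromise indicator: {ev['user']} from {ev['ip']} "
              f"at {ev['ts']:%Y-%m-%d %H:%M:%S}")
```

The single failure from the LAN address is noise and stays unflagged; the burst from the public address is flagged, and the 4624 that follows it from the same address is the timestamp to start the incident timeline from. Note that if the attacker hits a server with NLA disabled, the failures can arrive as LogonType 10 rather than 3, which is why both types are counted.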


#3 mikehextall, Topic Starter (Members, 9 posts)

Posted 13 May 2017 - 05:20 PM

> It's Dharma, they come in through brute-forcing RDP. You shouldn't have RDP open to the world, especially with weak passwords.
>
> Afraid it cannot be decrypted. Can always try ShadowExplorer and Recuva, but otherwise proper backups are your only option.
>
> Dharma ransomware (filename.[<email>].dharma/.wallet/.zzzzz) Support Topic

 

When you say "cannot be decrypted" are you saying for ever or just at the moment until a solution is found?



#4 Demonslay335, Ransomware Hunter (Security Colleague, 3,511 posts, USA)

Posted 13 May 2017 - 05:24 PM

It's cryptographically secure, can't be broken. Your only chance is if the master key is leaked like CrySiS and the .dharma variant were, or if law enforcement seizes it from the criminals. I wouldn't put your money on it, but there's always a chance hopefully in the future. That's why backups are so darn important.




#5 quietman7, Bleepin' Janitor (Global Moderator, 51,474 posts, Virginia, USA)

Posted 13 May 2017 - 06:38 PM

Whether you can recover (decrypt) your files or not depends on what ransomware infection you are dealing with and a variety of factors. All crypto-malware ransomware uses some form of encryption algorithm; most of them are secure, but others are not. The possibility of decryption depends on the thoroughness of the malware creator, what algorithm the creator utilized for encryption, discovery of any flaws and sometimes just plain luck. Newer ransomware variants use a public and private key system where the public key is used to encrypt and the private key is used to decrypt. The private key is stored on a central server maintained by the cyber-criminals and is not available unless the victim pays the ransom or, at some point, law enforcement authorities arrest the criminals, seize the C2 server and release the private RSA decryption keys to the public. In some cases the cyber-criminals, for whatever reason, choose to release the master keys after a period of time.

Dr.Web statistics show that the probability of restoring files compromised by encryption ransomware doesn't exceed 10%. That means that most user data has been lost for good!

Dr.Web: Encryption ransomware - Threat No. 1

In cases where there is no free decryption fix tool and victims are not willing to pay the ransom, the only other alternative is to back up/save your encrypted data as is and wait for a possible breakthrough; what seems like an impossibility at the moment (decryption of your data) may someday have a solution, so there is always hope.

Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above Dharma Ransomware support topic discussion. To avoid unnecessary confusion, this topic is closed.

Thanks
The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, you may do so here.
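To make the public/private key scheme described above concrete, here is an added toy model in Python (not the malware's code and not anything from the post): a fresh symmetric key per file, the file encrypted under it, and that key wrapped with the attacker's RSA public key so only the holder of the matching private key can unwrap it. The RSA primes are small Mersenne primes chosen so the arithmetic is visible, the stream cipher is a SHA-256 keystream standing in for AES, and the "family photo" bytes are constructed; all three are assumptions for readability, not what Dharma actually uses.

```python
import hashlib
import os

# Toy RSA parameters, chosen for illustration only (assumption: not taken from
# any real sample). These Mersenne primes give a 188-bit modulus that is
# trivially factorable; real ransomware uses 1024/2048-bit keys, which is the
# whole reason "cannot be decrypted" holds.
P_DEFAULT = 2**127 - 1
Q_DEFAULT = 2**61 - 1
E = 65537
KEY_BYTES = 16


def toy_rsa_keypair(p=P_DEFAULT, q=Q_DEFAULT):
    """Return ((n, e), (n, d)). The private half lives only on the criminals'
    server; the victim machine is shipped the public half."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse, Python 3.8+
    return (n, E), (n, d)


def wrap_key(pub, file_key):
    """Textbook (unpadded) RSA of the per-file key: toy, real code pads."""
    n, e = pub
    m = int.from_bytes(file_key, "big")
    if m >= n:
        raise ValueError("key larger than modulus")
    return pow(m, e, n)


def unwrap_key(priv, wrapped):
    """Recover the per-file key. A wrong private key yields an arbitrary
    residue, clamped to KEY_BYTES so the caller gets garbage, not an error."""
    n, d = priv
    m = pow(wrapped, d, n)
    return (m % (1 << (8 * KEY_BYTES))).to_bytes(KEY_BYTES, "big")


def keystream_xor(key, data):
    """Toy stream cipher: SHA-256 counter-mode keystream XORed over data.
    Stands in for the AES the real malware uses; symmetric, so the same
    call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_file(plaintext, attacker_pub, file_key=None):
    """Victim side: fresh symmetric key per file, file encrypted under it, the
    key wrapped with the attacker's public key and stored beside the
    ciphertext. The plaintext key is then discarded; nothing left on disk
    can unwrap it."""
    file_key = file_key or os.urandom(KEY_BYTES)
    ciphertext = keystream_xor(file_key, plaintext)
    wrapped = wrap_key(attacker_pub, file_key)
    return ciphertext, wrapped


def decrypt_file(ciphertext, wrapped, attacker_priv):
    """Key-holder side: the only party that can unwrap, which is why a leaked
    or seized master private key unlocks every victim of that key at once."""
    return keystream_xor(unwrap_key(attacker_priv, wrapped), ciphertext)


if __name__ == "__main__":
    pub, priv = toy_rsa_keypair()
    photo = b"\xff\xd8\xff\xe0 JFIF constructed family photo bytes " * 4
    ct, wrapped = encrypt_file(photo, pub)
    print("on the victim's disk:", ct[:8].hex(), "... plus wrapped key", hex(wrapped)[:18], "...")
    print("with the criminals' private key:", decrypt_file(ct, wrapped, priv) == photo)
    _, other_priv = toy_rsa_keypair(2**89 - 1, 2**107 - 1)  # someone else's key
    print("with any other private key:    ", decrypt_file(ct, wrapped, other_priv) == photo)
```

The point the model makes is the one the post makes: after the run, the victim's disk holds only ciphertext plus RSA-wrapped keys, so recovery needs either the private key (paid for, seized, or leaked) or a flaw in how the malware generated or handled the file keys. Restoring from a backup the malware could not reach sidesteps the question entirely.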