Was led to this forum when we were hit with ransomware today. We are scratching our heads on next steps. Here is what I can tell you:
- AV SW was uninstalled leading me to believe we were hacked via RDP
- Trying to open any folder called "bitdefender" or "Avast" would halt Windows Explorer. Unfortunately we killed a few too many processes without documenting the possible culprits.
- Files are appended with ".id-2559797930_[firstname.lastname@example.org].a97rq"
- The ransom note contains: "*** ALL YOUR WORK AND PERSONAL FILES HAVE BEEN ENCRYPTED *** To decrypt your files you need to buy the special software – «Nemesis decryptor» You can find out the details / buy decryptor + key / ask questions by email: email@example.com
- ID Ransomware identifies this as Dharma.
- CRY128 fails
- CrypON (Nemesis decrypter) fails
- File size difference is 36 bytes. Emsisoft is calling this Cry36 for which there is no known remedy yet.
This is my first time on boards like this. Please let me know what I can do to help my situation. I do have a pair of known good and infected/locked files.
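Added example (not part of the post above, and not a decryptor): a small triage script for the situation the poster describes, where you have a known-good file and its locked counterpart. It parses the appended `.id-<digits>_[<email>].<suffix>` naming pattern quoted in the post, and compares the pair for size difference (the post reports 36 bytes), byte entropy and a changed header, which tells you whether the file really was encrypted rather than just renamed. The sample files, the regex name `DHARMA_EXT` and the entropy threshold are this example's own assumptions; the 36-byte delta is the value from the post.

```python
import math
import os
import random
import re
import tempfile
from collections import Counter

# Naming pattern quoted in the post: <original name>.id-<digits>_[<email>].<suffix>
# (name of this regex is an assumption of this example, not a vendor identifier)
DHARMA_EXT = re.compile(
    r"\.id-(?P<id>\d+)_\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_locked_name(filename):
    """Split a locked file name into (victim_id, contact_email, suffix, original_name).

    Returns None when the name does not follow the pattern, which is itself
    useful: it means this file was not renamed by the same strain.
    """
    m = DHARMA_EXT.search(filename)
    if not m:
        return None
    return m.group("id"), m.group("email"), m.group("ext"), filename[: m.start()]


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty or constant data, near 8.0 for ciphertext)."""
    if not data:
        return 0.0
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def compare_pair(good_path, locked_path):
    """Compare a known-good file with its locked twin and summarise what changed."""
    with open(good_path, "rb") as f:
        good = f.read()
    with open(locked_path, "rb") as f:
        locked = f.read()
    good_h = shannon_entropy(good)
    locked_h = shannon_entropy(locked)
    return {
        "size_delta": len(locked) - len(good),   # post reports +36 bytes
        "good_entropy": round(good_h, 2),
        "locked_entropy": round(locked_h, 2),
        "header_changed": good[:16] != locked[:16],
        # Assumption: real encryption pushes entropy close to 8 bits/byte;
        # a merely renamed file would keep the original's entropy.
        "looks_encrypted": locked_h > 7.0 and locked_h > good_h,
    }


def demo():
    """Build a constructed good/locked pair on disk and run the comparison."""
    # Constructed sample: a plain-text "document" and a pseudo-random body
    # with a 36-byte trailer, mimicking the size difference the post describes.
    good_bytes = b"Quarterly report. Revenue up, costs flat. See appendix.\n" * 20
    rng = random.Random(2559797930)   # seeded so the demo is repeatable
    locked_bytes = bytes(rng.getrandbits(8) for _ in range(len(good_bytes) + 36))

    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "report.txt")
        locked_path = os.path.join(
            d, "report.txt.id-2559797930_[firstname.lastname@example.org].a97rq"
        )
        with open(good_path, "wb") as f:
            f.write(good_bytes)
        with open(locked_path, "wb") as f:
            f.write(locked_bytes)
        result = compare_pair(good_path, locked_path)
        result["name"] = parse_locked_name(os.path.basename(locked_path))
        return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Run it against your own pair by calling `compare_pair(good, locked)` with the two paths; a consistent delta across several pairs plus near-8-bit entropy is the kind of evidence an ID service or a vendor like Emsisoft asks for, so keep the untouched pairs and the ransom note rather than deleting anything else.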