Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Possible new version of Nemesis/Dharma

  • This topic is locked This topic is locked
1 reply to this topic

#1 Ruben-e


  • Members
  • 16 posts
  • Local time:04:35 AM

Posted 30 May 2017 - 01:32 AM

It all started when I got to the office on Monday morning. Half the files on the server are encrypted!

Up until this point I identified which PC was attacked (our storage server through RDP - on a nonstandard port), yet all I managed to find was a Bitcoin miner (Trojan.Win64.BitMin.ft) through a scan with Kaspersky. The actual ransomware was never detected. I performed a manual search in the system and used ESET, Malwarebytes and Norton - nothing!


Now for the fun part...

It encrypted any file it could access. Here is one example of an encrypted file name:

Asset Register Final.xlsx.id-YYYYYYYYYY_[mk.baraka@aol.com].830s7

Each folder also has a file named ### DECRYPT MY FILES ###.txt


To decrypt your files you need to buy the special software – «Nemesis decryptor»
You can find out the details / buy decryptor + key / ask questions by email: mk.baraka@aol.com

Your personal ID: YYYYYYYYYY


I just censored the personal ID.

https://id-ransomware.malwarehunterteam.com detects this as Dharma(based on the email address), however the ransom note points to Nemesis. It is not either of these since the file name does not contain the .dharma/.nemesis/.wallet extensions


The decryptors for CryptON, Cry9, Cry128, Crysis and Rakkhni do not work.

The encrypted and unencrypted files are exactly the same size. I played around in the hex editor and it is clear that only the file header is encrypted. In an xls file I can still see the data. Copying/manipulating the header allowed me to open and repair one of the .xls files and actually see the spreadsheets and entries - though it took an hour.


I found the miner under C:\Users\<user>\Videos\Intel

Under C:\Users\<user>\Videos I found the ransomware's background image


Inside this folder I also found something interesting...



The log files show Kaspersky Endpoint Security suffered a critical error around the time of the malware infection. This was on a "Limited" user account.

Edited by Ruben-e, 30 May 2017 - 03:28 AM.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,889 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:09:35 PM

Posted 30 May 2017 - 05:44 AM

Ruben-e was dealing with CryptON (Cry9, Cry36, Cry128, X3M, Nemesis).

You are dealing with Amnesia.

Fabian Wosar released a decrypter for victims of this infection.However, the decrypter does not work on some of the newer Amnesia variants so they are still investigating and analyzing.

There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.Rather than have everyone with individual topics, it would be best (and more manageable for staff) if you posted any more questions, comments or requests for assistance in the above support topic discussion...it includes experiences by experts, a variety of IT consultants, end users and company reps who have been affected by ransomware infections. To avoid unnecessary confusion, this topic is closed.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users