
Damoclis gladius Ransomware


4 replies to this topic

#1 Caldetron (Members, 5 posts)

Posted 03 July 2017 - 03:09 PM

Hi!
Tried to look for a sticky to know what I'd have to provide here to get most help but couldn't find any.

I've been hit with a ransomware called Damoclis gladius. According to ID Ransomware it's Cry36, but I can't find any information about it other than a separate thread with some guy who just formatted his computer as a solution (found here: https://www.bleepingcomputer.com/forums/t/647326/new-ransomware-infected-both-work-and-my-computer-at-home/?hl=%2Bdamoclis). I have no idea where it came from; the computer worked like a charm last night. This evening when I sat down at my computer it had been logged out from Windows, and once I logged in I got struck with a HOWTODECRYPTFILES.html in my browser. At first glance it seemed like only pictures and documents were affected. After a reboot more was encrypted, such as exe files and random file types used for certain programs.

Ugh, CryptoSearch found 36258 encrypted folders...

How can I check what malware caused the infection?
Malwarebytes found the following after a scan I did post encryption, which I put in quarantine:
Adware.1ClickDownload
Adware.Elex
Pup.Optional.BitCoinMiner
Pup.Optional.Elex
RiskWare.BitCoinMiner

I understand there is no decryption for Cry36. My question is if I could just backup the files I want to save for future decryption, and if that's all I have to do? Will a fresh installation of Windows suffice to get rid of the ransomware? I have files encrypted on other drives as well.

There's so much information here, technical too, and I find it a bit overwhelming.

Thanks in advance for the help.

#2 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 03 July 2017 - 04:01 PM

In cases where restoring from backup is not a viable option and there is no free decryption tool, the only other alternative to paying the ransom is to backup/save your encrypted data as is and wait for a possible breakthrough...meaning, what seems like an impossibility at the moment (decryption of your data), there is always hope someday there may be a potential solution.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes, key data files (if applicable) and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, there is no guarantee it will work properly or that the malware developer will not release a new variant to defeat the efforts of security researchers, so keeping a backup of the original encrypted files and related information is a good practice.

If ID Ransomware is identifying this as a variant of Cry36, then Demonslay335 must have updated the service after the other topic was started. There is an ongoing discussion in this topic where victims can post comments, ask questions and seek further assistance. Other victims have been directed there to share information, experiences and suggestions.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Caldetron, Topic Starter (Members, 5 posts)

Posted 04 July 2017 - 02:23 AM

Thank you for the reply.
I'm a bit confused as to the following: "Any files that are encrypted with Cry9Cry36 will have a random 5 character hexadecimal extension appended to the end of the encrypted data filename". This does not comply with my extension, my files got .damoclis extension.

I'll post in that thread, thank you.



#4 quietman7, Bleepin' Janitor (Global Moderator, 51,399 posts, Virginia, USA)

Posted 04 July 2017 - 06:48 AM

If it is new, the malware developers may have changed the extension pattern.

#5 Amigo-A (Members, 510 posts)

Posted 04 July 2017 - 07:53 AM

"My question is if I could just backup the files I want to save for future decryption, and if that's all I have to do?"

Yes, you should always create 1-2 backup copies of encrypted files.
You can use CryptoSearch to automate this process.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.
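The advice in this thread, from quietman7's post #2 onward, is to preserve the encrypted files and ransom notes exactly as they are and keep more than one copy. The script below is an added example of doing that; it is not from the thread and it is not CryptoSearch or any other tool mentioned here. The only values taken from the thread are the .damoclis extension and the HOWTODECRYPTFILES.html note name; the five-hex-character regex is my reading of the "random 5 character hexadecimal extension" pattern Caldetron quoted for Cry9/Cry36, and the archive layout and manifest format are my own assumptions. It walks a directory read-only, copies every matching file into a separate archive directory with its relative path and timestamps intact, verifies each copy by SHA-256 and writes a manifest so the backup can be checked again later.

```python
"""Preserve encrypted files and ransom notes for possible future decryption."""
import hashlib
import json
import os
import re
import shutil
import tempfile
from pathlib import Path

# Values taken from the thread: the .damoclis extension and the ransom-note name.
ENCRYPTED_EXTENSIONS = {".damoclis"}
RANSOM_NOTE_NAMES = {"HOWTODECRYPTFILES.html"}
# Our reading of the quoted Cry9/Cry36 pattern ("random 5 character hexadecimal
# extension"). It is a heuristic: a legitimate extension made only of hex
# characters, such as .accdb, also matches, so review the manifest afterwards.
# A false positive only means one extra file gets copied; nothing is deleted.
HEX5_EXT = re.compile(r"^\.[0-9a-fA-F]{5}$")


def classify(path):
    """Return 'encrypted', 'note' or None for one file path (string or Path)."""
    p = Path(path)
    if p.name in RANSOM_NOTE_NAMES:
        return "note"
    if p.suffix.lower() in ENCRYPTED_EXTENSIONS or HEX5_EXT.match(p.suffix):
        return "encrypted"
    return None


def sha256_of(path):
    """Stream a file through SHA-256 so large files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(source_dir, archive_dir):
    """Copy every encrypted file and ransom note under source_dir into
    archive_dir, keeping relative paths and timestamps, verify each copy by
    hash, and write archive_dir/manifest.json. The source tree is only read.
    Returns the manifest dict."""
    source = Path(source_dir).resolve()
    archive = Path(archive_dir).resolve()
    # Refuse to archive into the tree being walked; the copies would be re-walked.
    if archive == source or source in archive.parents:
        raise ValueError("archive_dir must lie outside source_dir")
    archive.mkdir(parents=True, exist_ok=True)
    manifest = {"source": str(source), "encrypted": [], "notes": []}
    for root, dirs, files in os.walk(source):
        dirs.sort()  # deterministic order, so two runs give comparable manifests
        for name in sorted(files):
            src = Path(root) / name
            kind = classify(src)
            if kind is None:
                continue
            rel = src.relative_to(source)
            dst = archive / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)  # copy2 preserves mtime, useful as evidence later
            digest = sha256_of(src)
            if sha256_of(dst) != digest:
                raise RuntimeError(f"copy verification failed for {rel}")
            entry = {"path": rel.as_posix(), "size": src.stat().st_size, "sha256": digest}
            manifest["notes" if kind == "note" else "encrypted"].append(entry)
    (archive / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Build a small constructed victim tree in a temp directory, preserve it,
    and return the manifest. File names and contents are made up for the example."""
    base = Path(tempfile.mkdtemp(prefix="ransom-preserve-"))
    victim = base / "victim"
    (victim / "Documents").mkdir(parents=True)
    (victim / "Pictures").mkdir()
    (victim / "Documents" / "thesis.docx.damoclis").write_bytes(os.urandom(256))
    (victim / "Documents" / "HOWTODECRYPTFILES.html").write_text("<html>constructed note</html>")
    (victim / "Pictures" / "holiday.jpg.a1f9c").write_bytes(os.urandom(256))  # Cry36-style name
    (victim / "Pictures" / "untouched.png").write_bytes(b"\x89PNG constructed")
    return preserve(victim, base / "archive")


if __name__ == "__main__":
    m = demo()
    print(f"{len(m['encrypted'])} encrypted files and {len(m['notes'])} notes preserved")
```

Run it twice against two different archive locations (for example an external drive and a second disk) to get the 1-2 copies Amigo-A recommends; the manifest hashes let you confirm later that neither copy has changed. Files with a hex-looking legitimate extension such as .accdb will be swept up by the heuristic, which is harmless but worth knowing when you read the manifest.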