
Dharma/Crysis/Unlock92 similar ransomware

5 replies to this topic

#1 cav21

cav21

  • Members
  • 2 posts

Posted 02 November 2017 - 11:48 AM

Hi all,

 

I have a computer which was infected by ransomware. All the files have been renamed to [File Name] id-52350DFG.[decrypt.guarantee@aol.com].block and the ransom note shows:

[FILES ENCRYPTED]

all your data has been locked us
You want to return?
write email decrypt.guarantee@aol.com

I tried uploading into ID Ransomware twice and received 2 different results: Crysis or Dharma the 1st time, and Unlock92 the 2nd time. I have gone through the other topics on the forum and it seems like the ransom notes and file names are different. I have tried running the decryptors for Crysis, Dharma and Unlock92 with no result. I have a copy of the encryptor, which surprisingly did not delete itself from the computer. I'd appreciate it if someone could provide some guidance on what to do next. Thank you.



#2 Amigo-A

Amigo-A

  • Members
  • 220 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 02 November 2017 - 01:14 PM

cav21

The extension pattern id-<id>.[decrypt.guarantee@aol.com].block has been used by Unlock92 Ransomware since September 2017.

 

Topic on the forum: https://www.bleepingcomputer.com/forums/t/658644/a-way-to-decrypt-block-ransomware/

Description of all versions: https://id-ransomware.blogspot.ru/2016/07/unlock92-ransomware-unlock92india.html


Need info about Crypto-Ransomware? A huge safe base here!

Digest about Crypto-Ransomwares (In Russian) + Google Translate Technology

Anti-Ransomware Project  (In Russian) + Google Translate Technology and links
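The first two posts quote the renamed-file layout (original name, then id-<id>, then the contact e-mail in square brackets, then an added extension) and the text of the ransom note. When triaging a machine like this one, the first useful step is to inventory the renamed files and pull the victim id, contact address and extension out of them, then check that the addresses in the file names agree with the address in the note. The script below is an added example for that triage step; it is not code from this thread, from ID Ransomware or from any of the tools linked here. The regular expression, the sample file names and the sample note are constructed from the patterns quoted above and are assumptions about the layout, not a family signature; only file names are examined, no file contents are read.

```python
import re
from collections import Counter
from pathlib import Path

# Naming pattern quoted in this thread (a Dharma/CrySiS-style layout):
#     <original name>.id-<victim id>.[<contact email>].<added extension>
# The original poster typed a space instead of the dot before "id-", so
# either separator is accepted. The victim id is kept alphanumeric rather
# than strictly hex because the id quoted in the first post contains a "G".
# This regex is an assumption drawn from the quoted names, not a signature.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)[. ]id-(?P<victim_id>[A-Za-z0-9]+)"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

# Loose e-mail matcher for pulling contact addresses out of a ransom note.
EMAIL_IN_NOTE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def parse_encrypted_name(name):
    """Split one file name into its parts, or return None if it does not match."""
    m = ENCRYPTED_NAME.match(name)
    return m.groupdict() if m else None


def summarise(names):
    """Count files per (victim id, contact email, added extension) triple.

    Returns the Counter plus the list of names that did not match the pattern;
    those are the ones to submit to an identification service rather than guess at.
    """
    counts = Counter()
    unmatched = []
    for name in names:
        parts = parse_encrypted_name(name)
        if parts is None:
            unmatched.append(name)
            continue
        key = (parts["victim_id"].upper(), parts["email"].lower(), parts["ext"].lower())
        counts[key] += 1
    return counts, unmatched


def extract_contact_emails(note_text):
    """Return the distinct, lower-cased e-mail addresses found in a ransom note."""
    return sorted({m.group(0).lower() for m in EMAIL_IN_NOTE.finditer(note_text)})


def triage(names, note_text):
    """Combine the file-name summary with the note so mismatches stand out.

    An address that appears in file names but not in the note (or the reverse)
    hints that more than one variant, or a different family, is involved.
    """
    counts, unmatched = summarise(names)
    note_emails = set(extract_contact_emails(note_text))
    name_emails = {email for (_, email, _) in counts}
    return {
        "groups": dict(counts),
        "unmatched": unmatched,
        "note_emails": sorted(note_emails),
        "emails_only_in_names": sorted(name_emails - note_emails),
        "emails_only_in_note": sorted(note_emails - name_emails),
    }


def scan_directory(root, note_text=""):
    """Walk a directory tree and triage file names only; no file content is read."""
    names = [p.name for p in Path(root).rglob("*") if p.is_file()]
    return triage(names, note_text)


# Constructed sample input, modelled on the names and note quoted in the thread.
SAMPLE_NAMES = [
    "report.docx.id-52350DFG.[decrypt.guarantee@aol.com].block",
    "budget.xlsx id-52350DFG.[decrypt.guarantee@aol.com].block",
    "photo.jpg.id-49509AB8.[support@decrypt.ws].arena",
    "notes.txt",
]
SAMPLE_NOTE = (
    "[FILES ENCRYPTED]\n"
    "all your data has been locked us\n"
    "You want to return?\n"
    "write email decrypt.guarantee@aol.com\n"
)

if __name__ == "__main__":
    report = triage(SAMPLE_NAMES, SAMPLE_NOTE)
    for (victim_id, email, ext), n in sorted(report["groups"].items()):
        print(f"id={victim_id} email={email} ext=.{ext} files={n}")
    print("unmatched:", report["unmatched"])
    print("only in names:", report["emails_only_in_names"])
```

Run it as-is to see the constructed sample, or call scan_directory(path, note_text) against a copy of the affected volume. The grouping by (id, e-mail, extension) is what makes a second variant visible: in the constructed sample the .arena files carry a different id and address than the note, which is exactly the kind of discrepancy worth mentioning when uploading samples.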


#3 Demonslay335

Demonslay335

    Ransomware Hunter


  • Security Colleague
  • 3,243 posts
  • Gender:Male
  • Location:USA

Posted 02 November 2017 - 02:24 PM

I'm seeing uploads with that extension are getting tagged as the latest CrySiS/Dharma based on the filemarkers, so that leads me to believe it could be that instead.

 

By the way, the CrySiS decrypter is only for older versions where the keys were leaked, and the Unlock92 decrypter is only for the 1.0 version of the malware before they patched the flaws.

 

Can you share a few encrypted files and the ransom note? ID Ransomware deleted them all due to positive identification.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 cav21

cav21
  • Topic Starter

  • Members
  • 2 posts

Posted 03 November 2017 - 12:03 AM

Quoting Demonslay335:

    I'm seeing uploads with that extension are getting tagged as the latest CrySiS/Dharma based on the filemarkers, so that leads me to believe it could be that instead.

    By the way, the CrySiS decrypter is only for older versions where the keys were leaked, and the Unlock92 decrypter is only for the 1.0 version of the malware before they patched the flaws.

    Can you share a few encrypted files and the ransom note? ID Ransomware deleted them all due to positive identification.

Where do I share the encrypted files and ransom note? By the way, where can I submit the encryptor sample?

From what I know, ransomware usually deletes itself right after encryption is completed. But in my case, a newly inserted removable device will still be encrypted.


Edited by cav21, 03 November 2017 - 12:04 AM.


#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 49,905 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 03 November 2017 - 06:45 AM

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse button.

Microsoft MVP Consumer Security 2007-2015
Microsoft MVP Reconnect 2016
Windows Insider MVP 2017
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#6 Amigo-A

Amigo-A

  • Members
  • 220 posts
  • Gender:Male
  • Location:3st station from Sun

Posted 03 November 2017 - 12:51 PM

.id-49509AB8.[support@decrypt.ws].arena
Email: support@decrypt.ws

The domain decrypt.ws is not a public email service, as one might think. This domain was recently attached to Hostland.ru, but registered in Germany (phone code +49). Previously, the domain decrypt.ws was written up because of the activity of Paradise Ransomware -- ransom email info@decrypt.ws.

This means that those who promoted Paradise either are connected with Dharma or have moved over to them.
