Java NotDharma (.java extension; Decrypt Instructions.txt)


29 replies to this topic

#1 artazil


Posted 12 April 2018 - 10:10 AM

One of my servers got hit, I'm not sure if it's a new Dharma variant or not - it doesn't seem to follow the typical file renaming scheme - As an example, "DHCM.png" became "DHCMpng.java".

 

It drops "Decrypt Instructions.txt" everywhere, which contains the following one line: "All of your files are encrypted, to decrypt them write us to email: ffgghtdfg@cock.li"

 

I've run multiple encrypted files through ID Ransomware, and it can't determine what it is. Got the following case #: Please reference this case SHA1: 2068d5bb3525669363924cec1aedb2731693900a

 

I've tried running Kaspersky's Rakhni decryptor on it, no luck.

 

Any confirmation that it's Dharma (or something else) would be most appreciated. Thank you so much.




#2 Demonslay335


Posted 12 April 2018 - 10:19 AM

It doesn't look like Dharma from the encrypted file. There's no CrySiS filemarker at the end, so it's either corrupted, or something new.

 

We will need the malware executable itself to analyze. If you can find it, please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#3 artazil


Posted 12 April 2018 - 10:56 AM

No luck finding it so far.

Some good news: Our management software pulled event log data before it was wiped.

Some bad news: It looks like an old version of Symantec.Cloud Endpoint Protection was running, and quarantined the malware. Because we're not paying for it anymore, we can't check the quarantine.

More bad news: The malware totally defeated Webroot SecureAnywhere, which is what we're currently running.

More bad news: It installed some new services.

Even more bad news: The client's internet connection isn't great, and they decided not to replicate backups off site. Guess what got nuked? Yeah, their backups. We have a system image from 2016, when we built the server, offsite. Looks like we'll be rebuilding from that.


Edited by artazil, 12 April 2018 - 10:56 AM.


#4 Demonslay335


Posted 12 April 2018 - 11:02 AM

Make sure RDP wasn't accessible from outside the LAN. Cuz no antivirus in the world will protect you when someone literally has control of the system.

 

Also, you shouldn't be running multiple antiviruses on the same system.




#5 artazil


Posted 12 April 2018 - 11:06 AM

RDP requires network-level permissions, is limited to a few users, and is only available on the LAN - it's totally blocked on the WAN - first thing I checked.

And I agree, the Symantec was a leftover I didn't realize was still running.



#6 Amigo-A


Posted 13 April 2018 - 02:55 AM

artazil
Please, upload the original file Decrypt Instructions.txt
 
 
---
 
I am temporarily calling it Java NotDharma Ransomware, until there is evidence of a relation with some other Ransomware.
And I made a link to this topic of the forum.
 
 

Edited by Amigo-A, 13 April 2018 - 05:20 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#7 artazil


Posted 13 April 2018 - 09:00 AM

Thank you, Amigo-A.

I've uploaded it here: https://www.sendspace.com/file/z82n9j

This is a nasty one - it killed Shadow Copies, of course, but it also deleted StorageCraft backups permanently.



#8 Amigo-A


Posted 13 April 2018 - 11:54 AM

artazil

Thank you. 

I have posted all the information you submitted, including the graphical elements, so that search engines can find it and victims are led to this topic.




#9 quietman7


Posted 13 April 2018 - 03:21 PM

...I am temporarily calling it Java NotDharma Ransomware, until there is evidence of a relation with some other Ransomware.

For now, I changed the topic title to reflect that as well.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#10 PROCOM


Posted 14 April 2018 - 07:49 AM

Hello.

I've got .java encrypted files

 

https://www.sendspace.com/file/ueg691



#11 PROCOM


Posted 14 April 2018 - 09:19 AM

Hello.

More files, photos, instructions and 1st file infected.

 

https://www.sendspace.com/file/3jsqvr



#12 Amigo-A


Posted 15 April 2018 - 11:26 AM

PROCOM

Your files are encrypted by Dharma Ransomware
This can be seen from the template, the ransom note and the screenshots of the files.
 
FILES ENCRYPTED.txt
all your data has been locked us
You want to return?
write email gettkey@qq.com or xtrachance@qq.com

 

 

Extensions pattern: .id-xxxxxxxx.[gettkey@qq.com].java
Extensions sample: .id-D86B1905.[gettkey@qq.com].java
 
Info.hta

Edited by Amigo-A, 15 April 2018 - 11:27 AM.

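A small triage helper, added here as an example (not code from the thread or from any of the posters), that sorts file names into the two renaming schemes discussed in this topic: the Dharma pattern `.id-xxxxxxxx.[email].java` from Amigo-A's post and the "DHCM.png" to "DHCMpng.java" rename from the opening post. The extension list and the sample names are constructed; recovering the original NotDharma name is a guess, since that variant simply drops the dot.

```python
"""Triage helper for the two renaming schemes seen in this thread.
Added example, not code from the forum or from any poster.
Dharma/CrySiS (per Amigo-A's post): name.ext.id-XXXXXXXX.[email].java
'Java NotDharma' (per the opening post): the dot of the original
extension is dropped and '.java' is appended, e.g. DHCM.png -> DHCMpng.java."""
import re
from collections import Counter

# Dharma extension pattern quoted in the thread: .id-xxxxxxxx.[email].java
DHARMA_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]\s]+)\]\.java$"
)

# Constructed list of extensions used to guess the original NotDharma name.
COMMON_EXTS = ("png", "jpg", "jpeg", "docx", "xlsx", "pdf", "txt", "zip", "bak")

# Ransom-note file names mentioned in the thread, mapped to the family.
NOTE_NAMES = {
    "decrypt instructions.txt": "notdharma-java",
    "files encrypted.txt": "dharma",
    "info.hta": "dharma",
}


def classify(name: str) -> dict:
    """Return the suspected family and, when recoverable, the original name."""
    if name.lower() in NOTE_NAMES:
        return {"family": NOTE_NAMES[name.lower()], "kind": "note", "original": None}
    m = DHARMA_RE.match(name)
    if m:
        return {"family": "dharma", "kind": "file", "original": m["orig"],
                "id": m["id"].upper(), "email": m["email"]}
    if name.lower().endswith(".java"):
        stem = name[:-5]
        for ext in COMMON_EXTS:
            # Guess: the stem ends in a known extension whose dot was stripped.
            if stem.lower().endswith(ext) and len(stem) > len(ext):
                return {"family": "notdharma-java", "kind": "file",
                        "original": f"{stem[:-len(ext)]}.{ext}"}
        return {"family": "java-unrecognized", "kind": "file", "original": None}
    return {"family": "unknown", "kind": "file", "original": None}


def summarize(names) -> Counter:
    """Count suspected families across a list of file names."""
    return Counter(classify(n)["family"] for n in names)


if __name__ == "__main__":
    SAMPLE = ["DHCMpng.java", "Decrypt Instructions.txt",
              "report.docx.id-D86B1905.[gettkey@qq.com].java", "Info.hta"]
    print(summarize(SAMPLE))
```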


#13 artazil


Posted 15 April 2018 - 01:04 PM

I have uploaded the malware quarantined by Symantec to https://www.sendspace.com/file/d6enif

I'm sure you have ways to decrypt it - Hexacorn http://www.hexacorn.com/blog/category/software-releases/dexray/ seems to have worked for me.

I tried uploading decrypted malware, but Sendspace keeps rejecting it.

 

Thanks again.



#14 quietman7


Posted 15 April 2018 - 02:53 PM

@PROCOM

Amigo-A has confirmed your ransomware infection. Please continue in the Dharma Support topic, where you have already posted the same information.

#15 Amigo-A


Posted 16 April 2018 - 08:05 AM

 but Sendspace keeps rejecting it.

 

 

Before sending malicious files, you need to put them in an archive with the password "virus".

 

Opening or exploring a file from Symantec's quarantine can only be done in Symantec.

For all others it's Mr. Unknown


Edited by Amigo-A, 16 April 2018 - 08:10 AM.





