Java NotDharma (.java extension; Decrypt Instructions.txt)


29 replies to this topic

#16 artazil

  • Topic Starter

Posted 16 April 2018 - 11:58 AM

Virustotal certainly doesn't like it: https://www.virustotal.com/#/file/f3c0291f31fd01f3a27e61d010acfa56611eb6e02935741ee9da169eedbc7c66/detection

 

I took your advice: https://www.sendspace.com/file/3hvl6g

Password is virus

 

Thanks again!




#17 Amigo-A


Posted 17 April 2018 - 04:55 AM

 

OK. I signed it. 

 

Now the researchers have access to it. Maybe something will be learned.
Antivirus engines have sensed the wildfowl.

Edited by Amigo-A, 17 April 2018 - 05:25 AM.

My projects: Digest "Crypto-Ransomwares" + Anti-Ransomware Project (In Russian) + Google Translate Technology

Have you been attacked by a Ransomware? Report here. Do you know Russian? Write to me in Russian. I will help.


#18 Demonslay335

  • Security Colleague

Posted 24 April 2018 - 01:16 PM

Willing to bet they just paid the criminals, lots of "data recovery" companies are doing that without telling the customer, and acting like they are the heroes who broke it.

 

Example: https://twitter.com/SeamusHughes/status/988487142363025409


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]


#19 quietman7

  • Global Moderator

Posted 24 April 2018 - 01:42 PM

Adding to what Demonslay335 stated, Bleeping Computer cannot vouch for those who claim they can decrypt data. We have no way of knowing the background, expertise or motives of all individuals (or companies) who indicate decryption is possible. We can only advise to be cautious with whomever you are dealing with, what services they are able to provide and what claims they make before sending money to anyone.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#20 Wallak


Posted 16 May 2018 - 02:03 PM

Hi there, we have a customer that was hit by the .java extension ransomware (something like 2180146.pdf.id-EE92A032.[decrypthelp@qq.com].java) with no decryption possible. But I would like to lay out something in case someone can work around it.

 

1) Customer was infected via a badly protected RDP access; they deployed a file and encrypted everything, but they failed on point 2

2) We have the EXE that encrypts the files, they forgot to delete it

3) We tested it and we know that it doesn't need Internet to work (so no C&C; it works with some KEY created via a hardware/OS/etc... combination). We isolated the virtual machine from the internet and it encrypted all the files.

 

So if someone needs the EXE file to try to help my customer (and probably many others), send me a PM or tell me the place to upload it.

 

Many thanks. Hope we can help a lot of victims.


Wallak (aka Alik)

My name is Alik

IT Specialist, SPAIN


#21 Demonslay335

  • Security Colleague

Posted 16 May 2018 - 02:21 PM

@Wallak
 
The fact it doesn't need a C2 doesn't really mean anything in regards to its security. It likely uses asymmetric encryption (e.g. RSA), where you can have a static key embedded that is only good for encrypting, and cannot be used to decrypt without the corresponding private key.




#22 Amigo-A


Posted 16 May 2018 - 02:25 PM

Wallak

This case probably refers to a neighboring topic - real Dharma Ransomware.

They use a known extension pattern that is added to the encrypted files.

 

This email was used by them in January 2018 in the campaign with the extension .[decrypthelp@qq.com].java
Recently the same email has been used in a campaign with the extension .[decrypthelp@qq.com].arrow

 

You can upload the exe file to free services and create a public report:

 
Later attach the links in the next message.

Edited by Amigo-A, 16 May 2018 - 02:30 PM.



#23 Wallak


Posted 16 May 2018 - 02:37 PM

Ok, I uploaded the file, and these are the links:

 

https://www.virustotal.com/#/file/f252d80d6a976641dd4f9010fd1db6e097cd64a37533c6f962ede6a9161d0a82/detection

 

https://www.hybrid-analysis.com/sample/f252d80d6a976641dd4f9010fd1db6e097cd64a37533c6f962ede6a9161d0a82

 

Hope it will help.

 

Dr.Web detects it as Trojan.Encoder.3953 and gives it (according to its web statistics) an 80% chance of decryption... we will see, I opened a case.


Edited by Wallak, 16 May 2018 - 03:01 PM.



#24 quietman7

  • Global Moderator

Posted 16 May 2018 - 02:57 PM

VirusTotal indicates the submitted file is related to Dharma (CrySiS) Ransomware which encrypts files with an id-<id with 8 random hexadecimal characters>.[<email>] followed by the .java extension as you noted in Post #22 (.id-EE92A032.[decrypthelp@qq.com].java).

Unfortunately, it is not decryptable without paying the ransom and obtaining the private RSA keys from the criminals.


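As an added example (not code from the thread or from any of the posters), the naming pattern quietman7 describes above can be turned into a small triage script: it pulls the victim ID, contact email and campaign extension out of each file name and groups a directory listing by campaign, which is the kind of identification the ID Ransomware service keys on. Apart from the one file name quoted in the thread, the sample listing is constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Dharma/CrySiS naming pattern as described in the thread:
#   <original name>.id-<8 hex chars>.[<contact email>].<campaign extension>
DHARMA_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

@dataclass(frozen=True)
class EncryptedName:
    original: str
    victim_id: str
    email: str
    ext: str

def parse_dharma_name(filename: str) -> Optional[EncryptedName]:
    """Return the parsed parts if the name matches the Dharma pattern, else None."""
    m = DHARMA_NAME.match(filename)
    if not m:
        return None
    return EncryptedName(m["original"], m["victim_id"].upper(),
                         m["email"].lower(), m["ext"].lower())

def triage(filenames):
    """Count matching names per (email, ext) campaign, collect the distinct
    victim IDs seen, and keep the names that do not match (notes, untouched files)."""
    campaigns, victim_ids, unmatched = Counter(), set(), []
    for name in filenames:
        parsed = parse_dharma_name(name)
        if parsed is None:
            unmatched.append(name)
            continue
        campaigns[(parsed.email, parsed.ext)] += 1
        victim_ids.add(parsed.victim_id)
    return campaigns, victim_ids, unmatched

# Constructed sample listing; only the first name is quoted from the thread.
SAMPLE = [
    "2180146.pdf.id-EE92A032.[decrypthelp@qq.com].java",
    "budget.xlsx.id-EE92A032.[decrypthelp@qq.com].java",
    "notes.txt.id-EE92A032.[decrypthelp@qq.com].java",
    "Decrypt Instructions.txt",   # ransom note, not an encrypted file
    "report.docx.id-1A2B3C4D.[decrypthelp@qq.com].arrow",
    "readme.md",
]

if __name__ == "__main__":
    camps, ids, other = triage(SAMPLE)
    for (email, ext), n in camps.most_common():
        print(f"{n:4d} files  contact={email}  extension=.{ext}")
    print("victim IDs:", sorted(ids), " not matching:", other)
```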

#25 Wallak


Posted 17 May 2018 - 05:02 AM

Hi there again, just to say that I sent the encrypted files to an intermediary company and (in less than 12h) they sent me back the files completely recovered. Don't know how, but the victim will pay (a high price) for the offered solution; there is no other way to return to activity for a badly protected company.

 

Best Regards.




#26 quietman7

  • Global Moderator

Posted 17 May 2018 - 05:53 AM

Bleeping Computer cannot vouch for those who claim they can decrypt data. We have no way of knowing the background, expertise or motives of all companies (or individuals) who indicate decryption is possible. We can only advise to be cautious with whomever you are dealing with, what services they are able to provide and what claims they make before sending money to anyone. Our experts have found that some of these ransomware recovery services just pay the criminals, pretend they cracked the decryption and charge the victim (sometimes even more than the ransom demands)...see here. Others may instruct victims to submit one or two limited size files for free decryption as proof they can decrypt the files...many cyber-criminals do the same.

#27 Amigo-A


Posted 17 May 2018 - 07:39 AM

Collusion with criminals (scammers, extortionists and others) is a criminal offense, if a certain firm has made such an arrangement and they share with criminals the money received from the victims.
It is possible that in some countries there is no such article about collusion, but it is rather an exception to the rules.



#28 Wallak


Posted 17 May 2018 - 08:35 AM

For sure, some companies have links with criminals, but victims need options and possibilities to survive, not only a "Sorry, no way to decrypt, close your company and business". Ransomware has just become money laundering in all senses.

 

Sorry to bother you with this resolution case. Best regards.




#29 Amigo-A


Posted 17 May 2018 - 01:35 PM

 Ransomware has just become money laundering in all senses.

 

 

Yes, it is true. 

However, it was originally the same with viruses. Some groups created and distributed viruses and infected computers; others cured them and opposed those groups, as competitors. So the first anti-virus companies appeared.


Edited by Amigo-A, 17 May 2018 - 01:36 PM.



#30 quietman7

  • Global Moderator

Posted 17 May 2018 - 02:29 PM

For sure, some companies have links with criminals, but victims need options and possibilities to survive, not only a "Sorry, no way to decrypt, close your company and business". Ransomware has just become money laundering in all senses.
 
Sorry to bother you with this resolution case. Best regards.

It's not a bother. All victims are welcome to share their experiences in these discussion topics.
