Dharma ransomware (<id>-<id***8 random>.[<email>].dharma) Support Topic

Hello, I've got the same problem.

 

The ransomware was ran on our server and although was ran (probably) under one of limited user accounts, it still encrypted the database of one of information system we use. (Unfortunely whoever use this infosystem, needs to have R/W access to the files and raw database of the infosystem) The problem is I haven't got up-to-date backups (shame on me).

 

The server has Remote Desktop (Terminal Services) and it was used by the attack, I believe the password must have been guessed using bruteforce.

 

Naming example is "desktop.ini.[bitcoin143@india.com].dharma". The ransomware README.txt AND README.jpg is also to be found. I have some original files before encryption available for analysis, etc.

 

I found the file called "Skanda 23.exe" and I believe that is the main ransomware program file. It is accually a SFX archive, that contains files Ripoff.Acm , qiblas.dll and System.dll (in a subfolder).

I tried to ran the Kaspersky tool mentioned here, but with no luck.

 

 

I can offer you my full assistance while solving this problem, I can't say I see any other option now. Thank you for your work in advance.

Yesterday my server got hit the same problem.

 

All of my file got encrypted and rename to  filename.[pay4help@india.com].dharma

My database backup file is also got encrypted. Is there any good tool to decrypt the .bak file?

I have original files of some other encrypted files for any analysis.

 

I appreciate your help

It has been confirmed this is a variant based on CrySiS, but is not decryptable. We suspect someone forked the code and generated their own keys that were not part of the leaked set.

 

https://twitter.com/PolarToffee/status/799289754437165056

Victims can find more information about the original CrySiS variants in this CrySiS Ransomware Support Topic.

Since Dharma is a confirmed new variant which is not decryptable, for now we will keep this as a separate support topic to avoid confusion.

Using a false email account on a temp server I reached out to the email mentioned in the filenames/readme.

I provided a copy of one of the encrypted files for reference as to which site, as there was no ID to be found anywhere.

 

I received a response this morning asking for a file with the extension XTBL, but there are none on this machine. I'm now not sure the perpetrator fully understands what they're doing, or that they are actually capable of decrypting the files.

Hi to all. Here yesterday 8PM (GMT-3) we also had an infection with this "dharma" ransom. No one was using the PC and no pendrive nor email was opened. It just installed itself in a Windows 7 PC with NOD32 updated. I change the extension from a encrypted file to .locked to work with the Kaspersky RakhniDecryptor and it's looking for a key. I'll post if it can find one.

Edited by Pablomasc, 19 November 2016 - 12:42 PM.

Crypto malware (file encrypting ransomware) is typically spread through some type of "user interaction"...opening a malicious email attachment, executing a malcious file, via web exploits, exploit kits and drive-by downloads when visiting compromised web sites. Most infections from exploits are primarily the result of "passive user interaction"...that is the victims were careless or too lazy to update vulnerable software and close the security holes which could have prevented such an infection.

Is there any solution yet?

 

I am also infected with the Darma ransomwere.

Shadow explorer or windows restore do not work, because everything has been deleted.

 

Thank you

Unfortunately, there is no known way at this time to decrypt files encrypted by Dharma without paying the ransom. Our crypto-malware experts who analyze these infections suspect another cyber criminal forked the code and generated their own keys that were not part of the leaked master decryption keys for the original CrySiS variants.

When or if a solution is found, that information will be provided in this support topic and you will receive notification if subscribed to it. In addition, a news article most likely will be posted on the BleepingComputer front page.

This is an analysis of Dharma Crysis ransomware in action. I pulled the virus from a user's profile and submitted to Malwr.

https://malwr.com/analysis/ZjZiNTkzOGE5ZWY5NDkxNmIwZWUwOGZlOTliNWNlZDA/

Any news about the decrypter?

 

I was infected the last friday

See Post #24 above.

Victims can find more information about the original CrySiS variants in this CrySiS Ransomware Support Topic.

Since Dharma is a confirmed new variant which is not decryptable, for now we will keep this as a separate support topic to avoid confusion.

 

Any news about the decrypter?

I just replied to your previous question.

I couldn't find a way to decrypt the files. We restored from a previous backup but I keep the encrypted files in case of a future tool. I'll post here any advance