Posted 24 November 2016 - 07:39 AM
Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief
If I have been helpful & you'd like to consider a donation, click
Posted 25 November 2016 - 08:52 AM
Is there a history of file decryption after a few months of the initial infection by ransomware?
Posted 25 November 2016 - 10:57 AM
Is there any way to recover my files, maybe with a program like Recuva?
For now I will clone my C: drive (OS drive) to a second drive in my computer.
Then I will format the C: drive and reinstall Windows.
Is it possible that the ransomware will come back from the clone of the C: drive?
Because I did not find any corrupt files and did not delete anything.
After that I will just wait, because maybe someday a decrypter will come out and I can have my files and pictures back?
Posted 25 November 2016 - 11:23 AM
Posted 25 November 2016 - 12:00 PM
As with most ransomware infections...the best solution for dealing with encrypted data is to restore from backups. These types of infections typically will delete all Shadow Volume Copies so that you cannot restore your files via System Restore, native Windows Previous Versions or using a program like Shadow Explorer. But it never hurts to try in case the malware did not do what it was supposed to do...it is not uncommon for ransomware infections to sometimes fail to properly delete Shadow Volume Copies. In some cases the use of file recovery software such as R-Studio or Photorec may be helpful to recover some of your original files but there is no guarantee that will work.
Thank you for the answer.
As for the backups: my antivirus did not find any corrupt files, so if I clone my drive to another drive in my computer and reinstall Windows, is it not possible that the Dharma virus reinstalls itself?
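The Shadow Volume Copy check that quietman7's quoted advice recommends, as an added example (not code from this thread or from any tool mentioned in it). It lists whatever snapshots survived and exposes one as a read-only folder so files can be copied out without ShadowExplorer. Assumptions: an elevated PowerShell session on the affected Windows host, and the mount point `C:\ShadowMount` is a placeholder.

```powershell
# Added example (not from this thread): list any Volume Shadow Copies that
# survived the ransomware run, then expose one as a read-only folder.
# Assumes an elevated PowerShell session on the affected host; the mount
# point C:\ShadowMount is a placeholder.

function Get-SurvivingShadowCopies {
    # Win32_ShadowCopy enumerates every snapshot the VSS service still knows about.
    $copies = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
    if (-not $copies) {
        Write-Warning 'No shadow copies remain. Previous Versions and ShadowExplorer will have nothing to show; fall back to backups or file-carving tools.'
        return @()
    }
    # Map each snapshot's volume GUID path back to a drive letter for readability.
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
    foreach ($c in $copies) {
        $vol   = $volumes | Where-Object { $_.DeviceID -eq $c.VolumeName }
        $drive = if ($vol) { $vol.DriveLetter } else { $c.VolumeName }
        [pscustomobject]@{
            Drive        = $drive
            Created      = $c.InstallDate
            DeviceObject = $c.DeviceObject   # e.g. \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
            Id           = $c.ID
        }
    }
}

function Mount-ShadowCopy {
    # A directory symbolic link onto the snapshot device gives read-only access
    # without third-party tools. The trailing backslash on the target is required.
    param(
        [Parameter(Mandatory)][string]$DeviceObject,
        [string]$MountPoint = 'C:\ShadowMount'
    )
    if (Test-Path -LiteralPath $MountPoint) { throw "$MountPoint already exists; pick another mount point" }
    cmd.exe /c "mklink /d `"$MountPoint`" `"$DeviceObject\`"" | Out-Null
    "Snapshot exposed at $MountPoint. Copy files out with robocopy, then remove the link with: cmd /c rmdir $MountPoint"
}

# Usage: show what survived, then mount the newest snapshot of C: if there is one.
$shadows = Get-SurvivingShadowCopies | Sort-Object Drive, Created
$shadows | Format-Table -AutoSize
$newest = $shadows | Where-Object { $_.Drive -eq 'C:' } | Select-Object -Last 1
if ($newest) { Mount-ShadowCopy -DeviceObject $newest.DeviceObject }
```

Copy recovered files to a clean volume rather than back onto the infected one, and remove the link with `rmdir` (not a recursive delete, which would try to delete the snapshot contents) when done.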
Posted 25 November 2016 - 01:09 PM
Posted 25 November 2016 - 09:36 PM
I have a PC that I just use as a live monitor for my cameras (Synology Surveillance Station). I connect to it through RDP when I need to access it. Nothing really installed on it.
Logged into it today to see my wallpaper changed, saying bitcoin143 blabla. Two instances of "Skanda 23.exe" running.
I know most times ransomware comes from an email attachment or some website, but I literally don't do anything but Surveillance Station on that machine.
Side note: the only reason I RDP'd in was because it was doing a Windows update and it hung on "configuring", so I did a physical reboot of the PC, then logged into it to see that nice wallpaper. I RDP into an admin account; my Synology web browser only displays on a non-admin account (and that user profile didn't have a notice). My only guess is it's RDP how it came in... not too sure.
Posted 27 November 2016 - 10:52 AM
Just picked up a brand new client. As such, we haven't completely gone through their systems to find all the "issues."
Woke up today to an alert that several of their servers were offline. One of their servers (Which is a Hyper-V host, DC and file server, don't get me started) ran out of space. Probably the best part in all of this. Scariest part - no backups at all (Don't ask, item #1 on the top 100 issues we found so far.)
It ran out of space because they had the box open to the world via RDP and also had weak passwords on some AD accounts. Looks like someone got in and unleashed this new Dharma ransomware.
I wanted to upload some files here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) because I have to imagine we're in a somewhat unique situation in that we "caught" the malware running: it A) didn't complete encrypting files, B) was still running, and C) the executable(s) existed.
So I found acrotray.exe in the offending user's startup folder under the start menu. It was still running as the user (even though I logged the user out and then locked the AD account.) Couldn't kill the process. Ran Process Explorer and it had a few hundred threads running, including some hooks into system and lsass. It was also running chrome.exe from the user's appdata/local/google folder. That had been running for days and I also couldn't kill this process.
Rebooted the server and neither process restarted, but both files still existed. I did some diagnosis on the server and found LOTS of the how to repair files in various folders, as well as encrypted files. Here's the kicker - it APPEARS since the process didn't finish, it never deleted the original files (In most folders.) So while the files were encrypted, I still have most of the originals. Only one folder had its original files deleted and it may not even be an important folder.
So I've uploaded an ico file that was encrypted and zeroed out. Also uploaded the acrotray.exe and some chrome files. Let me know if there's anything else I can provide whether files or info.
Did reach out to the hackers (worm01@india.com) and they want 2 bitcoins today, 3 tomorrow, 4 the next day. FYI.
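A first-hour triage script for the situation described in this post (RDP reachable from the internet, weak AD passwords, a binary parked in a user's Startup folder, a chrome.exe running out of a user profile), as an added example that is not code from the thread or from any tool named in it. It summarises failed and successful RDP logons from the Security log, lists Startup folder contents and profile-resident processes with their signature status and SHA-256 (for submission or IOC matching), and reports the RDP exposure settings. Assumptions: an elevated PowerShell session on the affected host, and `$Since` is a placeholder for the earliest suspected intrusion time.

```powershell
# Added example (not from this thread): first-hour triage for an RDP host that
# was open to the internet with weak AD passwords and a dropper in a Startup
# folder. Run elevated on the affected host. $Since is an assumption.
param([datetime]$Since = (Get-Date).AddDays(-7))

function Get-EventField {
    # Read a named EventData field from a Security event (avoids relying on property indexes).
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Test-InternalAddress {
    # RFC 1918, loopback, and the '-' placeholder Windows logs when no address applies.
    param([string]$Ip)
    return ($Ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|-$)')
}

function Get-RdpLogonSummary {
    # 4625 = failed logon (password guessing shows up as many failures per IP/account),
    # 4624 with LogonType 10 (RemoteInteractive) = a successful RDP session.
    $failed = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Ip = Get-EventField $_ 'IpAddress'; User = Get-EventField $_ 'TargetUserName' } } |
        Group-Object Ip, User | Sort-Object Count -Descending | Select-Object Count, Name -First 20
    $rdp = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Since} -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'LogonType') -eq '10' } |
        ForEach-Object { [pscustomobject]@{ Time = $_.TimeCreated; Ip = Get-EventField $_ 'IpAddress'; User = Get-EventField $_ 'TargetUserName' } }
    [pscustomobject]@{
        TopFailedLogons   = $failed
        ExternalRdpLogons = @($rdp | Where-Object { -not (Test-InternalAddress $_.Ip) })
    }
}

function Get-StartupFolderItems {
    # The all-users Startup folder plus every profile's Startup folder (where acrotray.exe was found).
    $dirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
    $dirs += Get-ChildItem -Path 'C:\Users' -Directory | ForEach-Object {
        Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'
    }
    foreach ($d in ($dirs | Where-Object { Test-Path -LiteralPath $_ })) {
        foreach ($f in Get-ChildItem -LiteralPath $d -File) {
            [pscustomobject]@{
                Path      = $f.FullName
                Created   = $f.CreationTime
                Signature = (Get-AuthenticodeSignature -FilePath $f.FullName).Status
                Sha256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

function Get-ProcessesFromUserProfiles {
    # Processes whose image lives under a user profile. Chrome can legitimately be installed
    # per-user under AppData\Local, so judge by signature and hash, not by path alone.
    Get-Process | Where-Object { $_.Path -and $_.Path -match '\\Users\\[^\\]+\\AppData\\' } |
        ForEach-Object {
            [pscustomobject]@{
                Id        = $_.Id
                Name      = $_.ProcessName
                Path      = $_.Path
                Started   = $_.StartTime
                Signature = (Get-AuthenticodeSignature -FilePath $_.Path).Status
                Sha256    = (Get-FileHash -LiteralPath $_.Path -Algorithm SHA256).Hash
            }
        }
}

function Get-RdpExposureState {
    # The settings that decide whether password guessing over RDP even reaches a logon prompt.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    [pscustomobject]@{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)
        NlaRequired = ($tcp.UserAuthentication -eq 1)
        RdpPort     = $tcp.PortNumber
        Lockout     = ((net accounts | Select-String 'Lockout threshold') -join '').Trim()
    }
}

$summary = Get-RdpLogonSummary
'== Top failed logons (IP, account) ==';              $summary.TopFailedLogons   | Format-Table -AutoSize
'== Successful RDP logons from non-private addresses =='; $summary.ExternalRdpLogons | Format-Table -AutoSize
'== Startup folder contents ==';                      Get-StartupFolderItems     | Format-Table -AutoSize
'== Processes running from user profiles ==';         Get-ProcessesFromUserProfiles | Format-Table -AutoSize
'== RDP exposure ==';                                 Get-RdpExposureState       | Format-List
```

Read the output in that order: a long tail of 4625 failures against a handful of accounts followed by a 4624/LogonType 10 from the same public address is the pattern the post describes, and the hashes of anything unsigned in a Startup folder are what to submit alongside the samples. If `NlaRequired` is false or the lockout threshold reads "Never", those are the first two things to change before the host goes back on the network.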
Posted 27 November 2016 - 04:34 PM
ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]
RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]
CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]
If I have helped you and you wish to support my ransomware fighting, you may support me here.
Posted 28 November 2016 - 10:06 AM
A new variant has been identified with the pattern ".[<email>].wallet".
Posted 28 November 2016 - 02:30 PM
Today our SQL server was infected: all files, except the Windows and programs folders. But in "C:\" I found a folder called "data"; in it there are a few files with rare names, one named "crypkey.bin". Does anyone have the same folder? Is this a way to decrypt my files? Is there any tool to do it?
Thanks a lot
Posted 28 November 2016 - 04:08 PM
Posted 29 November 2016 - 03:39 AM
A new variant has been identified with the pattern ".[<email>].wallet".
@Demonslay335, we got the pattern .wallet. I already submitted a copy of a before/after file and a suspicious .exe file. In my case Avast and Malwarebytes were not able to detect/remove this ransomware variant. :-(
Posted 29 November 2016 - 12:29 PM
Another variant seems to be trying to spoof Locky by using ".[<email>].zzzzz". Note that the original filename is not renamed like the real Locky; ID Ransomware will naturally tell the difference for victims.
https://twitter.com/demonslay335/status/803641024346144768
Edited by Demonslay335, 29 November 2016 - 02:22 PM.
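An inventory script for the extension patterns discussed in this part of the thread (`.[<email>].dharma`, `.[<email>].wallet`, and the Locky-spoofing `.[<email>].zzzzz`), combined with the observation in the earlier server post that an interrupted run left most originals sitting next to their encrypted copies. This is an added example, not code from the thread and not from ID Ransomware or CryptoSearch. It parses each encrypted name into original name, contact e-mail and variant suffix (since, unlike real Locky, the original filename is kept), records whether the original still exists beside it, and flags zero-length encrypted files like the .ico mentioned above. Assumptions: the `$Root` path and the optional `.id-<hex>` segment in the pattern (seen on later samples, not shown on this page) are mine; the `-Variants` list is a placeholder to extend as new suffixes appear.

```powershell
# Added example (not from this thread or from ID Ransomware): inventory files
# named "<original>.[<email>].<variant>" (an optional ".id-<hex>" segment before
# the e-mail is accepted as an assumption) and report whether each original
# still exists beside its encrypted copy. $Root and the variant list are placeholders.
param(
    [string]$Root = 'D:\Shares',
    [string[]]$Variants = @('dharma', 'wallet', 'zzzzz')
)

function Get-EncryptedNamePattern {
    # Build the regex from the variant list so new suffixes only need a list entry.
    param([string[]]$Suffixes)
    $alts = ($Suffixes | ForEach-Object { [regex]::Escape($_) }) -join '|'
    return "^(?<orig>.+?)(?:\.id-[0-9A-Fa-f]+)?\.\[(?<email>[^\]]+)\]\.(?<ext>$alts)$"
}

function ConvertFrom-EncryptedName {
    # Split an encrypted filename into its parts; returns $null for names that do not match.
    param([Parameter(Mandatory)][string]$Name, [string]$Pattern)
    if ($Name -match $Pattern) {
        return [pscustomobject]@{ Original = $Matches.orig; Email = $Matches.email; Variant = $Matches.ext }
    }
    return $null
}

function Get-EncryptedFileInventory {
    param([string]$Path, [string]$Pattern)
    foreach ($f in Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue) {
        $parsed = ConvertFrom-EncryptedName -Name $f.Name -Pattern $Pattern
        if (-not $parsed) { continue }
        # -LiteralPath matters here: directory names may contain '[' and ']' too.
        $originalPath = Join-Path $f.DirectoryName $parsed.Original
        [pscustomobject]@{
            Encrypted        = $f.FullName
            Variant          = $parsed.Variant
            Email            = $parsed.Email
            OriginalSurvives = Test-Path -LiteralPath $originalPath
            ZeroLength       = ($f.Length -eq 0)   # written but never filled: the run was interrupted
        }
    }
}

function Write-InventorySummary {
    param($Rows, [string]$MissingListPath = "$env:TEMP\missing-originals.txt")
    if (-not $Rows) { 'No files matching the encrypted-name pattern were found.'; return }
    foreach ($g in ($Rows | Group-Object Variant, Email)) {
        '{0,-45} {1,6} files' -f $g.Name, $g.Count
    }
    $saved = @($Rows | Where-Object { $_.OriginalSurvives }).Count
    $empty = @($Rows | Where-Object { $_.ZeroLength }).Count
    "Originals still present: $saved of $($Rows.Count); zero-length encrypted copies: $empty"
    # The list of encrypted files whose original is gone is the restore/recovery worklist.
    $Rows | Where-Object { -not $_.OriginalSurvives } |
        Select-Object -ExpandProperty Encrypted | Set-Content -LiteralPath $MissingListPath
    "Files with no surviving original written to $MissingListPath"
}

$pattern = Get-EncryptedNamePattern -Suffixes $Variants
$rows    = @(Get-EncryptedFileInventory -Path $Root -Pattern $pattern)
Write-InventorySummary -Rows $rows
```

Run it against a read-only copy or a mounted snapshot of the share rather than the live volume, and keep the generated list: it tells you exactly which files must come from backup (or wait for a decrypter) and which can simply have their encrypted twin deleted once the originals are verified intact.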
Posted 29 November 2016 - 01:44 PM