
BurakNuman
.java ransomware
« on: March 18, 2018, 08:05:19 pm »
On 15.03.2018, one of my clients was infected with a new kind of Dharma/Crysis, and it seems like there is no decryption method or application available.
« Last Edit: May 25, 2018, 11:07:39 am by sensadmin »

Execute
Your friendly neighbourhood IT guy
Re: .java ransomware
« Reply #1 on: March 19, 2018, 10:43:33 am »
Hello @BurakNuman

Actually, this looks like a copycat, more of a BTCWare or GlobeImposter variant,
much like the previous copycat which used .Wallet (a Dharma extension):
.Wallet Files Virus Removal – Restore Data

You can try to recover files using the methods described at the end of the article, or try these 2 decryptors outright:

Best Regards,
Execute

BurakNuman
Re: .java ransomware
« Reply #2 on: March 21, 2018, 12:29:24 pm »
Didn't work, unfortunately...
« Last Edit: May 25, 2018, 11:07:56 am by sensadmin »

Execute
Your friendly neighbourhood IT guy
Re: .java ransomware
« Reply #3 on: March 22, 2018, 09:54:45 am »
Didn't work, unfortunately...

That is quite sad... They must have changed the code of the malware, or this is yet another new copycat that uses the ransom note and interface of the ransomware viruses mentioned in this thread.

What you can try is sending 5 files to be decrypted for FREE.
If they decrypt them, keep both the encrypted and decrypted versions
of the files in case a decryption tool becomes available in the future.

I will try to keep you updated if new information is found, but if it is indeed Dharma, only its first variant was decrypted; after that the code was changed by the cybercriminals, fixing the errors that allowed researchers to make the decryption tool...

Best Regards,
Execute
« Last Edit: March 22, 2018, 10:05:11 am by Execute »
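The advice above to keep the encrypted and decrypted versions of the test files together is worth doing systematically, because a future decryptor author needs more than the two files: the hashes, the size difference (an appended marker or key blob), whether the file header was left intact, and whether only the first part of the file was encrypted. The script below is an added example written for this thread; it is not from the forum, the article linked above, or any vendor's decryptor. It assumes the malware simply appends a fixed suffix (".java" here, matching the thread title) to the original name, and that the plaintext copies, from backups or from the free test decryption, are placed next to their encrypted versions. The `_mock_encrypt` function is a constructed stand-in that only produces sample input for the demo; it is not the real ransomware's scheme.

```python
"""Catalogue encrypted/plaintext file pairs while waiting for a decryptor.

Added example for this thread, not the forum's or any vendor's tool.
Assumptions (labelled): the ransomware appends a fixed suffix (".java" here)
to the original file name, and a few plaintext copies (from backups or from
the criminals' free test decryption) sit next to their encrypted versions.
"""
import hashlib
import json
import math
import tempfile
from pathlib import Path

SUFFIX = ".java"  # assumed: a plain appended extension (real variants may add more)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for properly encrypted data, far lower for text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Number of leading bytes the ciphertext shares with the plaintext."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def analyse_pair(plain: bytes, enc: bytes) -> dict:
    """Facts a future decryptor author needs from one known-plaintext pair."""
    return {
        "plain_sha256": sha256(plain),
        "enc_sha256": sha256(enc),
        "plain_size": len(plain),
        "enc_size": len(enc),
        "size_delta": len(enc) - len(plain),            # hints at an appended marker/key blob
        "enc_entropy": round(shannon_entropy(enc), 3),  # sanity check that it is encrypted at all
        "unchanged_prefix": common_prefix_len(plain, enc),  # >0: file header left intact
        # Many families encrypt only the first N bytes; an intact tail shows that.
        "plaintext_tail_present": len(plain) >= 16 and plain[-16:] in enc,
    }


def build_manifest(root: Path, suffix: str = SUFFIX) -> dict:
    """Walk root and pair every <name><suffix> with <name> when the original exists."""
    manifest = {"suffix": suffix, "pairs": [], "unpaired": []}
    for enc_path in sorted(root.rglob(f"*{suffix}")):
        enc = enc_path.read_bytes()
        plain_path = enc_path.with_name(enc_path.name[: -len(suffix)])
        if plain_path.is_file():
            entry = analyse_pair(plain_path.read_bytes(), enc)
            entry["name"] = str(plain_path.relative_to(root))
            manifest["pairs"].append(entry)
        else:  # encrypted only: still hash it so it can be matched to a backup later
            manifest["unpaired"].append({
                "name": str(enc_path.relative_to(root)),
                "enc_sha256": sha256(enc),
                "enc_entropy": round(shannon_entropy(enc), 3),
            })
    return manifest


def _mock_encrypt(plain: bytes, head: int = 512, marker: bytes = b"CONSTRUCTEDMARK!") -> bytes:
    """Constructed stand-in used only to produce sample input: XORs the first
    `head` bytes with a SHA-256 keystream, keeps the rest, appends a 16-byte
    marker. It is NOT the real malware's scheme."""
    ks = b""
    ctr = 0
    while len(ks) < head:
        ks += hashlib.sha256(b"example-key" + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    enc_head = bytes(p ^ k for p, k in zip(plain[:head], ks))
    return enc_head + plain[head:] + marker


def demo() -> dict:
    """Write constructed samples to a temp dir and return the manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plain = "".join("Quarterly report line %03d\n" % i for i in range(40)).encode()
        (root / "report.txt").write_bytes(plain)
        (root / ("report.txt" + SUFFIX)).write_bytes(_mock_encrypt(plain))
        # For this one only the encrypted copy survives, so it is listed as unpaired.
        (root / ("photo.jpg" + SUFFIX)).write_bytes(_mock_encrypt(bytes(range(256)) * 4))
        return build_manifest(root)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it against the real directory with `build_manifest(Path("/path/to/affected/share"))` and keep the JSON with the files. In the demo the constructed sample shows the two things a manifest like this catches: `size_delta` of 16 (the appended marker) and `plaintext_tail_present` being true, meaning only the head of the file was encrypted, which matters for partial recovery even before any decryptor exists.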