
Probably new version of Dharani/CrySiS ransomware
« on: March 13, 2018, 05:13:50 am »
I got an encrypted disk, and all files have names like this:

1.jpg.id-580B7E30.[[email protected]].java
It looks like a new version of Dharani/CrySiS ransomware, but RakhniDecryptor from Kaspersky does not recognise and cannot decrypt such files. Any idea what I have to do?

If necessary, I will send a sample of such a file via PM, because it is not possible to attach files with such an extension.

Execute

Re: Probably new version of Dharani/CrySiS ransomware
« Reply #1 on: March 14, 2018, 03:15:56 pm »
Hello Piotr,

it is indeed an updated version of the Dharma/CrySiS ransomware virus. It uses the same extension (.java) as the variant in this article:

.java Files Virus (Dharma Ransomware) – Remove and Restore Files

The difference is in the code and the emails given for contact - which are also used as the extension of encrypted files. That's why Rakhni Decryptor doesn't recognise them. Maybe in the future their decryptor will work, but ransomware is ever-changing and this is one of the few ones which is without known flaws in its encryption process.

Unfortunately, there is not much you can do.
You could remove the virus with a security program, reinstall your OS, back up the most important files somewhere in case a working decrypter version surfaces in the future...

Otherwise, you will just have to wait.

Best Regards,
Execute
« Last Edit: March 14, 2018, 03:17:36 pm by Execute »
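
Added example, not part of the original thread or written by any of its participants: a small Python triage helper that parses the file-name layout shown in the first post, recovers each file's original name, and groups files by ID, contact address and extension so the affected set can be recorded and backed up. The 8-hex-digit ID is assumed from the single sample name; the contact address and file list are constructed placeholders.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Layout taken from the sample name in the first post:
#   <original name>.id-<hex id>.[<contact e-mail>].<extension>
# Assumption: the id is always 8 hex digits, as in that one sample.
PATTERN = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\[\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)


def parse_name(path):
    """Return the parts of a renamed file, or None if the name does not match."""
    # PureWindowsPath splits on both "\" and "/" on any host OS.
    m = PATTERN.match(PureWindowsPath(path).name)
    return m.groupdict() if m else None


def inventory(paths):
    """Group matching files by (id, contact, extension); collect the rest."""
    groups, unmatched = defaultdict(list), []
    for p in paths:
        parts = parse_name(p)
        if parts is None:
            unmatched.append(p)
            continue
        key = (parts["victim_id"].upper(),
               parts["contact"].lower(),
               parts["ext"].lower())
        groups[key].append(parts["original"])
    return dict(groups), unmatched


# Constructed sample listing; the contact address is a placeholder.
SAMPLE = [
    r"D:\photos\1.jpg.id-580B7E30.[contact@example.invalid].java",
    r"D:\docs\archive.tar.gz.id-580B7E30.[contact@example.invalid].java",
    r"D:\docs\notes.id-draft.txt",  # looks similar but is not a renamed file
    r"D:\src\Main.java",            # ordinary .java source file
]

if __name__ == "__main__":
    groups, unmatched = inventory(SAMPLE)
    for (victim_id, contact, ext), names in groups.items():
        print(f"id={victim_id} contact={contact} ext=.{ext}: {len(names)} file(s)")
    print("not matching the layout:", unmatched)
```

More than one (id, contact, extension) group in the output means more than one naming variant is present, which is worth noting alongside the backed-up files.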

Re: Probably new version of Dharani/CrySiS ransomware
« Reply #2 on: March 14, 2018, 03:29:49 pm »
So, we have to wait....

Re: Probably new version of Dharani/CrySiS ransomware
« Reply #3 on: March 15, 2018, 09:58:40 am »
So, we have to wait....

Afraid so... such is the case with most ransomware viruses. The article will be updated if there is a free decryptor and we will notify you in case of any new developments revolving around the ransomware.

Kind Regards,
Execute