

    voyagerxii
    Dharma Ransomware - .wallet or [[email protected]]
    « on: November 30, 2016, 03:58:04 pm »
    We have run Malwarebytes, NPE.exe, Kaspersky Security Scan, and Trojan Remover 6.9.4. Now I need help decrypting the files; it added the name given in the subject of this post. It looks like most files it hit were renamed with an extension like the one in the brackets. Any ideas?
    « Last Edit: February 06, 2017, 05:38:50 pm by Execute »

    Execute (Your friendly neighbourhood IT guy)
    Re: Dharma Ransomware - [email protected] or [[email protected]]
    « Reply #1 on: November 30, 2016, 05:57:28 pm »

    Hello, @voyagerxii,
    we know of this ransomware.
    You can read more about it in the article titled:
    "New Dharma Ransomware" (.wallet files).

    For now, this version is non-decryptable,
    but know that its previous version,
    thought to be Shade (.xtbl) ransomware,
    is decryptable, as seen in this article.

    Don't lose hope as the .wallet version could be cracked in the near future.

    Best Regards,
    Execute
    There is no place like 127.0.0.1

    never (Network Administrator and Malware Researcher)
    Re: Dharma Ransomware - [email protected] or [[email protected]]
    « Reply #2 on: December 01, 2016, 11:06:31 am »
    Turns out a new variant of Dharma ransomware has just been discovered, using the .zzzzz file extension, just like Locky ransomware does. So far it is undecryptable, but you can try using data recovery software as an alternative method to restore at least a small portion of the data.

    Guilty is the love of The Sin.

    eze_jm
    Re: Dharma Ransomware - [email protected] or [[email protected]]
    « Reply #3 on: December 10, 2016, 08:58:42 pm »
    I was infected by this ransomware in November (first version). If you have any news about the decrypter, let me know.

    Execute (Your friendly neighbourhood IT guy)
    Re: Dharma Ransomware - [email protected] or [[email protected]]
    « Reply #4 on: December 13, 2016, 11:44:37 am »

    Hello, @eze_jm.

    Unfortunately, for the moment there is no decrypter available.
    However, if a decrypter is made, we will certainly notify all users
    who have fallen victim to the ransomware, here and on the main website.

    Best Regards,
    Execute
    There is no place like 127.0.0.1

    madden2008
    Re: Dharma Ransomware - [email protected] or [[email protected]]
    « Reply #5 on: February 05, 2017, 04:14:05 pm »
    Infected with the CrySis variant Dharma; it uses the .wallet extension and a Bitcoin reply to @india.com... Found no way of decrypting the data even after paying them and a company to do the same... Any info would be helpful to [email protected] ...Louis, thank you.

    madden2008
    Re: Dharma Ransomware - [email protected] or [[email protected]]
    « Reply #6 on: February 05, 2017, 04:31:42 pm »
    After coming in to a company completely down with the Dharma ransomware (.wallet, @india.com reply)... this is what I know. If you pay them, it is not guaranteed the decryptor will work (it did not). The companies out there that promise to do the work with engineers who will find a way of decrypting the files are all over the place, with prices from a few thousand to many, many thousands. After paying one of them, we found that only a partial decryption was accomplished and the most critical data folder was not. So they asked for more money, as the decryption on the said folder was different? So we paid again and still have not received the decrypted data, almost 2 weeks after payment. This experience was and is disheartening, and if it was not for the fact that the company's backups did not exist, this journey would not have happened. If you have had a similar experience, let me know, or if you have any relevant information on this variant, please reply... Meanwhile.... do these ransomware retrieval companies have a decryption policy, or do they try to make deals on Tor with the perpetrators to access keys?...????

    Execute (Your friendly neighbourhood IT guy)
    Re: Dharma Ransomware - [email protected] or [[email protected]]
    « Reply #7 on: February 06, 2017, 05:33:09 pm »
    Hello @madden2008,

    you should not pay such companies, the same way you should not pay the ransomware creators.
    I see businesses paying because they need their files to keep the business running, but that should not be an excuse, or at least not the first thing you do, because in the end the company will just have spent money for nothing and supported scammers.

    Usually, big AV companies release decrypter programs for free. Companies which promise to decrypt your files are usually a scam, because:

    1) They use an already free decrypter program and gain money that way.
    2) They cannot decrypt anything, but want to get money from desperate businesses and such.
    3) They do this to get access to keys in the hope of something working out to make a decryptor, but in the end the foremost reason is MONEY.

    Also note that there is no ransomware that encrypts files in different ways. Ransomware is set to encrypt files in one way for all files (unless there is some very rare case that I am not aware of), so you have been lied to, and you should have asked people in cyber security sooner, before paying so much money.

    You might try some data recovery programs - Kovter is an older family of ransomware, so it might have deleted the original files before encrypting them. There is a chance that data recovery can restore deleted files, unless the disk drives were wiped or re-installed (specifically the volume with the OS on it).

    Also, for whoever may need some tips, check out the topic about ransomware prevention here.

    P.S.: Write back with feedback on what happened and if there is anything else you might need help with.

    Kind Regards,
    Execute
    There is no place like 127.0.0.1

    jtkstc
    Re: Dharma Ransomware - .wallet or [[email protected]]
    « Reply #8 on: February 20, 2017, 12:18:03 am »
    I was hit by the version named [email protected], and the exe was aamanda.exe. I cannot afford the 7 BTC to get the decryption, so I am holding files for analysis to help get this solved.

    Execute (Your friendly neighbourhood IT guy)
    Re: Dharma Ransomware - .wallet or [[email protected]]
    « Reply #9 on: February 20, 2017, 02:45:28 pm »

    Hello, @jtkstc.
    You shouldn't pay the ransom price even if you could afford it! It is a good idea to keep your files and wait for a solution. Maybe you could share whether there are differences in the ransom note or anything else that might help distinguish the ransomware? It might prove helpful.

    Kind Regards,
    Execute
    There is no place like 127.0.0.1
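A triage helper for the request above, as an added example that is not part of this thread or of any decryption tool: it parses encrypted file names of the layout the thread describes (original name, then a bracketed contact address, then the variant extension) and groups a file listing by contact address and extension, which is exactly the kind of detail that helps tell one variant from another. The file names and addresses below are constructed placeholders, and the layout is an assumption taken from the posts, not a full specification of the ransomware's naming.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed file-name layout, taken from the thread (not a full Dharma spec):
#   <original name>.[<contact address>].<variant extension>
# Real samples may carry extra fields; such names fall through as unrecognised.
VARIANT_EXTS = ("wallet", "zzzzz", "xtbl")  # extensions the thread mentions
NAME_RE = re.compile(
    r"^(?P<original>.+?)\.\[(?P<contact>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>"
    + "|".join(VARIANT_EXTS) + r")$",
    re.IGNORECASE,
)


def classify(name: str) -> Optional[Tuple[str, str, str]]:
    """Split an encrypted file name into (original, contact, ext), or None."""
    m = NAME_RE.match(name)
    if m is None:
        return None
    return m.group("original"), m.group("contact").lower(), m.group("ext").lower()


def summarize(names: List[str]) -> Dict[str, object]:
    """Group names by (contact, ext) so one infection can be told from another."""
    counts: Dict[Tuple[str, str], int] = defaultdict(int)
    originals: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    unrecognised: List[str] = []
    for name in names:
        parsed = classify(name)
        if parsed is None:
            unrecognised.append(name)  # untouched file, or a layout we do not parse
            continue
        original, contact, ext = parsed
        counts[(contact, ext)] += 1
        originals[(contact, ext)].append(original)
    return {"counts": dict(counts), "originals": dict(originals),
            "unrecognised": unrecognised}


# Constructed sample listing; the addresses are placeholders, not real contacts.
SAMPLE_NAMES = [
    "budget2016.xlsx.[contact@example.invalid].wallet",
    "Q3 report.docx.[Contact@example.invalid].wallet",
    "photo.jpg.[other@example.invalid].zzzzz",
    "readme.txt",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_NAMES)["counts"].items():
        print(f"{key[0]} / .{key[1]}: {n} file(s)")
```

The "originals" list is also what you would hand to a data recovery tool when checking whether the pre-encryption copies can still be undeleted.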

    madden2008
    Re: Dharma Ransomware - .wallet or [[email protected]]
    « Reply #10 on: February 21, 2017, 11:24:50 pm »
    So, to finish my story: after paying bitcoin to the perps.. that did not work... then a deposit to an American specialist who, after looking at the encryption, wanted a lot of money... then went on a gut call to a European specialist that required two payments, as on the first try only half was retrieved, and finally this weekend, after 6 weeks of turmoil, we now have all the data. The whole issue here was that the backups were useless and we had no choice but to try all options, and yes, it did work for us a few thousand later. You are right, we should not pay them... what would you do... sink the company.... that's all well and good, but we have to be realistic here.... the company cannot operate, so eventually people lose their jobs... and backups now... through the roof... What would you do????

    Execute (Your friendly neighbourhood IT guy)
    Re: Dharma Ransomware - .wallet or [[email protected]]
    « Reply #11 on: February 22, 2017, 10:29:06 am »

    Hello, @madden2008,
    first of all, I am really happy that you had the luck of getting your files restored - would you mind sharing how the specialist recovered them? Because the thing that comes to mind is that they charged you the same sum or more than the sum asked by the ransomware, paid the cybercriminals, got the decryption key and then gave it to you. That has happened in the past, so I cannot exclude it, yet I am curious what the specialist told you. (Looking back at the comments, I see that you had the same suspicion yourself, and I didn't see that last line, so I didn't answer.)

    Second of all, I will just repeat what I said above with a little more detail:

    Quote
    you should not pay the ransomware creators

    By paying cybercriminals, you support them financially, you motivate them further to create ransomware, you might be seen as an accomplice as you do knowingly help criminals. Plus, there is no guarantee that you won't get your files encrypted again in the future by the same criminals.

    Quote
    Companies, which promise to decrypt your files are usually a scam

    There are many companies that try to scam people; as harsh as it may sound, it is true. I never said that ALL such companies/specialists are like that. Again, I am glad you had a lucky strike in your case.

    Quote
    I see business paying, because they need their files to keep the business running, but that should not be an excuse or at least, not the first thing you do.

    Like I said before, I know what is at stake, and that such files keep a business afloat. But paying shouldn't be the very first thing to do. I am speaking in general, that people should first inform themselves on the matter, evaluate their options, try everything that they can for free as a restoration method, and then maybe as a last option pay an engineer or a recovery specialist (who is not known for ONLY recovering files from a ransomware hit, but recovery in general, from disk drives etc).

    As you said yourself, you paid the criminals, after which the company you paid a lot of money to, didn't manage to recover what you needed, and just prolonged the process and milked you for more cash. At the end a specialist recovered the data.

    Now, probably this was the first time you encountered a hit from a ransomware cryptovirus and didn't know what to do, but doing better research and informing yourself better should have been a priority. Yet again, I don't know exactly what you did, and not everybody can provide you with good insight and know-how about what your options are. Still, I hope you recover that money with your business and treat the situation as a learning curve, making your company stronger.

    Best Regards,
    Execute
    There is no place like 127.0.0.1

    Execute (Your friendly neighbourhood IT guy)
    Re: Dharma Ransomware - .wallet or [[email protected]]
    « Reply #12 on: May 19, 2017, 03:57:45 pm »
    There is now a DECRYPTION TOOL released for the .wallet variant of Dharma ransomware!

    Check out the instructions for it in the article:
    Decrypt .wallet Encrypted Files for Free (Dharma Update 2017)

    Best Regards,
    Execute
    There is no place like 127.0.0.1

    voyagerxii
    Re: Dharma Ransomware - .wallet or [[email protected]]
    « Reply #13 on: May 22, 2017, 06:00:08 pm »
    I ran the decrypter program on a small portion of encrypted files and it worked!! I am now going to work on decrypting a larger set of files we had saved in case a decryption program was created that worked. There is a huge set of files we were waiting to decrypt that will save us a lot of headache in the future. A BIG THANKS goes out to the creators of the decryption program!!

    Execute (Your friendly neighbourhood IT guy)
    Re: Dharma Ransomware - .wallet or [[email protected]]
    « Reply #14 on: May 23, 2017, 01:18:53 pm »
    Big props to Avast for making the decryptor!

    We are glad that you restored the files successfully. :)
    There is no place like 127.0.0.1
