Dharma ransomware (.id-[random 8 hex].[<email>].dharma) Support Topic

#2056 travaglia

Posted 26 July 2018 - 09:21 PM

Hi all!!!

How can I be sure that you are clean from the infection??

Just my files were encrypted (.bip)... Windows and the programs are all fine.

I'm using:

AdwCleaner +

Malwarebytes in trial mode +

Emsisoft AntiMalware +

Kaspersky Virus Removal Tool.

Is that enough??

For an active antivirus, which is better: Kaspersky or ESET NOD???

Thanks!!!




#2057 reztib

Posted 26 July 2018 - 11:38 PM

I just formatted everything that got touched. IMHO that's the best way to deal with this crap.



#2058 g3rsiu

Posted 27 July 2018 - 04:50 AM


Most infections have a common vector: RDP attack.

Change all your passwords on all remote services or tools and try to figure out how they got in if you can. The offline capability of this version and the renting aspect of this tool as crimeware-as-a-service should also make you ask yourself if it wasn't an inside job. It is not unheard of.

About securing your server, I can say that I have implemented this with success:

http://www.digitalruby.com/securing-your-windows-dedicated-server/

It should slow down RDP attacks but it can't protect you from a bad password or "known" password.

As for the infection part, the virus itself doesn't bother that much with persistence or disabling antivirus/security features; it was designed to be a tool more than a virus. It's just something the hacker runs as a last step after he has access to your server and has crippled its antivirus manually or using other tools (like Process Hacker).



#2059 travaglia

Posted 27 July 2018 - 06:43 AM


Thanks very much for the reply!!! Is it common for this infection to come to a server through an infected computer whose user had admin RDP credentials saved so he could automatically connect???



#2060 g3rsiu

Posted 27 July 2018 - 06:54 AM

It is possible: password extracted from a saved RDP session, keylogger, saved password in a text file on the desktop, etc. A hacker could access these, but a virus can't traverse an RDP route alone.

If you have access to logs, you could check if an RDP brute-force attack took place and on which user. If RDP is a must, either use an RDP Gateway, VPN or even 2FA or other security measures to prevent unauthorized access.

In my opinion, most cases have weak RDP passwords or the password was leaked or reused. Since ransomware became so popular, unsafe password practices have begun to bite server "admins" and RDP users in the ass.
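
To check the Security log for the RDP brute-force pattern described in the post above, here is an added PowerShell example (not from this thread or any of its posters). It assumes an elevated session on the affected Windows server with logon auditing enabled; the $Days and $Threshold parameters are my own choices.

```powershell
# Added example, not from this thread: summarise failed RDP logons (Event ID 4625)
# in the Security log and flag source IPs that failed many times and then
# succeeded (4624), the signature of a brute-force that got in.
# Assumptions: elevated session on the Windows server, logon auditing enabled,
# and the Security log still covers the period of interest.
param([int]$Days = 7, [int]$Threshold = 20)

$since  = (Get-Date).AddDays(-$Days)
$filter = @{ LogName = 'Security'; Id = 4625, 4624; StartTime = $since }

function ConvertFrom-LogonEvent($e) {
    # Pull the named EventData fields out of the event XML.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        User      = $d['TargetUserName']
        Source    = $d['IpAddress']
        LogonType = $d['LogonType']   # 10 = RemoteInteractive (RDP); 3 = network, also logged by RDP with NLA
    }
}

$logons = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
          ForEach-Object { ConvertFrom-LogonEvent $_ } |
          Where-Object { $_.LogonType -in '10', '3' -and $_.Source -and $_.Source -ne '-' }

$failures  = $logons | Where-Object Id -eq 4625
$successes = $logons | Where-Object Id -eq 4624

'Failed RDP logons per source IP (top 15):'
$failures | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

'Accounts targeted most often:'
$failures | Group-Object User | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

# The pattern that matters: many failures from one IP, then a success from the same IP.
foreach ($g in ($failures | Group-Object Source | Where-Object Count -ge $Threshold)) {
    $firstFail = ($g.Group | Sort-Object Time | Select-Object -First 1).Time
    $hit = $successes | Where-Object { $_.Source -eq $g.Name -and $_.Time -gt $firstFail } |
           Sort-Object Time | Select-Object -First 1
    if ($hit) {
        'ALERT: {0} failed {1} times, then logged on as {2} at {3}' -f $g.Name, $g.Count, $hit.User, $hit.Time
    }
}
```

If the Security log has already rotated, the same query can be run against an exported .evtx with the Path key of Get-WinEvent -FilterHashtable instead of LogName.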



#2061 travaglia

Posted 27 July 2018 - 07:03 AM

The server that was hacked is almost completely encrypted... from there, "he" accessed the network share of the other server and started encrypting it also, but not so much harm was done; we soon shut down and disconnected all servers from the LAN and started the cleanup.

I've already disabled all RDP port forwardings and will implement that IP ban that you suggested so I can be protected from inside attacks also.

Do you think it's safe to access the server by TeamViewer (with 2FA enabled)???



#2062 g3rsiu

Posted 27 July 2018 - 07:29 AM

The network shares are enumerated from the server history by the virus automatically. An infected machine infects all that it has access to in this case. No SMB attacks are done by the virus. As a form of best practice, evaluate all SMB shares and make sure that only authenticated users have access (remove Guest or Everyone; evaluate share access on a "do they really ALL need access to it?" basis).

2FA via external app or SMS should be pretty safe.

As for the remote app recommendations, I can't make one since it involves more than the security factor (bandwidth if you run multiple sessions, whether you need concurrent access per user as RDP permits on a server, cost of software, size of company/network, etc.); whatever solution fits best. Just make sure you put the legwork into securing it properly.

Back up often and, if you use NAS-SMB or USB HDD as backup medium, implement a method to take the medium offline after the backup job is finished.
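
As an added example (not from this thread or any of its posters), the following PowerShell lists the SMB shares on a host whose permissions grant access to Everyone, Guest or other broad groups, so each can be reviewed the way the post above suggests. It assumes Windows Server 2012 / Windows 8 or newer (SmbShare module) and an elevated session; the two principal lists are my own choices.

```powershell
# Added example, not from this thread: list SMB shares on this host whose ACL
# grants access to unauthenticated or very broad principals, for review.
# Assumes Windows Server 2012 / Windows 8 or newer (SmbShare module) and an
# elevated session; the two principal lists below are my own choices.
$unauthenticated = @('Everyone', 'Guest', 'ANONYMOUS LOGON')          # should not be on a share at all
$broadButAuth    = @('Authenticated Users', 'Users', 'Domain Users')  # authenticated, but "do they ALL need it?"

function Get-BroadShareAccess {
    foreach ($share in (Get-SmbShare | Where-Object { -not $_.Special })) {   # skip C$, ADMIN$, IPC$
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # AccountName looks like "Everyone" or "DOMAIN\Domain Users"; compare the trailing part.
            $principal = ($ace.AccountName -split '\\')[-1]
            $severity  = if ($unauthenticated -contains $principal) { 'Unauthenticated' }
                         elseif ($broadButAuth -contains $principal) { 'Broad' }
                         else { $null }
            if ($severity) {
                [pscustomobject]@{
                    Severity  = $severity
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $ace.AccountName
                    Right     = $ace.AccessRight   # Read, Change or Full
                }
            }
        }
    }
}

Get-BroadShareAccess | Sort-Object Severity, Share | Format-Table -AutoSize

# Remediation pattern once a share has been reviewed (deliberately commented out;
# 'Data' and 'DOMAIN\Finance-Users' are placeholders):
# Revoke-SmbShareAccess -Name 'Data' -AccountName 'Everyone' -Force
# Grant-SmbShareAccess  -Name 'Data' -AccountName 'DOMAIN\Finance-Users' -AccessRight Change -Force
```

Share permissions and NTFS permissions are evaluated together, so a share that looks fine here can still be over-exposed by its folder ACL; check both.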



#2063 travaglia

Posted 27 July 2018 - 08:02 AM

Yes... I definitely removed the owner "domain admin" permission... and will reevaluate the share permissions... Right now, all shares are read-only so people can get back to work as we are checking machine by machine to be sure the entire network is clean.

Thanks for the tips!!! I'll implement this ASAP at my other clients as well.

Last but not least... besides online daily backups for around 30 days of work, I have offline backups for the last 6 days, rotating 6 USB HDDs, one for each workday and one for the weekend... 5 of them always outside the company... so data-wise I think I'm OK.



#2064 sacisoft

Posted 04 August 2018 - 12:44 AM

I do not understand, you paid the scammer? And he sent you the decryption tool? Did you receive instructions on how to use it? How to decrypt?

One of my companies was hit today by this one and it looks like a new variant of the ransomware:

name of file + id-08CD347C.jessicavim9wlee@aol.com].bip

Does anyone know if ESET or Kaspersky are getting around to updating the decryption tool they have for the .dharma?

Thanks

I have been touched by the .bip encrypt.

I want to share all information about my encryption, so maybe someone can use it to create a free decryption tool.

Beware! This scammer (decrypter2018@gmail.com) will never give you back your data. If you pay, he would take 3-4 days to respond and try to convince you for more money.

Don't trust him.

Information:

Scammer: decrypter2018@hotmail.com

He begins at $500 and wants more money.

Decryption tool: https://ufile.io/00xhn

Three sample files: https://ufile.io/tyavn

Code sent to scammer: https://ufile.io/hsz3k

Thanks in advance.



#2065 quietman7 (Global Moderator)

Posted 04 August 2018 - 08:16 AM

...does anyone know if Eset or Kaspersky are getting around the update of the decryption tool they have for the .dharma?

Only the .dharma, .wallet, .onion variants of Dharma (CrySiS) are decryptable. The master keys for .dharma and the master keys for .wallet and .onion variants were released on BleepingComputer.com in the same manner as the original CrySiS Ransomware keys were released (most likely by one of the developers) back on 11/14/16. Release of the keys for these variants allowed Kaspersky, ESET and Avast to create decrypter tools.

Unfortunately, there is no known method to decrypt files encrypted by the newer variants of Dharma (CrySiS) without paying the ransom and obtaining the private RSA keys from the criminals.



#2066 travaglia

Posted 04 August 2018 - 02:47 PM


No, I didn't pay... I had offline backups... I only needed to be sure that the "virus" was not around my servers anymore.



#2067 thedee

Posted 06 August 2018 - 08:46 AM

I have been hit with this virus. My files are in this form:

test.txt.id-3A729960.[olivias3vzjscott@aol.com].bip

There is a FILES ENCRTYPED.txt that was added that says:

all your data has been locked us
You want to return?
write email olivias3vzjscott@aol.com or laurenlyfxecarter@aol.com

Are there any decrypt methods for this one?

I believe the bad exe that is on my PC that caused this is called "SHAOFAO.EXE" and I think I was infected by them using my Remote Desktop.

Edited by thedee, 06 August 2018 - 10:04 AM.


#2068 g3rsiu

Posted 06 August 2018 - 08:51 AM

 

I have been hit with this virus.  My files are in this form:

test.txt.id-3A729960.[olivias3vzjscott@aol.com].dip

 

There is a FILES ENCRTYPED.txt that was added that says:

all your data has been locked us
You want to return?
write email olivias3vzjscott@aol.com or laurenlyfxecarter@aol.com
 
Is there any decrypt methods for this one?
 
I believe the bad exe that is on my pc that caused this is called "SHAOFAO.EXE" and I think I was infected by them using my Remote Desktop.

 

Most likely a new extension / variant. You can PM a link with what you have (quarantined exe and/or one encrypted file).

And no, most likely no solution yet.

To be clear, any version/variant/session of the malware uses different keys; there will be no master key unless the source code has a backdoor or flaw to get the keys used. Since it's done to be fully offline there should be a way.

Update: typo, dip / bip, nothing new here.


Edited by g3rsiu, 06 August 2018 - 10:09 AM.


#2069 worldcup2026 (Banned)

Posted 06 August 2018 - 02:57 PM

I wanted to inform everyone that there is a previous member who was banned because he was offering decryption services for Dharma ransomware for a fee, which from what I understand was more than the ransom amount.

As it is my job to make sure people are not pulling scams on our visitors, I asked him to stop offering these services unless he explained how he was decrypting the files and to prove that he was just not paying the ransom and then charging victims more.

He refused to provide any information, even under the conditions that I would not publicly disclose the methods, and was therefore told to stop private messaging people.

He continued doing so and was thus banned. Unfortunately, he continues to create new accounts and send people private messages about paid decryption services.

Due to this, if you receive messages from anyone stating that they can decrypt recent Dharma ransomware variants, please report the PM or post. This could very well be a scam.

Even if they provide a free decryption or two, this could be nothing more than a deal they have with the ransomware developers, and should not be trusted unless they disclose how they are decrypting the files.

 

First of all I would like to tell you that it is me who Grinler is talking about, and I wanted to correct some points in his post:

1- I think you have not enough information about the hacker's price, because our price is always less than the hacker's price; we are never in contact with the developers, we have our own method for decryption as I told you many times before.

2- Of course me and my company want to make money until a free solution is shared.

3- Dr.Web has been decrypting .enc, .encrypted and 7-random-extension encrypted files for a fee and they are still doing it. Did they share their method publicly? Let me answer: NO!! So why do I have to share our method?

4- We have already helped a few users from this forum and many users outside this forum with recovery from New Dharma Ransomware (arrow, arena, cesar, java, bip and combo extensions), so if anyone needs help and is willing to pay, please send me an email with sample files (scam [at] y a h o o . c o m).

5- Of course we provide sample decrypted files before payment as proof, but they should be xls, doc, pdf or photo files, and of course we don't decrypt databases or any other important file before payment, because if we did that, the customer wouldn't need us after their database file was decrypted. Dr.Web doesn't do this either; nobody does that!!



#2070 quietman7 (Global Moderator)

Posted 07 August 2018 - 07:25 AM

I have been hit with this virus.  My files are in this form:
test.txt.id-3A729960.[olivias3vzjscott@aol.com].bip

As I noted in the other topic where you posted...Dharma (CrySiS) with the .bip extension is not decryptable without paying the ransom and obtaining the private RSA keys from the criminals.

