My computer has been infected by a virus; the virus deletes, but all files have been encrypted under the extension .onion. Here is one of the examples: image.jpg.id_1427938014_fgb45ft3pqamyji7.onion

I tested the tools Cry9, Cry128, and CryptON, but none can decrypt.

I have read that apparently it is a new variation of Dharma, according to this text, which I quote:

.onion file virus. The latest variant of Dharma ransomware was spotted in April 2017. The virus spreads via malicious email attachments, and once a victim clicks on an infected attachment, the malware sneaks inside the system. On the affected device, the ransomware starts a system scan and looks for the targeted file types. For data encryption, it uses a sophisticated algorithm that prevents users from accessing their files. The ransomware appends the .onion file extension to the encoded documents, PDFs, video, audio, image files, databases, and other popular file types.

I am sending you two encrypted files and the respective original files; for information, I am also sending the text file where it is mentioned that all the files have been encrypted.

Thanks a lot!

Oscar Rojas

@Oscar Rojas Your ransomware infection is definitely Dharma (.onion). Dharma (.onion) is what replaced Dharma (.wallet).

Any files that are encrypted with Dharma (.onion) Ransomware will have a .[<id_>].onion extension appended to the end of the encrypted data filename, and the ransomware leaves ransom notes named -DECRYPT-MY-FILES.txt.

Unfortunately, there is no known way, at this time, to decrypt files encrypted by Dharma variants without paying the ransom, which we do not recommend. You can try data recovery tools such as Recuva or EaseUS Data Recovery Wizard to attempt recovery of your files. Alternatively, you may choose to employ the services of a company that specializes in forensic data recovery.

  • Downvote 1

Moderator actions: thread was cleaned up to clarify and correct a discrepancy, and to remove posts that violate the terms of use.

@Oscar Rojas I initially gave you an incorrect determination as to your ransomware infection. You are infected with a variant of Cry. This variant is either Cry128 or Cry9.

The Cry9 discussion thread is https://support.emsisoft.com/topic/27231-cry9-invalid-crypton-file-pair/

The Cry128 discussion thread is https://support.emsisoft.com/topic/27297-cry128-need-help-q_q/

If you need further information, send me a message.

This thread is being closed.

  • Downvote 1
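The correction above turns on the shape of the encrypted filenames: the responder's description of Dharma (.onion) is `<original>.[<id_>].onion`, while the sample the original poster gave, `image.jpg.id_1427938014_fgb45ft3pqamyji7.onion`, has the form `<original>.id_<digits>_<token>.onion`. The following triage script is an added example for this thread; it is not a tool from Emsisoft or from any of the posters. It classifies a directory listing by those two naming shapes and by the `-DECRYPT-MY-FILES.txt` note name, recovers the original filename, and reports counts so an incident responder can see at a glance which convention is present. Assumptions: the `CRY_STYLE` regex is derived from that single sample filename only, the contents of the Dharma id between the brackets are not specified in the thread so anything is accepted, and the listing is constructed. It does not decrypt anything and does not distinguish Cry9 from Cry128, which the thread itself leaves open.

```python
"""Triage a file listing for the two '.onion' naming shapes discussed in the thread.

Added example, not Emsisoft's tooling or any poster's code. Classifies by filename
shape only; no decryption is attempted.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Dharma (.onion), per the second post: ".[<id_>].onion" is appended to the original
# filename. The thread does not say what the id looks like, so anything between the
# brackets is accepted (assumption).
DHARMA_ONION = re.compile(r"^(?P<original>.+)\.\[(?P<id>[^\]]+)\]\.onion$")

# Shape of the one sample the original poster gives:
#   image.jpg.id_1427938014_fgb45ft3pqamyji7.onion -> <original>.id_<digits>_<token>.onion
# Derived from that single sample only (assumption that other files share the shape).
CRY_STYLE = re.compile(r"^(?P<original>.+)\.id_(?P<id>\d+)_(?P<token>[a-z0-9]+)\.onion$")

# Ransom note name the thread gives for Dharma (.onion).
RANSOM_NOTE = "-DECRYPT-MY-FILES.txt"


@dataclass
class Triage:
    filename: str
    family_hint: str            # "dharma_onion", "cry_style", "ransom_note" or "unknown"
    original_name: Optional[str]
    victim_id: Optional[str]


def _basename(path: str) -> str:
    # Split on both separators so Windows paths triage correctly on a Linux analysis box.
    return re.split(r"[\\/]", path)[-1]


def triage_filename(path: str) -> Triage:
    """Classify one path by the shape of its basename."""
    name = _basename(path)
    if name == RANSOM_NOTE:
        return Triage(path, "ransom_note", None, None)
    m = DHARMA_ONION.match(name)
    if m:
        return Triage(path, "dharma_onion", m.group("original"), m.group("id"))
    m = CRY_STYLE.match(name)
    if m:
        return Triage(path, "cry_style", m.group("original"), m.group("id"))
    return Triage(path, "unknown", None, None)


def triage_listing(paths: Iterable[str]) -> List[Triage]:
    return [triage_filename(p) for p in paths]


def summarize(results: Iterable[Triage]) -> Dict[str, int]:
    """Count hits per family hint; a listing showing both shapes deserves a second look."""
    return dict(Counter(r.family_hint for r in results))


# Constructed listing: the poster's sample, one Dharma-shaped name made up for contrast,
# the note name from the thread, and an untouched file.
SAMPLE_LISTING = [
    r"C:\Users\oscar\Pictures\image.jpg.id_1427938014_fgb45ft3pqamyji7.onion",
    r"C:\Users\oscar\Documents\budget.xlsx.[EXAMPLE-ID].onion",   # constructed
    r"C:\Users\oscar\Documents\-DECRYPT-MY-FILES.txt",
    r"C:\Users\oscar\Documents\notes.txt",
]

if __name__ == "__main__":
    results = triage_listing(SAMPLE_LISTING)
    for r in results:
        print(f"{r.family_hint:13} id={str(r.victim_id):12} original={r.original_name}  <- {r.filename}")
    print(summarize(results))
```

Run against the constructed listing, the poster's sample lands in `cry_style` with original name `image.jpg` and id `1427938014`, while the bracketed name lands in `dharma_onion`; the two shapes never overlap, which is exactly why the first identification in the thread could be revisited from the filename alone. Keeping the original name makes it easy to match encrypted files against known-good copies from backup.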