JesseK

Infected with .cesar aka Dharma/CrySiS ransomware


I believe I have cleaned the system, but it is now unable to boot, likely due to system files being renamed to .cesar once I reboot into safe mode. Beyond that, I have tried decryption tools that work on previous versions of this virus to no avail.

Should anyone be interested, I have a rar passworded file of one of the .exe's I found prior to deleting it. I also have a few encrypted files available should someone want to take a look at them. (nothing confidential)

Any suggestions?

Note: being unfamiliar with the rules, I have abstained from attaching any files here, but can provide links if requested.


Older decrypters for Dharma were based on master decryption keys that were released on the BleepingComputer forums. There's been a spike in the last few days of new reports of Dharma infections that rename files with the .cesar extension, and with this new wave of infections I would expect that existing decryption tools would not be able to decrypt files.

It might take some time for analysis, however I expect that this new variant of Dharma is not going to be decryptable.


I can't say I'm surprised. But that is disappointing coming from you. Oh well, at least I caught it when I did. Sadly it got ahold of some of my NAS files since the drives were mounted. All because I wanted to be lazy and make my password stupid easy. Took less than 3 days to get RDP'd into and left with this mess. 

7 minutes ago, JesseK said:

All because I wanted to be lazy and make my password stupid easy. Took less than 3 days to get RDP'd into and left with this mess.

Yeah, long passwords can be a pain in the neck, but in the end it's worth it to have long and complex passwords. I usually recommend passwords that are a minimum of 25 characters long, and are made up of completely random characters (a combination of lowercase letters, uppercase letters, numbers, and symbols is best).

It might also be a good idea to hide sensitive services such as RDP behind a VPN, that way the RDP port doesn't need to be open in the firewall. This is especially useful if you need to have access to multiple computers on the network via RDP, or multiple services on the same computer, or simply want to just leave the VPN connected all the time for quick access to RDP.


I generally have decent passwords, but this particular early morning I made it the stupidest thing you could, without even considering this possibility. I was working 2am to 10am and was tired of typing it when my machine timed out. Lesson learned. Spent 3 days changing my online passwords and dealing with fraud. Good times. 

Funny thing is, I'm the guy people look to for tech help/advice. Smh. 


From what I am being told, this appears to be the same old Dharma that someone edited to add new keys to. It doesn't even appear to be made/distributed by the same people.


Well that's fun. 

To confirm, this can only run on windows right? Aside from the encryption, is there any reason I should be concerned with my NAS? (Synology) 

On 8/19/2017 at 6:39 PM, JesseK said:

To confirm, this can only run on windows right?

As far as I am aware the Dharma ransomware only infects Windows computers.

There has been ransomware for macOS, Linux, and Android devices, however a ransomware will generally only stick to one platform. Generally your target is different when you're writing malicious software for Linux (usually web servers running Linux), and so a Linux device on a home network wouldn't be infected by a Windows ransomware.


2 of my Windows servers and Buffalo NASs got infected because some user used some super obvious simple password for RDP. I managed to recover the Windows servers using backups. Any idea how to recover those files on the Buffalo NAS?

Some sites mentioned using recovery software might help. Any thoughts?

47 minutes ago, ruriimasu said:

2 of my Windows servers and Buffalo NASs got infected because some user used some super obvious simple password for RDP. I managed to recover the Windows servers using backups. Any idea how to recover those files on the Buffalo NAS?

Some sites mentioned using recovery software might help. Any thoughts?

The recovery software would really only be successful if your storage array was 50% or less full. When the files are encrypted they are overwriting free space. After encrypting they delete the non-encrypted files. So, if you're like me, and have less than 20% free space, your likelihood of recovering it with file recovery software is very low. That's why I'm not likely going to bother going that route. Either I wait and hope for decryption, or consider it all lost. Thankfully my wedding photos aren't on that NAS yet. Good luck!

3 minutes ago, JesseK said:

The recovery software would really only be successful if your storage array was 50% or less full. When the files are encrypted they are overwriting free space. After encrypting they delete the non-encrypted files. So, if you're like me, and have less than 20% free space, your likelihood of recovering it with file recovery software is very low. That's why I'm not likely going to bother going that route. Either I wait and hope for decryption, or consider it all lost. Thankfully my wedding photos aren't on that NAS yet. Good luck!

Oh. Mine is 99.7% full. Bummer.

I hope they come up with a decryptor soon. In the meantime, what else can I try? Or do I just save my efforts for some other work since this leads to nowhere.. for now?

By the way, the one that hit my side has a payfordecrypt.qq.com address.

1 hour ago, ruriimasu said:

Oh. Mine is 99.7% full. Bummer.

I hope they come up with a decryptor soon. In the meantime, what else can I try? Or do I just save my efforts for some other work since this leads to nowhere.. for now?

By the way, the one that hit my side has a payfordecrypt.qq.com address.

Then you don't have much wiggle room for recovery. As for what else to try, I really don't know. Unless you backup your NAS to archive drives, you're pretty much in my boat. 


Am I totally hosed with this or is there some hope? SBS2008 64-bit server basically streaming movies and file storage with tons of family pictures and movies. 8 TB RAID.

Not sure what happened; it was fine two days ago and now locked with the .cesar stuff. I am figuring RDP. Might have 20% free space. Do I just wait it out and find a decryption program? I contacted them for the sake of it to see what they want. [email protected] and [email protected] were the two email addresses in the info.

1 minute ago, Scott1974 said:

Am I totally hosed with this or is there some hope? SBS2008 64-bit server basically streaming movies and file storage with tons of family pictures and movies. 8 TB RAID.

Not sure what happened; it was fine two days ago and now locked with the .cesar stuff. I am figuring RDP. Might have 20% free space. Do I just wait it out and find a decryption program? I contacted them for the sake of it to see what they want. [email protected] and [email protected] were the two email addresses in the info.

I ran a domain whois on the email address domain for the culprit I found. I then sent a notification to the owner of the domain as well as the hosting company who owns the domain. Not that it will help, but you may consider doing the same. 

As for the decryption programs, none currently will decrypt Cesar. I sent the Trojan exe and a few encrypted files to Kaspersky in hopes they can figure it out. I'm not holding my breath. 

My current approach is to ignore the damage and wait and see. It sucks, but I'd rather my data be encrypted than them have it. They might have copied some, but hopefully not. 

You probably want to check your PayPal, Amazon, and Visa Checkout accounts to make sure no fraudulent purchases were made. They connected to me via RDP as well and all of my passwords were saved, so they were able to make certain purchases.


I will have to check but I do not think anything was even linked, but I will do that now. I kinda wonder how they even got into the server. Hopefully they reply and I can see what they want. I am on the fence. I want the files back. Once I do that I can just disconnect the internet and be done with it.

I wonder... I got a spoof phishing email about me buying Google gift cards, but it was on my Android phone and I only checked the transaction ID link, so I doubt that did it....

When did you get hit? Mine was after Saturday.

8 minutes ago, Scott1974 said:

I will have to check but I do not think anything was even linked, but I will do that now. I kinda wonder how they even got into the server. Hopefully they reply and I can see what they want. I am on the fence. I want the files back. Once I do that I can just disconnect the internet and be done with it.

I wonder... I got a spoof phishing email about me buying Google gift cards, but it was on my Android phone and I only checked the transaction ID link, so I doubt that did it....

When did you get hit? Mine was after Saturday.

About a week ago today I think. 


I think mine was hit around the same time. Very disappointed that there is nothing out there yet to help. Not sure what I should do.

I do see Emsisoft has server products at a reasonable price so that is good. Wish they had a decryptor though :(

Emsisoft, how do we help you help us fix this problem so others can be saved along with us??

12 hours ago, Scott1974 said:

I think mine was hit around the same time. Very disappointed that there is nothing out there yet to help. Not sure what I should do.

I do see Emsisoft has server products at a reasonable price so that is good. Wish they had a decryptor though :(

Emsisoft, how do we help you help us fix this problem so others can be saved along with us??

As GT500 said he doesn't really think this iteration will be cracked. The original version had its keys made public which is how the decryptor was made. This version was modified to have different encryption keys which may never be released.

I presume if someone were to pay for the ransomware decryption the instructions on how to decrypt might be useful. But who knows if paying will actually get you what you're trying to buy. Obviously these people are shady. 


Has anyone determined if the Stellar solution works for at least getting some of the files back? It seems like all the information online suggests that. I am not sure if I should just park the stuff and wait or attempt fixing. The hackers in my case wanted 1500 but, like you say, no guarantee of anything. Btw which country are you in? Wondering how it was spread or at least selected...especially my box. Nothing commercially important on it.


California. 

My guess is they just do a port scan for an open 3389 on a range of IPs and then brute force it. Chances are they already knew I had 3389 and when I made my password easy it just let them in. It took from Saturday to a Tuesday for them to get in once I changed my password.

I'm on vacation so haven't looked into any solutions since the first couple days. Once I found out it was showing up in the wild in August I figured it was going to be a while before the solution came out, if at all.

It'd be wise to make backups before testing decryption tools on your files. Or at least try on files you know aren't important and can stand to lose. I've read of decryption attempts potentially ruining files. 

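The post above describes the RDP brute-force pattern (many failed logons from one source, then a successful one). As an added example that is not code from this thread, here is a defender-side check over constructed Windows Security log records, in an assumed export layout of "timestamp event_id logon_type account source_ip" (not a real event log format), that flags sources exceeding a failure threshold inside a sliding window and reports any account they then logged in as:

```python
"""Flag RDP brute-force bursts and the logons that followed them.

Added example for this thread (not code from the original posts). The
records below are constructed, and the whitespace-separated layout
"timestamp event_id logon_type account source_ip" is an assumed export
format, not the real Windows event log file format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. Event 4625 = failed logon, 4624 = successful logon;
# logon type 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_LOG = """\
2017-08-19T02:00:01 4625 10 administrator 198.51.100.23
2017-08-19T02:00:02 4625 10 admin 198.51.100.23
2017-08-19T02:00:03 4625 10 user 198.51.100.23
2017-08-19T02:00:04 4625 10 guest 198.51.100.23
2017-08-19T02:00:05 4625 10 jesse 198.51.100.23
2017-08-19T02:00:06 4625 10 jesse 198.51.100.23
2017-08-19T02:00:09 4624 10 jesse 198.51.100.23
2017-08-19T02:10:00 4625 10 jesse 192.0.2.7
2017-08-19T02:10:30 4624 10 jesse 192.0.2.7
2017-08-19T03:00:00 4625 10 backup 203.0.113.9
2017-08-19T03:59:00 4625 10 backup 203.0.113.9
"""


def parse_record(line):
    """Split one assumed-format record into typed fields."""
    ts, event_id, logon_type, account, ip = line.split()
    return {
        "time": datetime.fromisoformat(ts),
        "event": int(event_id),
        "logon_type": int(logon_type),
        "account": account,
        "ip": ip,
    }


def analyze_rdp_logons(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures_in_window": n, "succeeded_as": [accounts]}}
    for every source that produced at least `threshold` RDP logon failures
    inside any `window`-long interval. A later successful RDP logon from a
    flagged source is the "they got in" case and is recorded per account."""
    recent_failures = defaultdict(list)  # ip -> failure timestamps in window
    flagged = {}                         # ip -> peak failures within a window
    logged_in_as = defaultdict(set)      # ip -> accounts used after flagging
    for line in text.strip().splitlines():
        rec = parse_record(line)
        if rec["logon_type"] != 10:      # only RDP sessions matter here
            continue
        if rec["event"] == 4625:
            stamps = recent_failures[rec["ip"]]
            stamps.append(rec["time"])
            # drop failures that fell out of the sliding window
            while stamps and rec["time"] - stamps[0] > window:
                stamps.pop(0)
            if len(stamps) >= threshold:
                flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(stamps))
        elif rec["event"] == 4624 and rec["ip"] in flagged:
            logged_in_as[rec["ip"]].add(rec["account"])
    return {
        ip: {"failures_in_window": n, "succeeded_as": sorted(logged_in_as[ip])}
        for ip, n in flagged.items()
    }


if __name__ == "__main__":
    for ip, info in analyze_rdp_logons(SAMPLE_LOG).items():
        print(ip, info)
```

Two failures an hour apart, or a single failure followed by success, stay below the threshold, so only the burst source is reported.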

I'm in Ontario and the only thing I can think of that happened is the same one you did. They brute force it open based on the domain name or some other thing that got their attention. I am hoping that something will pop up. It is a variant so something might float to the surface. How did the other keys get posted? Somebody found them or a guy just decided to release them?


I am planning on just doing some junk files first. Probably copy them off to a stick or something. Gotta start to try stuff. I am hoping this crew will eventually help. I put in a request for help on at least cleaning the virus off the system. All my data is on a RAID so the files are still there, just encrypted.


We definitely need to keep in touch.  I tagged notifications here.  Would share a contact email but too public.  Maybe another way.


Removing the infection isn't the issue. For me, I slaved the drive to my laptop and scanned. Found about 6 traces of it. Copied one of the exe files since they apparently are helpful. 

Another thing I noticed is they used my run command line to launch cmd. So I'm 100% certain it was an RDP attack. They were in my email and even deleted order confirmations then emptied the deleted items so I couldn't see everything they tried. 

The previous version had the keys posted by a random who I don't think was tied to any group, hacker or other. So those infected got lucky. 

I'll definitely update this thread if I make any progress. 


My system never had email in it per se; it was all a web-based login and I never save my passwords automatically. Never trusted it. The only stuff on it were movies, a few programs and mostly pictures and archived videos of trips and family stuff. It sounds like they were buying stuff on your accounts? Was yours a main system and not just a file server?


How could you tell they were in the CMD line doing their dirty work? I am not an IT star. My company is full of them...large central department plus DST people. One admin's friend was hit the last time, paid 200 and got nothing.


They only got to my NAS because my drives were mounted to my workstation. To the Trojan/virus they were local drives and it attacked them. It didn't care that they were running on a Linux box. This was my main home computer which is(was) on 24/7.


That truly sucks. Similar to me, just Linux; mine were the storage, the base drive was a small dinky SSD to do the pass-through. Explains the email issues. I changed most of my passwords already and have been checking accounts frequently.

Kind of wondering if I could claim this disaster on insurance; doubt it. Your email address was a different one than mine and it just went live, so I suspect more will get it and then more attention for a possible cure.

You just threw your boot drive in an enclosure and checked it on an outside box to clean it?


Essentially, yes. The encryption ruined my boot information when trying to go into safe mode. So I never did see a ransom message at all. If you slave it no autoruns will launch the virus so it's pretty safe. If you do this, try to quarantine or save all the files that are detected. They might come in handy to someone who can help. 

33 minutes ago, jojocynthia said:

Infected with .cesar from [email protected] and asking for 1 BTC... will not pay. Lost all data and very interested to find a way to decrypt files...

Sorry to hear. Time will hopefully heal these wounds! 


Hi there,


We've caught an infection, too.

Aside from the very obvious fact that a lot of files are encrypted and end with .cesar;

HOW CAN I FIND OUT IF THE BLOODY THING IS STILL "ALIVE" in my system after reboot?

So far I find nothing at all in Task Manager that's out of the ordinary. Also ZERO (or almost) CPU power...

No notes on how to decrypt.

Not .exe - or I don't know where to look at....


Any Ideas?


I would hold off doing anything for now I think. My plan, which the IT folks here think is best so far, is to pull the boot drive and the RAID drives and just hold them. As long as I duplicate the RAID card settings / configuration I can throw them back later on. Rebuild from scratch with new drives and OS, this time upgrade to the latest version.

I will be putting a dedicated hardware firewall up this time. We use Fortinet products and they gave me the daily report. We are hit over 2000 times a day with RDP brute force. Multiple sites, botnets; it is a joke. I honestly think the best thing would be to outlaw or ban Bitcoin, then there would be no incentive to do this stuff.

I would like Emsisoft to ask what files or information we can provide them to help. This appears to be spreading somewhat fast.

If I am building a new box I would like a good, reasonably priced anti-malware program. I asked sales here which is best but have heard nothing so far.


Any news? Got a follow-up email asking for even less now from the original guy, and a follow-up email to my work saying I was filmed and they were going to contact people from my contacts. Interesting stuff as I do not have any web cams at all....

Spanish name with an email address hosted in a Russian server. 

On 8/22/2017 at 9:22 PM, ruriimasu said:

... Any idea how to recover those files on Buffalo NAS?

Some sites mentioned using recovery software might help. Any thoughts?

If you can take the hard drives out and connect them to a computer, then that might be possible. Just don't use the drives until you can do that. It can depend on how the files were overwritten when they were encrypted, and in most cases file recovery software won't help.


On 8/22/2017 at 10:17 PM, ruriimasu said:

I hope they come up with a decryptor soon.

The only reason there was a decryption tool for the older variants of this ransomware was due to someone releasing the master decryption keys publicly on BleepingComputer.com's forums. If someone is kind enough to do that with this new ransomware, then it will be possible to update existing decryption tools to handle this newer variant.

I was told that this newer variant appears to have been distributed by someone else (not the same person who made the original), and all they did was insert new encryption keys into the ransomware. If that's the case, then we can't expect whoever is behind this newer variant to follow the same pattern as whoever was behind the older variants.


On 8/23/2017 at 8:28 AM, Scott1974 said:

Emsisoft how do we help you help us fix this problem so other can be saved along with us??

Unfortunately there really isn't any reliable way to recover files encrypted by this ransomware (especially when dealing with NAS or SAN storage systems). When the affected files were on a hard drive physically connected to the computer, then the only possibility of recovery (which is extremely iffy) is to try ShadowExplorer and see if the ransomware failed to delete Volume Shadow Copies. If they were deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies the odds of there being backup copies of important files in them are low to begin with.

Like I said, it's extremely iffy. I have heard stories of some people recovering files that way, however in most cases you're not going to be able to find much (if any) of the files you need to recover.


Small victory:

I got their domain suspended that they used for the email address on their ransom. Not sure if it will stick or not, but happy to know I can interrupt their scams at least a little.


Taking down their e-mail address does keep them from receiving communication from victims and trying to extort people for money, however it also leaves people without a way to recover their files.


Most will only have one e-mail address per variant of the ransomware, however sometimes there are several e-mail addresses. It depends on how exactly the ransomware creator wants to handle the methods their victims can contact them.


Based on what ID Ransomware is saying, this definitely looks like the Dharma ransomware.

In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).
http://www.shadowexplorer.com/

In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it.

Here's a link to a list of file recovery tools at Wikipedia:
https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery

8 hours ago, JesseK said:

In case anyone is wondering, still no updates from me. Saw a hacker hacked someone who was giving out ransomware and thought I'd check on .cesar's status. No luck.

That was the Muhstik ransomware. If anyone else is curious, there's more information at the following link:
https://www.bleepingcomputer.com/news/security/muhstik-ransomware-victim-hacks-back-releases-decryption-keys/
