BartW_Portland 0 Report post Posted March 24, 2018 Found ransom note on desktop. Most all files are encrypted and renamed with an 36FF1EC9.[[email protected]].java extension. Files on attached drive (attached to router via usb) are encrypted as well. Incident occurred on or around Feb 19th. Have run both the EEK and FRST. Resulting files are attached herein. Addition.txt FRST.txt scan_180324-134345.txt Quote Share this post Link to post Share on other sites
GT500 505 Report post Posted March 26, 2018 I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like for me to review them. Quote Share this post Link to post Share on other sites
BartW_Portland 0 Report post Posted March 27, 2018 Thanks Arthur. Heres the result from the id-ransomware.malwarehunterteam.com site: 1 Result Dharma (.cezar) This ransomware has no known way of decrypting data at this time. It is recommended to backup your encrypted files, and hope for a solution in the future. Identified by sample_extension: .id-<id>.[<email>].java sample_bytes: [0x5A00 - 0x5A40] 0x00000000020000000CFE7A410000000000000000000000002000000000000000 custom_rule: Original filename "index.html" after filemarker Click here for more information about Dharma (.cezar) +++++++++++++++++++++++++++++++++++++++++++++++++++++ Please advise. Thanks, Brent Quote Share this post Link to post Share on other sites
GT500 505 Report post Posted March 27, 2018 That's definitely Dharma. Unfortunately Dharma uses secure encryption. In the case of ransomware like this, which uses secure encryption and generates new public/private keys for every computer it infects, usually there is no way to decrypt the files without getting the private key from the criminals who made the ransomware. You can try a tool such as ShadowExplorer, however ransomware like this usually deletes Volume Shadow Copies, so ShadowExplorer will usually find nothing. Even if the Volume Shadow Copies were not deleted, the odds of finding backup copies of files in them is pretty slim, since Windows would normally only leave backup copies of files in the Volume Shadow Copies if you were using Microsoft's own backup software for data backups (although sometimes the System Restore will save copies of files in the Volume Shadow Copies).http://www.shadowexplorer.com/ In cases where the Volume Shadow Copies are deleted, then note that ransomware doesn't generally delete them securely, so it might be possible to use a file undelete utility to undelete the old Volume Shadow Copies, and then use ShadowExplorer to recover files, however this isn't necessarily straightforward to do (the computer will need to be running from a bootable disk to have write access to the "System Volume Information" folder, or the hard drive will need to be connected to another computer), and even if you can recover the old Volume Shadow Copies, as mentioned above the odds of there being backup copies of important files in them are low to begin with. Note that you may need to find a local computer technician who can assist you with this if you do want to try it. Here's a link to a list of file recovery tools at Wikipedia:https://en.wikipedia.org/wiki/List_of_data_recovery_software#File_Recovery Quote Share this post Link to post Share on other sites
