JusT, December 4, 2018:

Hello, unfortunately our computer is infected. May I get help with it please? (Attached: Addition.txt, FRST.txt)
GT500, December 4, 2018:

I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with: https://id-ransomware.malwarehunterteam.com/

You can paste a link to the results into a reply if you would like for me to review them.
JusT, December 4, 2018:

Hello, thanks for the reply. Here is the link: https://id-ransomware.malwarehunterteam.com/identify.php?case=11dd94b7d4f7163fd91c62ceab1e791d8bf8369b
GT500, December 5, 2018:

That's almost certainly a variant of Dharma. Unfortunately there's no known way to decrypt files that have been encrypted by modern variants of Dharma without first obtaining the private key from the criminals who made/distributed the ransomware.
JusT, December 5, 2018:

Should we wait for a future possibility or pay them?
GT500, December 6, 2018:

We never recommend paying the ransom, as it only encourages these criminals to continue distributing their ransomware. That being said, the decision is ultimately up to you. As far as I know, whoever is behind Dharma/Crysis will usually send a working decryption tool; however, if the tool they send doesn't work, then they may not assist you in figuring out why.

Of course, Dharma has been around for a little while now in various forms, and I'm sure that various law enforcement agencies are working with computer security companies to gain access to the command and control servers used by Dharma/Crysis. In theory, it is only a matter of time before they find a weakness and gain access to the database of private keys; however, there is no way to know for certain when that would happen.

If you can wait, then it's best to make a backup of your encrypted files so that they can be recovered when someone releases a decryption tool.
JusT, December 6, 2018:

Understood. Thank you for your time and answers.
GT500, December 7, 2018:

You're welcome.
Ho33einf, December 22, 2018:

Please help, our server was attacked. Please help me. I have attached a virus file: putty.exe.id-A45CC4DF.[[email protected]].adobe
GT500, December 25, 2018:

On 12/22/2018 at 9:06 AM, Ho33einf said: Please help, our server was attacked. Please help me. I have attached a virus file: putty.exe.id-A45CC4DF.[[email protected]].adobe

That's almost certainly Dharma as well: https://id-ransomware.malwarehunterteam.com/identify.php?case=7e7abdd986cfa743b35cfbf938c06bdff7a101c4

There's still no known way to decrypt files that have been encrypted by the Dharma ransomware.

Since this is a server, I recommend making sure that RDP is secure. Here are some tips for getting started:

First, I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions). I recommend that every account have a different password, that passwords be no shorter than 25 characters, and that they be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords.

KeePass is probably the simplest password manager, and it stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc.) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only opening the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
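The RDP hardening steps in the post above (audit which inbound rules are open to the world, close them, then reopen RDP only for the VPN and harden the RDP listener), worked through as an added PowerShell example. This is not code posted in the thread; it assumes the affected machine runs Windows Server with the built-in firewall, that you are in an elevated session with out-of-band access (console or hypervisor), and that your VPN hands clients addresses from 10.8.0.0/24 (an assumed subnet; substitute your own):

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell session on the
# server. $VpnSubnet is an assumption; replace it with the address range your VPN clients use.
#Requires -RunAsAdministrator

$VpnSubnet = '10.8.0.0/24'   # assumption: VPN client subnet that should be allowed to reach RDP

# 1. Audit: enabled inbound allow rules whose remote-address scope is "Any". Each of these
#    exposes a local port to every address the host is reachable from.
function Get-GloballyOpenInboundRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $addr = $rule | Get-NetFirewallAddressFilter
        $port = $rule | Get-NetFirewallPortFilter
        if ($addr.RemoteAddress -contains 'Any') {
            [pscustomobject]@{
                Name       = $rule.DisplayName
                Profile    = $rule.Profile
                Protocol   = $port.Protocol
                LocalPort  = ($port.LocalPort -join ',')
                RemoteAddr = ($addr.RemoteAddress -join ',')
            }
        }
    }
}

Write-Host 'Inbound allow rules open to any remote address:'
Get-GloballyOpenInboundRule | Sort-Object Name | Format-Table -AutoSize

# 2. Contain: the post suggests closing every open port until the audit is finished.
#    Uncomment only if you have console access; over RDP this disconnects you.
# Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Disable-NetFirewallRule

# 3. Reopen RDP only for the VPN subnet rather than globally (the built-in "Remote Desktop"
#    group covers the TCP, UDP and shadow rules).
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $VpnSubnet

# 4. Require Network Level Authentication and TLS on the RDP listener so an unauthenticated
#    client never reaches the logon screen.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord
Set-ItemProperty -Path $rdpTcp -Name SecurityLayer      -Value 2 -Type DWord

# 5. Blunt password guessing against the accounts that remain RDP-capable:
#    lock after 5 failures, for 30 minutes, with the failure counter reset after 30 minutes.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 6. Verify: no Remote Desktop rule may still be scoped to "Any".
$stillOpen = Get-GloballyOpenInboundRule | Where-Object { $_.Name -like 'Remote Desktop*' }
if ($stillOpen) {
    Write-Warning "RDP still reachable from Any: $($stillOpen.Name -join ', ')"
} else {
    Write-Host "RDP now limited to $VpnSubnet; re-run the audit for the remaining rules."
}
```

Two caveats a practitioner would want: the firewall on the host only helps if the perimeter device is not also forwarding 3389 to it, so check the router/firewall port-forward table as well, and the Single Packet Authorization or port-knocking setup mentioned in the post lives on that perimeter device rather than on the Windows host, which is why it is not shown here. The account-lockout values are a starting point, not a recommendation for every environment.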