
Hi,
you guys were really helpful to me before when one of my clients' servers was attacked by Zenis and we were able to recover all data with the help you gave...
I have another client who has experienced a ransomware attack; this time the ransom note is from [email protected]

We are in a good position as we stopped the attack before it was able to do too much damage (although it still has caused us a massive cleanup operation), and we also have some very good backups in place so we were able to recover everything, but of course it is still costing my client some uncomfortable downtime...

First question is: does anyone know anything about this ransomware? Secondly, because we have 'before & after' files, would these be of use to you? Also, I think we identified how the attacker was able to get access etc., and we still have the account that was used intact in case there may be useful information on there?


Oh dear, it says:

Dharma (.cezar Family)

This ransomware has no known way of decrypting data at this time.

So it's a good job we had some really good backups, as we have recovered pretty much back to full capacity!
We are currently using RDP, but I think we need to look at alternative ways to get remote users connected. I'm told VPN is the way to go with this, but what is the best software to use?
7 hours ago, milopware said:

We are currently using RDP, but I think we need to look at alternative ways to get remote users connected. I'm told VPN is the way to go with this, but what is the best software to use?

There are tons of VPN solutions available. OpenVPN tends to be the most popular. Windows has a built-in VPN protocol called Point-to-Point Tunneling Protocol (PPTP) which can be used when configuring VPN options in Windows without third-party software. Most VPN solutions are intended to use UDP packets; however, if you need to use TCP due to connection quality issues, then note that SoftEther is designed to be more efficient while using TCP packets for VPN connections. And, of course, many routers these days (especially enterprise-class routers) have OpenVPN-compatible VPN servers built right in. If your router doesn't, then you can always check and see if there's a version of the DD-WRT, Tomato by Shibby, or FreshTomato (still in beta) firmwares available for your router.

Also, here's some advice to help get you started on dealing with an RDP compromise:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters, and that they be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary, then there are reasonable password managers from LastPass, Bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.
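The port audit and the "only reachable over the VPN" rule described above, as an added example for a Windows host (not code from the original post). It assumes the VPN hands out addresses from 10.8.0.0/24, which is a placeholder to replace with your own VPN range.

```powershell
# Added example, not from the original post. Assumes the VPN client subnet is
# 10.8.0.0/24 (placeholder); edit it before running.
$VpnSubnet = '10.8.0.0/24'

# 1. Port audit: list every enabled inbound Allow rule with its protocol, local
#    ports and remote-address scope. A RemoteAddress of "Any" means the port is
#    open to the whole world (or the whole LAN) rather than to a known set of IPs.
$audit = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [PSCustomObject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            Protocol      = $port.Protocol
            LocalPort     = ($port.LocalPort -join ',')
            RemoteAddress = ($addr.RemoteAddress -join ',')
        }
    }

# Show the globally reachable rules first; these are the ones to justify or close.
$audit | Sort-Object RemoteAddress | Format-Table -AutoSize

# Keep a record of the pre-change state for the audit trail.
$audit | Export-Csv -Path "$env:USERPROFILE\inbound-rules-before.csv" -NoTypeInformation

# 2. Scope the built-in Remote Desktop rules (TCP/UDP 3389) to the VPN subnet
#    instead of "Any", so RDP is only reachable by clients already on the VPN.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $VpnSubnet

# Confirm the change took effect.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Run this from the local console (or a management session that does not itself come in over RDP), since scoping the Remote Desktop rules drops any existing RDP session that is not coming from the VPN range.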


Dear All,

Sunday morning was hard for me.... I found a ransomware attack on my Windows 10 data-server machine. Email: [email protected], extension .adobe. All my data is encrypted, with the same email address as the subject. I removed all the ransomware virus files using SpyHunter 5, but the data is still encrypted. Please, can anyone help me with a decryption method for this data? I am also using the File Recovery Pro software tool, but it does not work for me.

sikandarrouf


sikandarrouf

This means only one thing: you used protection that did not protect your files from encryption.

There is no free decrypter for files encrypted after an attack by the Dharma ransomware variant that used the email [email protected]

10 hours ago, sikandarrouf said:

I removed all the ransomware virus files using SpyHunter 5.

Most ransomware deletes itself once it's done encrypting files. This is done to make analysis more difficult.

10 hours ago, sikandarrouf said:

but the data is still encrypted. Please, can anyone help me with a decryption method for this data?

There is no known way to recover files from this variant of Dharma without first obtaining the private key from the criminals who made/distributed the ransomware.
