Ruben 0 Report post Posted April 3 all your data has been locked us You want to return? write email [email protected] or [email protected] help me please Quote Share this post Link to post Share on other sites
stapp 124 Report post Posted April 3 I recommend uploading a copy of the ransom note along with an encrypted file to ID Ransomware so that you can verify which ransomware you are dealing with:https://id-ransomware.malwarehunterteam.com/ You can paste a link to the results into a reply if you would like one of our experts to review them. Quote Share this post Link to post Share on other sites
Ruben 0 Report post Posted April 4 subir archivos resultado: https://id-ransomware.malwarehunterteam.com/identify.php?case=18685623a81c0f15c082a6072d36634006e56752 gracias Quote Share this post Link to post Share on other sites
GT500 559 Report post Posted April 5 That's Dharma, and unfortunately there's no known way to decrypt files that have been encrypted by that variant of Dharma without first obtaining the private key from the criminals who made/distributed the ransomware. Note that I would believe that Dharma is installed by an attacker who brute forces an RDP (Remote Desktop) password, and remotely connects to the computer to run the ransomware on it. I highly recommend securing RDP to ensure that this does not happen again. I'll leave some steps for getting started securing RDP below. First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit. If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts. Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions). I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable passwords managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online. When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses. Quote Share this post Link to post Share on other sites
