
Hello. It is a pity that this happened ...

You need to attach a ransom note and a few encrypted doc, jpg, png files to your first or a new post.


Let's also clarify:

Does the extension look like this? - .ETH
Do the encrypted files look like this? - original_filename.id-XXXXXXXX.[phobos.encrypt@qq.com].ETH

XXXXXXXX stands for letters and numbers.

If so, this means that the files are encrypted by Dharma Ransomware.

Read more: 

This '.id-XXXXXXXX.[phobos.encrypt@qq.com].ETH' is added to your files
This 'XXXXXXXX' is your ID as a victim of the ransomware
This 'phobos.encrypt@qq.com' is an address of the extortionists
This '.ETH' is the ending extension for your encrypted files
This '.id-XXXXXXXX.[phobos.encrypt@qq.com].ETH' is a compound extension for your encrypted files

This is the general pattern of Dharma Ransomware, .id-<id>.[<email>].ETH, for encrypted files of the version with the extension .ETH
This is the pattern of Dharma Ransomware, .id-<id>.[phobos.encrypt@qq.com].ETH, for your encrypted files


The result of uploading the notes and files will be the same as I described above. :)
Because ID Ransomware will react to the pattern and the known extension, and, if it is already known, to the email as well.
But the email can already be used in other projects from which the extortionists are moving. (They usually roam like beetles from one feeder to another).

Dharma Ransomware also used the typical file marker and the typical name of the project for a long time. This is easy to see, but extortionists can get rid of these easily recognizable elements of "folk art". In some variants this happened.
