Nasir Bashir

Need help with Charm Ransomware

Recommended Posts

OK, I've confirmed that the Dharma detection was correct. Unfortunately it looks like something else may have encrypted the files after Dharma did, and added the .charm extension. Whatever it was it encrypted the Dharma filemarker, which is one of the reasons ID Ransomware didn't flag more than the e-mail address as Dharma.

We're not sure what left the .charm extension yet, but the ransom note you attached to your post is from that unknown ransomware. Let's try getting a log from FRST, and see if it shows anything that could help us figure out what this unknown ransomware is. You can find instructions for downloading and running FRST at the following link:
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

Share this post


Link to post
Share on other sites

I know which Ransomware left the extension .charm

This is Ransomnix, which I know from the summer of 2017. It is described in my article Ransomnix Ransomware.

Then Michael added him to ID Ransomware.

The variant with the .charm extension appeared a year later, I added it as an update in October 2018. 

In January 2019, a new version was seen with an extension .mdk4y
The sample is here.

Share this post


Link to post
Share on other sites

Thus, files encrypted first by Dharma, then covered with new encryption from Ransomnix

.id-EE8B9148.[[email protected]].bgtx + .charm

This .bgtx-variant of Dharma Ransomware appeared in early October 2018.
This variant of Ransomnix-Charm was also noted by me in October 2018. 

Share this post


Link to post
Share on other sites

Thanks guys.

@Nasir Bashir please note that there is no known way to decrypt files that have been encrypted by the Dharma ransomware without first obtaining the private key from the criminals who made/distributed the ransomware. I would believe the same is also true for Ransomnix.

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.