Need help with Charm Ransomware

OK, I've confirmed that the Dharma detection was correct. Unfortunately, it looks like something else may have encrypted the files after Dharma did, and added the .charm extension. Whatever it was, it encrypted the Dharma filemarker, which is one of the reasons ID Ransomware didn't flag more than the e-mail address as Dharma.

We're not sure what left the .charm extension yet, but the ransom note you attached to your post is from that unknown ransomware. Let's try getting a log from FRST, and see if it shows anything that could help us figure out what this unknown ransomware is. You can find instructions for downloading and running FRST at the following link:

I know which ransomware left the .charm extension.

This is Ransomnix, which I have known since the summer of 2017. It is described in my article Ransomnix Ransomware.

Michael then added it to ID Ransomware.

The variant with the .charm extension appeared a year later; I added it as an update in October 2018.

In January 2019, a new version was seen with the extension .mdk4y.
The sample is here.

Thanks guys.

@Nasir Bashir please note that there is no known way to decrypt files that have been encrypted by the Dharma ransomware without first obtaining the private key from the criminals who made/distributed the ransomware. I would believe the same is also true for Ransomnix.
