Nasir Bashir Posted May 10, 2019

Hi, my files have been encrypted with charm ransomware, at least that is what it says in the file extension. And the recovery note has a "use key" in it. Is there a possibility to decrypt the files using that key? Can someone please take a look at the attachments?

Attachments: HOW_TO_RETURN_FILES.txt, pic1.png.id-EE8B9148.[[email protected]].bgtx.charm
GT500 Posted May 10, 2019

ID Ransomware says this is Dharma based on the e-mail address: https://id-ransomware.malwarehunterteam.com/identify.php?case=ca2c96deeb11274b1e82c9ee3e95dd15849bbfa7

Normally it would flag Dharma based on more factors than just the e-mail address, so I've asked to see if this detection is correct.
GT500 Posted May 10, 2019

OK, I've confirmed that the Dharma detection was correct. Unfortunately, it looks like something else may have encrypted the files after Dharma did, and added the .charm extension. Whatever it was, it encrypted the Dharma filemarker, which is one of the reasons ID Ransomware didn't flag more than the e-mail address as Dharma. We're not sure what left the .charm extension yet, but the ransom note you attached to your post is from that unknown ransomware.

Let's try getting a log from FRST and see if it shows anything that could help us figure out what this unknown ransomware is. You can find instructions for downloading and running FRST at the following link: https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/
Amigo-A Posted May 11, 2019

I know which ransomware left the extension .charm. This is Ransomnix, which I have known since the summer of 2017. It is described in my article Ransomnix Ransomware. Then Michael added it to ID Ransomware. The variant with the .charm extension appeared a year later; I added it as an update in October 2018. In January 2019, a new version was seen with the extension .mdk4y. The sample is here.
Amigo-A Posted May 11, 2019

Thus, the files were encrypted first by Dharma, then covered with new encryption from Ransomnix: .id-EE8B9148.[[email protected]].bgtx + .charm

This .bgtx variant of Dharma Ransomware appeared in early October 2018. This variant of Ransomnix-Charm was also noted by me in October 2018.
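A filename triage helper that peels off the two layers Amigo-A describes (the Dharma `.id-<8 hex>.[<e-mail>].<variant>` block, then the Ransomnix `.charm` / `.mdk4y` suffix on top) and reports them in the order they were applied. This is an added example for readers doing their own first-pass identification; it is not code from the thread or from ID Ransomware, and the e-mail address in the sample filename is a constructed placeholder.

```python
import re

# Outer-layer extensions that the thread attributes to Ransomnix.
RANSOMNIX_EXTENSIONS = {"charm", "mdk4y"}

# Dharma naming scheme as shown in the thread:
#   <original name>.id-<8 hex digits>.[<contact e-mail>].<variant extension>
DHARMA_PATTERN = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]]+)\]\.(?P<variant>[A-Za-z0-9]+)$"
)


def parse_layers(filename: str) -> dict:
    """Strip known ransomware suffixes from a filename, outermost first.

    Returns the recovered original name, the Dharma fields (victim id,
    contact e-mail, variant extension) when present, and the list of
    encryption layers in the order they were applied to the file.
    """
    result = {"original": filename, "dharma": None, "layers": []}
    base = filename

    # Outermost layer: a Ransomnix extension appended after everything else.
    stem, _, last = base.rpartition(".")
    if stem and last.lower() in RANSOMNIX_EXTENSIONS:
        result["layers"].insert(0, f"ransomnix:{last.lower()}")
        base = stem

    # Next layer inward: the Dharma id / e-mail / variant block.
    m = DHARMA_PATTERN.match(base)
    if m:
        result["dharma"] = {
            "victim_id": m.group("victim_id").upper(),
            "email": m.group("email"),
            "variant": m.group("variant").lower(),
        }
        result["layers"].insert(0, f"dharma:{m.group('variant').lower()}")
        base = m.group("original")

    result["original"] = base
    return result


if __name__ == "__main__":
    # Constructed sample mirroring the attachment name in the first post,
    # with a placeholder e-mail address instead of the real contact address.
    sample = "pic1.png.id-EE8B9148.[ransom@example.invalid].bgtx.charm"
    print(parse_layers(sample))
```

A filename that matches neither pattern comes back with an empty `layers` list, so the helper can be run over a whole directory listing without special-casing untouched files.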
Demonslay335 Posted May 11, 2019

Thanks @Amigo-A, seems like another one I missed updates on. I've added the extensions to ID Ransomware now.
GT500 Posted May 13, 2019

Thanks guys. @Nasir Bashir, please note that there is no known way to decrypt files that have been encrypted by the Dharma ransomware without first obtaining the private key from the criminals who made/distributed the ransomware. I would believe the same is also true for Ransomnix.