Miguel86

Infected with .ROGER


Hi:
Last week I got infected with ROGER ransomware. After paying I got a decryption tool and a key which decrypts some files but not all. I still have files to recover. I suppose that for a single ID there are multiple decryption keys and not all keys decrypt everything.
With the decryption key I got, I have some Excel files that are decrypted and others not.
.mdf and .ldf files are not decrypted (SQL Server databases).

Does this mean that there are multiple decryption keys and not all keys can decrypt all files, or that the decryption tool they sent me has "built-in logic" to prevent decrypting this kind of file?

They want to make me pay more to decrypt all files. I searched a lot and it seems that it is a DHARMA variant and there is no decryption software right now (the reason why I paid...).

Is there anything else I could try? I have a copy of the original disk; the original I didn't touch, and I extract files from the cloned disk (which is cleaned of ransomware). I extracted files from this clean disk and copied them to a virtual machine where I executed the decrypter with the key.


Are all of the files on the same computer? Usually there would only be one key, although files getting encrypted more than once is also a possibility and might cause them to have been encrypted with different keys.

You can try attaching some of the encrypted files to a reply for us to look at. Usually the file names would give away if they had been encrypted more than once though.

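One way to do the filename check described in the reply above (whether a file carries the ransomware suffix more than once, and how many distinct id/email pairs a directory references), as an added example that is not part of the original thread. It assumes the Dharma-style naming layout `name.ext.id-<8 hex>.[email].ROGER`; the file names it scans are constructed placeholders.

```python
import re
from collections import Counter

# Assumed Dharma-style suffix layout: .id-<8 hex chars>.[<contact email>].ROGER
# A file that was encrypted twice carries this suffix twice, one after the other.
SUFFIX = re.compile(r"\.id-([0-9A-Fa-f]{8})\.\[([^\]]+)\]\.ROGER", re.IGNORECASE)


def parse_layers(name):
    """Return one (victim_id, email) tuple per encryption layer, in the order applied."""
    return [(m.group(1).upper(), m.group(2).lower()) for m in SUFFIX.finditer(name)]


def original_name(name):
    """Strip every ransomware suffix so the name can be matched against a backup or proof file."""
    return SUFFIX.sub("", name)


def triage(names):
    """Split a listing into single-layer, multi-layer and untouched files, and count
    how many files reference each (victim_id, email) pair. More than one pair in
    'keys' means more than one key would be needed to decrypt everything."""
    report = {"single": [], "multiple": [], "untouched": [], "keys": Counter()}
    for name in names:
        layers = parse_layers(name)
        if not layers:
            report["untouched"].append(name)
        elif len(layers) == 1:
            report["single"].append(name)
        else:
            report["multiple"].append(name)
        for layer in layers:
            report["keys"][layer] += 1
    return report


# Constructed sample listing; ids and e-mail addresses are placeholders, not real indicators.
SAMPLE = [
    "sales.xlsx.id-1A2B3C4D.[roger@example.test].ROGER",
    "ventas.mdf.id-1A2B3C4D.[roger@example.test].ROGER",
    "ventas_log.ldf.id-1A2B3C4D.[roger@example.test].ROGER.id-9F8E7D6C.[other@example.test].ROGER",
    "readme.txt",
]

if __name__ == "__main__":
    r = triage(SAMPLE)
    for bucket in ("single", "multiple", "untouched"):
        print(bucket, r[bucket])
    for (vid, mail), n in r["keys"].items():
        print(f"id {vid} / {mail}: {n} file(s)")
```

Run it against `os.listdir()` of the copied directory instead of `SAMPLE`; a file in the `multiple` bucket must be decrypted with the key for its last layer first.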

Hi:
Yes, all the files are on the same computer and same disk (also in the same partition). When I use the decrypter it says something like "n files encrypted, 0 decrypted, 0 errors", but some files it just skips.
Filenames have the "encryption" suffix only once. I'm going to upload an encrypted file (that I'm not able to decrypt with my key); also, if needed, I could provide (by private message) the decrypter and the key.


I checked the file you sent me, but it doesn't appear to have been encrypted more than once. Is it one of the files the decrypter sent by the criminals couldn't decrypt?

On 2/28/2020 at 2:16 AM, Miguel86 said:

I'm trying to upload the file, which compressed is 3Mb, but the website gives me an error -200

Unfortunately the error number is only helpful to the makers of the forum software we use, as it identifies where in the source code the error occurred. It's not actually an "error code" with a pre-defined meaning, so there's no way to look up what it means.


Yes, the file sent is an MDF that the decrypter doesn't decrypt with the key they sent.

Also, I have that file decrypted, as they sent it to me as a proof.

On 2/27/2020 at 1:06 PM, Miguel86 said:

ROGER ransomware.

This is Dharma Ransomware with the .ROGER extension and Jolly Roger in the title of the note.

Different samples have different ransomware email addresses.

You did not say which email was in the note, so that we can compare variants and samples.


I've been told that we don't have anything already available that can help with Dharma decryption. We do offer ransomware remediation services, however these are priced for corporate clients and will seem rather expensive if this isn't for a business. We have a form for making an inquiry at the following link:
https://www.emsisoft.com/en/tools/ransomware-recovery/inquire/

On 2/27/2020 at 3:06 AM, Miguel86 said:

hi, could you give me a copy of the decrypter at my email please <e-mail removed>

thanks

Edited by GT500

5 hours ago, luis2020 said:

hi, could you give me a copy of the decrypter at my email please <e-mail removed>

thanks

His decrypter won't work for you. The private key for your computer will be different than his, and it won't decrypt your files. If the same decrypter worked on multiple computers, then it would be really easy for us to make a decrypter that worked for everyone.

Also, never post your e-mail address on a public forum. The criminals who make these ransomwares monitor forums like ours, and they will try to contact you and scam you out of money offering "assistance".

On 2/27/2020 at 2:06 AM, Miguel86 said:

Hi:
Last week I got infected with ROGER ransomware. After paying I have a decryption tool and a key that decrypts some files, but not all. I still have files to recover. I suppose that for a single ID there are several decryption keys and not all keys decrypt everything.
With the decryption key I have some Excel files that are decrypted and others not.
The .mdf and .ldf files are not decrypted (SQL Server databases).
Does this mean that there are multiple decryption keys and not all keys can decrypt all files, or that the decryption tool they sent me has "built-in logic" to prevent decrypting this kind of file?

They want to make me pay more to decrypt all files. I searched a lot and it seems that it is a Dharma variant and there is no decryption software at this time (the reason why I paid...).

Is there anything else I can try? I have a copy of the original disk, the original which I didn't touch, and I extract files from the cloned disk (which is cleaned of ransomware). I extracted files from this clean disk and copied them to a virtual machine where I ran the decrypter with the key.

hi, I have the same problem, I was infected by .roger and I have investigated and I can't find anything useful to recover my information; I would appreciate it if you can help me.

15 hours ago, edwin371 said:

hi, I have the same problem, I was infected by .roger and I have investigated and I can't find anything useful to recover my information; I would appreciate it if you can help me.

This is usually Dharma ransomware, and there's currently no known way to decrypt files that have been encrypted by Dharma.


Hello, thank you very much, I'm going to have to wait until there is a decrypter, since paying the ransom doesn't ensure that I will recover my files.

16 hours ago, edwin371 said:

Hello, thank you very much, I'm going to have to wait until there is a decrypter, since paying the ransom doesn't ensure that I will recover my files.

You're welcome.