My recent ransomware case that ended up badly.
A friend of mine recently contacted me asking for help with a crypto-virus. His company had been hit by ransomware. The virus managed to infect two networks, mostly hitting files in use (VHDs). So all files got encrypted and became unusable.
The infection came via email: a fake invoice with a malicious MS Word file attached. Once my friend downloaded the file and opened it, the document showed a prompt to enable macros. That was the trick; enabling macros started the virus propagation.
My friend provided me with a sample encrypted file. The file name was not changed, but a lengthy extension was added. The changed file name looked like this: report-0105.xlsx.id-D3Y9D1E7G.[firstname.lastname@example.org].wallet
I have been working with numerous ransomware infections for quite some time. Looking at the file name, I suggested it was a new variant of the Dharma malware. The original file name was not scrambled (report-0105.xlsx); it was followed by the victim’s ID, then the hackers’ contact email, and finally the virus version marker, .wallet.
Each victim gets its own ID. The contact emails depend on the group of cyber criminals running this particular campaign; each gang uses its own contact email. The last part, the actual file extension .wallet, reflects the latest virus version. Previous iterations of Dharma ransomware used the .dharma and .crysis extensions.
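As an added example (not the author's code), here is a small Python triage script that applies the naming scheme described above to a directory listing: it parses the victim ID, contact email and variant out of each name and summarises what matched, which is the first thing I would do when a new listing of encrypted files arrives. The sample listing is constructed (only the first name comes from the post), and the exact ransom note file name "FILES ENCRYPTED.txt" is an assumption.

```python
import re
from collections import Counter

# Regex for the Dharma naming scheme described in the post:
#   <original name>.id-<victim ID>.[<contact email>].<variant extension>
# The known variant extensions (.wallet, .dharma, .crysis) come from the post.
DHARMA_RE = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<victim_id>[A-Za-z0-9]+)"
    r"\.\[(?P<email>[^\]]+)\]"
    r"\.(?P<variant>wallet|dharma|crysis)$"
)

# Assumed file name of the ransom note dropped on the desktop and in each folder.
RANSOM_NOTE = "files encrypted.txt"


def parse_dharma_name(filename):
    """Return the parts of a Dharma-renamed file, or None if the name does not match."""
    m = DHARMA_RE.match(filename)
    return m.groupdict() if m else None


def triage(filenames):
    """Summarise a listing: how many files match, which victim IDs, emails and variants."""
    hits = [p for p in map(parse_dharma_name, filenames) if p]
    return {
        "total": len(filenames),
        "encrypted": len(hits),
        "ransom_notes": sum(1 for f in filenames if f.lower() == RANSOM_NOTE),
        "victim_ids": sorted({h["victim_id"] for h in hits}),
        "emails": sorted({h["email"] for h in hits}),
        "variants": dict(Counter(h["variant"] for h in hits)),
    }


# Constructed sample listing; the first entry is the name quoted in the post.
SAMPLE = [
    "report-0105.xlsx.id-D3Y9D1E7G.[firstname.lastname@example.org].wallet",
    "backup-01.vhd.id-D3Y9D1E7G.[firstname.lastname@example.org].wallet",
    "FILES ENCRYPTED.txt",
    "invoice.docx",
    "archive.tar.gz.id-D3Y9D1E7G.[firstname.lastname@example.org].wallet",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```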
Besides the file naming, another sign that it was the Dharma virus is the ransom note. After encrypting files, the crooks put a .txt file called FILES ENCRYPTED on the desktop and in each folder. This text file provides instructions on how to get the encrypted files back.
The wording used in the ransom note is very close to previous versions of the Dharma virus. Victims are told to send a message to sabantui @ tutanota. com and provide their victim ID. After that the crooks provide a Bitcoin address to send the money to. Once the victim pays, the crooks promise to send the decryption key.
This is the standard procedure Dharma authors use to collect the ransom. The hackers insist on a quick turnaround and urge victims to contact them asap. Although I know of many cases in which they sent the decryption key after receiving the payment, paying is not recommended. You can be left without both money and files. You cannot trust hackers.
It is also important that when communicating with hackers, victims always use a VPN to hide their IP and system data. When you pay, hackers like to come back and infect you a second time.
In our case it was not difficult to identify the exact virus. However, many new victims have no ransomware experience. If you are hit by file-encrypting malware, the first step is to find out what it is. There are several tools for this; the best one is the free ID Ransomware tool. You upload an encrypted file and your ransom note. Security researchers keep records of all ransomware viruses and can quickly help you.
Once you know the name of the virus, you proceed to step two: looking for any existing decryption tools. Hackers often make mistakes in their code, allowing antivirus vendors to break the encryption and create decryption tools.
Again, in our case we knew it was Dharma. Sadly, this version of Dharma was professionally crafted and could not be broken by malware researchers. It is not possible to decrypt files locked by this virus. My friend tried ransomware decryption tips and tools from ESET, Kaspersky and HitmanPro. Nothing helped. The hackers use strong encryption, both RSA and AES. I was not able to help in any way.
The only choice left for us was to describe the case on a dedicated ransomware support forum. Most ransomware researchers (from reputable antivirus firms) contribute to that community. Even if no decryption solution is available now, one may appear in the near future (there have been a lot of such cases), or the hackers may post the decryption key themselves. It is important not to modify the encrypted files; keep them in a safe place and wait.
My friend decided not to pay the ransom, as the amount the hackers requested was almost equal to what the locked data was worth. If your data is very important, you end up paying. Ransomware threats are growing because plenty of people pay the hackers.
All of these troubles could have been prevented by simple data backups. Sadly, my friend’s company had not backed up their systems for several months. Other businesses should learn this lesson: make regular backups and keep them offline!
About the author:
My name is David Balaban. I am a computer security researcher with over 15 years of experience in malware analysis and antivirus software. The SAP community needs and wants great content on topics I am good at, like infosec, IoT and blockchain. I wish to share my knowledge and experience here and connect with people I might never have had any contact with otherwise.