TgrBlood (posted September 17, 2018):
When I got to the office this morning I noticed that all files on my server have been renamed with a Gamma extension (check picture). I Googled it and can't find anything about it or a way to fix it. Anybody seen this before or know of a way to fix it? What a way to start a Monday.

Marcos, Administrators (posted September 17, 2018):
Please provide:
- ELC logs from the server
- a handful of encrypted files (ideally Office documents not containing sensitive data)
- payment instructions (the ransomware note dropped by ransomware)
- information about what folders contain encrypted files
- logs from the tool that I'll provide you with via a personal message momentarily.
Compress all stuff into a single archive and upload it to our ftp server as per the instructions I'm gonna send you.

DamianTodarello (posted September 17, 2018):
Hi! I have just arrived at my office this morning and found exactly the same attack! All of my files on Server 2012 have been encrypted to .gamma. Please see the attached prtscrn and also the message left by the attackers.

AHBA (posted September 17, 2018):
> 9 hours ago, TgrBlood said: When I got to the office this morning I noticed that all files on my server have been renamed with a Gamma extension (check picture). I Googled it and can't find anything about it or a way to fix it. Anybody seen this before or know of a way to fix it. What a way to start a Monday.
Have you found any solution to this????

Marcos, Administrators (posted September 17, 2018):
Please check your personal messages for instructions how to carry on.

Biojumper85 (posted September 20, 2018):
Help I also have the same problem help you please

Marcos, Administrators (posted September 20, 2018):
> 22 minutes ago, Biojumper85 said: I also have the same problem help you please
In case of Filecoder.Crysis decryption is not possible. However, you can provide me with ELC logs to review your configuration and logs and to make sure that your ESET product is configured properly. If using RDP, we strongly recommend using it only internally. For connections from outside, use VPN or at least use 2FA to prevent attackers from getting to the machine, disabling AV and running ransomware.

itman (posted September 20, 2018; edited September 20, 2018 by itman):
I came across a web posting that indicates Kaspersky's decrypter might work against .gamma extension encrypted files:
> Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .gamma files. Download it here: https://support.kaspersky.com/10556
The Kaspersky download web page indicates the decrypter works against versions 2 and 3 of Crysis. The site doesn't specifically show the .gamma extension as supported but it might be worth a try.

Marcos, Administrators (posted September 20, 2018):
We too have a decryptor for very old versions of Crysis but newer versions are not decryptable.

ynotleth (posted September 28, 2018):
I installed the latest version of NOD32, but still affected, any solution ..

itman (posted September 28, 2018; edited September 28, 2018 by itman):
> 6 hours ago, ynotleth said: i installed the latest version of NOD32, but still affected, any solution ..
Other than what has been posted previously in this thread, the answer is no. The .gamma extension is associated with the Dharma strain of Crysis ransomware. For reference, you can read the following: https://www.bleepingcomputer.com/news/security/gamma-bkp-and-monro-dharma-ransomware-variants-released-in-one-week/ . Of note in this posting is the following:
> As the Dharma Ransomware is typically installed via hacked Remote Desktop services, it is very important to make sure it's locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network. It is also important to set up proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services.
Also bleepingcomputer.com has a dedicated section on ransomware identification and decryption mitigation methods.

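The brute forcing of Remote Desktop accounts described in the article quoted above leaves failed-logon events (ID 4625) in the Windows Security log. As an added example, not part of any post in this thread and not ESET or BleepingComputer code, this Python script flags source addresses that reach a failure threshold and then log on successfully; the CSV layout, the sample rows and the function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows, as if exported from the Security log:
# timestamp, event ID, logon type, source IP, account. Not real data.
SAMPLE_EVENTS = """\
2018-09-16T23:01:05,4625,3,203.0.113.7,admin
2018-09-16T23:01:09,4625,3,203.0.113.7,administrator
2018-09-16T23:01:14,4625,3,203.0.113.7,administrator
2018-09-16T23:01:20,4625,3,203.0.113.7,backup
2018-09-16T23:01:26,4625,3,203.0.113.7,administrator
2018-09-16T23:01:31,4625,3,203.0.113.7,administrator
2018-09-16T23:02:02,4624,10,203.0.113.7,administrator
2018-09-17T08:14:40,4625,10,198.51.100.20,jsmith
2018-09-17T08:15:02,4624,10,198.51.100.20,jsmith
2018-09-17T08:30:00,4625,2,-,operator
"""

FAILED, SUCCESS = 4625, 4624   # Windows failed logon / successful logon
REMOTE_TYPES = {3, 10}         # 10 = RemoteInteractive (RDP); with NLA, failures log as 3

def parse(text):
    """Yield (timestamp, event_id, logon_type, ip, account) per CSV row."""
    for line in text.strip().splitlines():
        ts, eid, ltype, ip, user = line.split(",")
        yield datetime.fromisoformat(ts), int(eid), int(ltype), ip, user

def find_bruteforce(text, threshold=5, window=timedelta(minutes=10)):
    """Map each source IP that reached `threshold` failures inside `window`
    to its peak failure count and any accounts it later logged on with."""
    failures = defaultdict(list)
    report = {}
    for ts, eid, ltype, ip, user in sorted(parse(text)):
        if ltype not in REMOTE_TYPES:
            continue                      # ignore console and service logons
        if eid == FAILED:
            # keep only failures still inside the sliding window
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold:
                entry = report.setdefault(ip, {"max_failures": 0, "compromised": []})
                entry["max_failures"] = max(entry["max_failures"], len(failures[ip]))
        elif eid == SUCCESS and ip in report:
            # success from an already flagged address: password likely guessed
            if user not in report[ip]["compromised"]:
                report[ip]["compromised"].append(user)
    return report

if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

Setting `threshold` to the value of the account lockout policy shows which sources would have been stopped by it.
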
ynotleth (posted September 28, 2018):
WELL NOTED. ~ THANKS ITMAN!!

marley.maverick (posted October 9, 2018):
Hi everyone, do you know if there is a file decryption tool? Are there updates?

Marcos, Administrators (posted October 9, 2018):
> 12 minutes ago, marley.maverick said: Hi everyone, do you know if there is a file decryption tool? There are updates?
No, decryption of Filecoder.Crysis is not possible.

Nightowl, Most Valued Members (posted October 9, 2018; edited October 9, 2018 by Rami):
Restoring the PC to an earlier state won't do any help, right?
EDIT: No, I don't think that would do any help, because Windows will restore system files to an earlier state, not the personal files. I've searched for a decryptor but there is none, unfortunately, but with time someone will make one.

DamianTodarello (posted October 11, 2018):
> On 10/9/2018 at 7:37 AM, Marcos said: No, decryption of Filecoder.Crysis is not possible.
Hi Marcos, You mean that there will NEVER be a decryptor for filecoder.crysis? Is it impossible to make a decryptor?

Daedalus (posted October 11, 2018):
> 33 minutes ago, DamianTodarello said: Hi Marcos, You mean that there will NEVER be a decryptor for filecoder.crysis? Is it impossible to make a decryptor?
This is why you should have back-ups...

Marcos, Administrators (posted October 11, 2018):
> 36 minutes ago, DamianTodarello said: You mean that there will NEVER be a decryptor for filecoder.crysis? Is it impossible to make a decryptor?
If the author of the ransomware decides to publish the master decryption key, it will be possible. However, as you understand the chances it would happen are very slim.

Nightowl, Most Valued Members (posted October 13, 2018):
> On 10/11/2018 at 10:24 PM, Marcos said: If the author of the ransomware decides to publish the master decryption key, it will be possible. However, as you understand the chances it would happen are very slim.
What about the chances of cracking the encryption key?

Marcos, Administrators (posted October 13, 2018):
> 1 hour ago, Rami said: What about the chances of cracking the encryption key?
It is not possible in the case of Crysis. I'd say one would need a very huge computing power to crack it within years.

notimportant, ESET Support (posted October 16, 2018; edited October 17, 2018 by notimportant):
Rami: Well you can read this if you are curious - reddit.com/r/theydidthemath/comments/1x50xl/time_and_energy_required_to_bruteforce_a_aes256/

Nightowl, Most Valued Members (posted October 16, 2018):
> 1 hour ago, notimportant said: Remi: Well you can read this if you are curious - reddit.com/r/theydidthemath/comments/1x50xl/time_and_energy_required_to_bruteforce_a_aes256/
That was a good read, thanks for it.

marley.maverick (posted October 17, 2018):
Could the ESET Crysis decryptor be a solution? Has anyone tried?

Marcos, Administrators (posted October 17, 2018):
> 55 minutes ago, marley.maverick said: ESET Crysis decryptor could be a solution? Has anyone tried?
No company has a decryptor for current and recent variants of Filecoder.Crysis. The one you are referring to is for very old variants which were decodable.

amirhrezaei (posted October 19, 2018; edited October 19, 2018 by amirhrezaei):
Hi. Yesterday we faced the same ransomware alert on one of our servers, and all our local and shared files were encrypted with the gamma extension. All files like Office documents, SQL databases and backups, exe files, pictures and …
I sent 1 jpg file for decryption and they sent me back the correct file and asked for 0.8 BTC for 1 PC.
Any solution???