Gamma malware help


TgrBlood

When I got to the office this morning I noticed that all files on my server have been renamed with a Gamma extension (check picture). 

I Googled it and can't find anything about it or a way to fix it. 

Anybody seen this before or know of a way to fix it. 

What a way to start a Monday. 

IMG-20180917-WA0001.jpg

  • Administrators

Please provide:
- ELC logs from the server
- a handful of encrypted files (ideally Office documents not containing sensitive data)
- payment instructions (the ransomware note dropped by ransomware)
- information about what folders contain encrypted files
- logs from the tool that I'll provide you with via a personal message momentarily.

Compress all stuff into a single archive and upload it to our ftp server as per the instructions I'm gonna send you.

9 hours ago, TgrBlood said:

When I got to the office this morning I noticed that all files on my server have been renamed with a Gamma extension (check picture). 

I Googled it and can't find anything about it or a way to fix it. 

Anybody seen this before or know of a way to fix it. 

What a way to start a Monday. 

IMG-20180917-WA0001.jpg

Have you found any solution to this????

  • Administrators
22 minutes ago, Biojumper85 said:

I also have the same problem, please help.

In the case of Filecoder.Crysis, decryption is not possible. However, you can provide me with ELC logs to review your configuration and logs and to make sure that your ESET product is configured properly.

If using RDP, we strongly recommend using it only internally. For connections from outside, use VPN or at least use 2FA to prevent attackers from getting to the machine, disabling AV and running ransomware.

I came across a web posting that indicates Kaspersky's decrypter might work against .gamma extension encrypted files:

Quote

Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .gamma files. Download it here: https://support.kaspersky.com/10556

The Kaspersky download web page indicates the decrypter works against versions 2 and 3 of Crysis. The site doesn't specifically show the .gamma extension as supported but it might be worth a try.

Edited by itman
6 hours ago, ynotleth said:

I installed the latest version of NOD32, but am still affected. Any solution?

Other than what has been posted previously in this thread, the answer is no. The .gamma extension is associated with the Dharma strain of Crysis ransomware.

For reference, you can read the following: https://www.bleepingcomputer.com/news/security/gamma-bkp-and-monro-dharma-ransomware-variants-released-in-one-week/ . Of note in this posting is the following:

Quote

As the Dharma Ransomware is typically installed via hacked Remote Desktop services, it is very important to make sure it's locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

It is also important to set up proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services.

Also bleepingcomputer.com has a dedicated section on ransomware identification and decryption mitigation methods.

Edited by itman
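The two hardening points quoted above (no RDP directly on the Internet, account lockout in place) can be checked on the host itself. The following read-only audit is an added example, not code from the thread, ESET or BleepingComputer; it runs in an elevated PowerShell, uses the standard Terminal Server registry values and Security event ID 4625, and the 50-failure threshold and the public-IP heuristic are assumptions.

```powershell
# Added example (not from the thread): read-only audit of RDP exposure and
# lockout policy on the local Windows host. Run elevated.
function Test-RdpExposure {
    $findings = [System.Collections.Generic.List[string]]::new()

    # fDenyTSConnections = 1 means Remote Desktop is switched off entirely.
    $ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($ts.fDenyTSConnections -ne 0) {
        $findings.Add('Remote Desktop is disabled; nothing to expose.')
        return $findings
    }
    $findings.Add('Remote Desktop is enabled on this host.')

    # Network Level Authentication (UserAuthentication = 1) checks credentials
    # before a session exists, so the anonymous logon screen is never shown.
    $rdp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    if ($rdp.UserAuthentication -ne 1) {
        $findings.Add('NLA is not enforced on RDP-Tcp (UserAuthentication <> 1).')
    }

    # "Behind a VPN, not on the Internet": a non-RFC1918 IPv4 address on the host
    # while the RDP port is listening is a heuristic (assumed) sign of direct exposure.
    $private = '^(10\.|127\.|169\.254\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)'
    $public  = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -notmatch $private }
    $listen  = Get-NetTCPConnection -LocalPort $rdp.PortNumber -State Listen -ErrorAction SilentlyContinue
    if ($public -and $listen) {
        $findings.Add("RDP port $($rdp.PortNumber) listens and the host has a public address: $($public.IPAddress -join ', ')")
    }

    # Lockout policy: a threshold of "Never" lets password guessing run unthrottled.
    $lockout = (net accounts | Select-String 'Lockout threshold').Line
    if ($lockout -match 'Never') {
        $findings.Add('Account lockout threshold is Never; brute forcing is unthrottled.')
    }

    # Failed-logon volume (event 4625) over the last 24 hours as a brute-force signal;
    # the 50-event threshold is an assumed starting point, tune it for the host.
    $failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue)
    if ($failed.Count -gt 50) {
        $findings.Add("$($failed.Count) failed logons (4625) in 24h; review the source addresses in the event details.")
    }
    return $findings
}

Test-RdpExposure | ForEach-Object { Write-Output $_ }
```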

  • Administrators
12 minutes ago, marley.maverick said:

Hi everyone, do you know if there is a file decryption tool? Are there any updates?

No, decryption of Filecoder.Crysis is not possible.

  • Most Valued Members

Restoring the PC to earlier state won't do any help right?

EDIT: No, I don't think that would do any help, because Windows will restore system files to an earlier state, not the personal files.

I've searched for a decryptor but there isn't one, unfortunately, but with time someone will make one.

Edited by Rami
On 10/9/2018 at 7:37 AM, Marcos said:

No, decryption of Filecoder.Crysis is not possible.

Hi Marcos,

You mean that there will NEVER be a decryptor for filecoder.crysis? Is it impossible to make a decryptor?

33 minutes ago, DamianTodarello said:

Hi Marcos,

You mean that there will NEVER be a decryptor for filecoder.crysis? Is it impossible to make a decryptor?

This is why you should have back-ups... 

  • Administrators
36 minutes ago, DamianTodarello said:

You mean that there will NEVER be a decryptor for filecoder.crysis? Is it impossible to make a decryptor?

If the author of the ransomware decides to publish the master decryption key, it will be possible. However, as you understand the chances it would happen are very slim.

  • Most Valued Members
On 10/11/2018 at 10:24 PM, Marcos said:

If the author of the ransomware decides to publish the master decryption key, it will be possible. However, as you understand the chances it would happen are very slim.

What about the chances of cracking the encryption key?

  • Administrators
1 hour ago, Rami said:

What about the chances of cracking the encryption key?

It is not possible in the case of Crysis. I'd say one would need very large computing power to crack it within years.

  • ESET Support

Rami:

Well you can read this if you are curious - reddit.com/r/theydidthemath/comments/1x50xl/time_and_energy_required_to_bruteforce_a_aes256/

Edited by notimportant
  • Most Valued Members
1 hour ago, notimportant said:

Rami:

Well you can read this if you are curious - reddit.com/r/theydidthemath/comments/1x50xl/time_and_energy_required_to_bruteforce_a_aes256/

That was a good read, thanks for it.

  • Administrators
55 minutes ago, marley.maverick said:

ESET Crysis decryptor could be a solution? Has anyone tried?


No company has a decryptor for current and recent variants of Filecoder.Crysis. The one you are referring to is for very old variants which were decodable.

Hi

Yesterday we faced the same ransomware alert on one of our servers, and all our local and shared files were encrypted with the .gamma extension.

All files, like Office documents, SQL databases and backups, exe files, pictures and …

I sent 1 jpg file for decryption and they sent me back the correct file and asked for 0.8 BTC for 1 PC.

Any solution???

01.jpg

02.jpg

Edited by amirhrezaei
This topic is now closed to further replies.