Jump to content

Recommended Posts

When I got to the office this morning I noticed that all files on my server have been renamed with a Gamma extension (check picture). 

I Googled it and can't find anything about it or a way to fix it. 

Anybody seen this before or know of a way to fix it. 

What a way to start a Monday. 

IMG-20180917-WA0001.jpg

Link to post
Share on other sites
  • Administrators

Please provide:
- ELC logs from the server
- a handful of encrypted files (ideally Office documents not containing sensitive data)
- payment instructions (the ransomware note dropped by ransomware)
- information about what folders contain encrypted files
- logs from the tool that I'll provide you with via a personal message momentarily.

Compress all stuff into a single archive and upload it to our ftp server as per the instructions I'm gonna send you.

Link to post
Share on other sites
9 hours ago, TgrBlood said:

When I got to the office this morning I noticed that all files on my server have been renamed with a Gamma extension (check picture). 

I Googled it and can't find anything about it or a way to fix it. 

Anybody seen this before or know of a way to fix it. 

What a way to start a Monday. 

IMG-20180917-WA0001.jpg

Have you found any solution to this????

Link to post
Share on other sites
  • Administrators
22 minutes ago, Biojumper85 said:

I also have the same problem help you please

In case of Filecoder.Crysis decryption is not possible. However, you can provide me with ELC logs to review your configuration and logs and to make sure that your ESET product is configured properly.

If using RDP, we strongly recommend using it only internally. For connections from outside, use VPN or at least use 2FA to prevent attackers from getting to the machine, disabling AV and running ransomware.

Link to post
Share on other sites

I came across a web posting that indicates Kaspersky's decrypter might work against .gamma extension encrypted files:

Quote

Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .gamma files. Download it here: https://support.kaspersky.com/10556

The Kaspersky download web page indicates the decrypter works against versions 2 and 3 of Crysis. The site doesn't specifically show the .gamma extension as supported but it might be worth a try.

Edited by itman
Link to post
Share on other sites
6 hours ago, ynotleth said:

 i installed the latest version of NOD32, but still affected, any solution ..

Other than what has been posted previously in this thread, the answer is no. The .gamma extension is associated with the Dharma strain of Cyrsis ransomware.

For reference, you can read the following: https://www.bleepingcomputer.com/news/security/gamma-bkp-and-monro-dharma-ransomware-variants-released-in-one-week/ . Of note in this posting is the following:

Quote

As the Dharma Ransomware is typically installed via hacked Remote Desktop services, it is very important to make sure its locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

It is also important to setup proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services.

Also bleepingcomputer.com has a dedicated section on ransomware identification and decryption mitigation methods.

Edited by itman
Link to post
Share on other sites
  • 2 weeks later...
  • Administrators
12 minutes ago, marley.maverick said:

Hi everyone, do you know if there is a file decryption tool? There are updates?

No, decryption of Filecoder.Crysis is not possible.

Link to post
Share on other sites
  • Most Valued Members

Restoring the PC to earlier state won't do any help right?

EDIT : No I don't think that would do any help , because Windows will restore system files to earlier state not the personal files.

I've searched for Decryptor  but there is no one unfortunately but with time someone will make one.

Edited by Rami
Link to post
Share on other sites
33 minutes ago, DamianTodarello said:

Hi Marcos,

You mean that there will NEVER be a decryptor for filecoder.crysis? Is it impossible to make a decryptor?

This is why you should have back-ups... 

Link to post
Share on other sites
  • Administrators
36 minutes ago, DamianTodarello said:

You mean that there will NEVER be a decryptor for filecoder.crysis? Is it impossible to make a decryptor?

If the author of the ransomware decides to publish the master decryption key, it will be possible. However, as you understand the chances it would happen are very slim.

Link to post
Share on other sites
  • Most Valued Members
On 10/11/2018 at 10:24 PM, Marcos said:

If the author of the ransomware decides to publish the master decryption key, it will be possible. However, as you understand the chances it would happen are very slim.

What about the chances of cracking the encryption key?

Link to post
Share on other sites
  • Administrators
1 hour ago, Rami said:

What about the chances of cracking the encryption key?

It is not possible in the case of Crysis. I'd say one would need a very huge computing power to crack it within years.

Link to post
Share on other sites
  • Most Valued Members
1 hour ago, notimportant said:

Remi:

Well you can read this if you are curious - reddit.com/r/theydidthemath/comments/1x50xl/time_and_energy_required_to_bruteforce_a_aes256/

That was a good read, thanks for it.

Link to post
Share on other sites
  • Administrators
55 minutes ago, marley.maverick said:

ESET Crysis decryptor could be a solution? Has anyone tried?

 

No company has a decryptor for current and recent variants of Filecoder.Crysis. The one you are referring to is for very old variants which were decodable.

Link to post
Share on other sites

Hi

Yesterday we face the same ransomware alert on one of our servers and all our local and shared files were encrypted with gamma extension

All files like office documents, sql databases and backups, exe files, pictures and … ?

I send 1 jpg file for decryption and they send me back the correct file and ask for 0.8 btc for 1 PC

Any solution???

01.jpg

02.jpg

Edited by amirhrezaei
Link to post
Share on other sites
Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...