ljs3508, posted December 27, 2019 (edited):
My computer is infected with ransomware. All files are suffixed with harma. The virus file is called shaofao.exe. The email left by the virus is whitwellpark@aol.com. All files have the extension .id-1A90EC8C.[whitwellparke@aol.com].harma added, for example: FileReading.exe.id-1A90EC8C.[whitwellparke@aol.com].harma, where the original file is FileReading.exe. How can I decrypt it? Thanks! I have uploaded the file to dropfiles. shaofao.exe is here! zip password: 1
Edited December 27, 2019 by Marcos: links removed
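The post above gives the naming scheme this variant applies to encrypted files (original name, a victim id, the attacker's contact address in brackets, and the .harma suffix). A defender doing triage usually wants an inventory built from that scheme before deciding on restoration from backup: which files were touched, how many distinct victim ids and contact addresses appear (a second id or address means more than one infection run), and which originals an offline backup can still supply. The following script is an added example written for this thread; it is not code from ESET or from any poster. The regular expression is an assumption generalised from the single filename in the post (it accepts any hex-digit victim id rather than exactly eight), and the directory listing and backup listing are constructed inline so the example runs offline; only the first filename comes from the post.

```python
import os
import re
from collections import defaultdict

# Assumed pattern, generalised from the one example in the thread:
#   <original name>.id-<hex victim id>.[<contact email>].harma
# The greedy 'original' group is safe because the tail is anchored with $.
HARMA_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]+)"
    r"\.\[(?P<email>[^\]]+)\]\.harma$"
)


def parse_encrypted_name(name):
    """Split an encrypted filename into its parts; None if it does not match."""
    m = HARMA_RE.match(name)
    return m.groupdict() if m else None


def triage(names):
    """Group encrypted names by (victim id, contact email); collect the rest.

    Returns (groups, untouched) where groups maps the (id, email) pair to the
    list of original filenames and untouched lists names that were not renamed
    (ransom notes, files the malware skipped, files created after the attack).
    """
    groups = defaultdict(list)
    untouched = []
    for n in names:
        info = parse_encrypted_name(n)
        if info is None:
            untouched.append(n)
        else:
            groups[(info["victim_id"], info["email"])].append(info["original"])
    return dict(groups), untouched


def restore_plan(names, backup_names):
    """Compare originals recovered from the encrypted names with a backup listing.

    Returns (restorable, missing): originals present in the offline backup and
    originals the backup does not hold. Since the thread confirms there is no
    decryptor for this variant, this is the realistic recovery path.
    """
    groups, _ = triage(names)
    originals = sorted(o for lst in groups.values() for o in lst)
    have = set(backup_names)
    restorable = [o for o in originals if o in have]
    missing = [o for o in originals if o not in have]
    return restorable, missing


def scan_directory(root):
    """Walk a real filesystem tree and return the bare filenames found."""
    found = []
    for _dirpath, _dirs, files in os.walk(root):
        found.extend(files)
    return found


# Constructed listing: the first entry is the filename quoted in the post,
# the others are made up to show grouping and untouched files.
SAMPLE_LISTING = [
    "FileReading.exe.id-1A90EC8C.[whitwellparke@aol.com].harma",
    "report.docx.id-1A90EC8C.[whitwellparke@aol.com].harma",
    "readme_constructed.txt",
    "notes.txt",
]

# Constructed backup listing: holds one of the two originals.
SAMPLE_BACKUP = ["FileReading.exe", "unrelated.pdf"]

if __name__ == "__main__":
    groups, untouched = triage(SAMPLE_LISTING)
    for (vid, email), originals in groups.items():
        print(f"victim id {vid}, contact {email}: {len(originals)} file(s)")
    print("untouched:", untouched)
    restorable, missing = restore_plan(SAMPLE_LISTING, SAMPLE_BACKUP)
    print("restorable from backup:", restorable)
    print("not in backup:", missing)
```

To use it on a real machine, call `scan_directory()` on the affected volume (ideally a read-only mounted copy) and feed the result to `triage()` and `restore_plan()` together with a listing of the offline backup. The inventory of untouched files is worth keeping too: a file created after the attack, or one the malware skipped, should not be overwritten by a backup copy during restoration.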
Marcos (Administrator), posted December 27, 2019:
Files were encrypted by Filecoder.Crysis. The detection was added in 2017. Typically this ransomware is run by attackers after gaining access to the system via a brute-force RDP attack. Please make sure to secure RDP. We also strongly recommend installing ESET Internet Security or ESET Smart Security Premium, which can protect you both from brute-force attacks and possible exploitation of unpatched vulnerabilities in network protocols. Note that ESET NOD32 Antivirus doesn't provide this kind of protection. In case you have a license for ESET NOD32 Antivirus, you can upgrade it for a small fee to any of the above-mentioned products.
ljs3508 (author), posted December 27, 2019:
Thank you for your reply. Can you provide decryption tools?
Marcos (Administrator), posted December 27, 2019:
I forgot to add that files encrypted by Filecoder.Crysis cannot be decrypted.
ljs3508 (author), posted December 27, 2019:
Thank you!
local, posted December 27, 2019:
3 hours ago, Marcos said: "I forgot to add that files encrypted by Filecoder.Crysis cannot be decrypted."
See here: https://www.securitynewspaper.com/2016/11/24/new-decryption-tool-crysis-ransomware/
"A new tool to recover encrypted files. ESET has created a free decryption tool for Crysis ransomware victims in order to help any person whose data or devices have been affected by the Crysis family. The tool was developed using the master decryption keys recently published. If you have been a victim of Crysis ransomware, you can find and download the ESET Crysis decryptor from our free utilities page. If you need additional information on how to use the tool, please refer to ESET Knowledgebase."
Marcos (Administrator), posted December 27, 2019:
That was for the first variants of Filecoder.Crysis that emerged in 2016. Newer variants could not be decrypted, and no such decryption tool exists for them.
itman, posted December 27, 2019:
It appears you have also posted at bleepingcomputer.com about this: https://www.bleepingcomputer.com/forums/t/710297/harma-ransomware/. They also confirmed that this and newer variants of Dharma (Crysis) ransomware cannot be decrypted.
Quote: "Unfortunately, there is no known method to decrypt files encrypted by any of the newer Dharma (CrySiS) variants, including the .harma variant, without paying the ransom and obtaining the private keys from the criminals who created the ransomware, unless they are leaked or seized & released by authorities. Without the master private RSA key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way that cannot be brute-forced."