Jump to content

Harma Ransomware!


Recommended Posts

My computer is infected with Ransomware. All files are suffixed with harma. The virus file is called shaofao.exe. The email left by the virus is whitwellpark@aol.com

all File extension added   .id-1A90EC8C.[whitwellparke@aol.com].harma  ,for example:FileReading.exe.id-1A90EC8C.[whitwellparke@aol.com].harma,Original file is FileReading.exe

How can I decrypt it.


I have uploaded the file to dropfiles.

shaofao.exe is here!

zip password:1


randsomware letter test pc .jpg

Edited by Marcos
Links removed
Link to comment
Share on other sites

  • Administrators

Files were encrypted by Filecoder.Crysis. The detection was added in 2017. Typically this ransowmare is run by attackers after gaining access to the system via a brute-force RDP attack.

Please make sure to secure RDP. We also strongly recommend installing ESET Internet Security or ESET Smart Security Premium which can protect you both from brute-force attacks and possible exploitation of unpatched vulnerabilities in network protocols.

Note that ESET NOD32 Antivirus doesn't provide this kind of protection. In case you have a license for ESET NOD32 Antivirus, you can upgrade it for a small fee to any of the above mentioned products.

Link to comment
Share on other sites

3 hours ago, Marcos said:

I forgot to add that files encrypted by Filecoder.Crysis cannot be decrypted.

see here:



"A new tool to recover encrypted files

ESET has created a free decryption tool for Crysis ransomware victims in order to help any person whose data or devices have been affected by the Crysis family. The tool was developed using the master decryption keys recently published.

If you have been a victim of Crysis ransomware, you can find and download the ESET Crysis decryptor from our free utilities page. If you need additional information on how to use the tool, please refer to ESET Knowledgebase."

Link to comment
Share on other sites

  • Administrators

That was for first variants of Filecoder.Crysis that emerged in 2016. Newer variants could not be decrypted and such decryption tool exists for them.

Link to comment
Share on other sites

Appears you have also posted at bleepingcomputer.com about this: https://www.bleepingcomputer.com/forums/t/710297/harma-ransomware/ . They also confirmed that this and newer variants of Dharma (Crysis) ransomware cannot be decrypted.


Unfortunately, there is no known method to decrypt files encrypted by any of the newer Dharma (CrySiS) variants, including the .harma variant, without paying the ransom and obtaining the private keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the master private RSA key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way that cannot be brute-forced.


Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...