PCPartPicker
Dharma Crysis Encryption (.java version)

tragiktimes101 13 months ago

So, at my work a vulnerability led to us getting malware. Specifically, it's the Dharma Crysis .java version. No ransom note, just changed file names with an email in the file name. Have been looking into this all morning, and the fixes seem to be hit and miss.

I've tried:

  • Kaspersky's Rakhni, Rannoh, Shade, and WildFire decryptors.
  • I've also tried Avast's AES NI decryptor
  • Tried 7-zip (heard someone managed to get that to work)
  • ESET Crysis Decryptor.

Anyone have any other programs or methods they suggest?

Slingshott 1 Build 1 point 13 months ago

Maybe this: https://files.avast.com/files/decryptor/avast_decryptor_crysis.exe I don’t know? I just found this after a Google search. I'm not a security specialist so I don’t know.

tragiktimes101 submitter 1 Build 1 point 13 months ago

Well, it's showing progress. We shall see.

tragiktimes101 submitter 1 Build 1 point 13 months ago

Looks like in order to finish the Avast Crysis Decryptor process, I will need to disable Microsoft Antimalware service. Problem is, that is pretty well locked down by Microsoft, and even changing the registry is proving difficult. Normally, I would restart in safe mode, but the PC is backing up data at the moment (will be for 7 hours) and won't be able to be rebooted during that time.

Ugh....

Any ideas?

Slingshott 1 Build 1 point 13 months ago

Move the file(s) to a different computer? I don’t know what ur dealing with so I can’t help u.

Slingshott 1 Build 1 point 13 months ago

And how urgent is the file decryption? Like do u need it tomorrow or next week? If you need it next week then wait for the backup to finish. Also check if your backup files might have malware.

tragiktimes101 submitter 1 Build 1 point 13 months ago

Well, the files are currently being backed up to an external hard drive for temporary storage. We run our conveyor system off of code that was on the afflicted network drive, so it's pretty urgent. I pulled the server and am working on it now off network. I am hopeful Recuva will find the deleted originals and I won't have to deal with it. You bet if I get it working that "btc@****.il" is going to get a friendly e-mail. ;)

TheShadowGuy 1 point 13 months ago

See if you can stop it through the service manager. Alternatively, if it is in Windows 10 you could use PowerShell using:

Set-MpPreference -DisableRealtimeMonitoring $true

That will stop the active monitoring and should let you finish using the decryption. Then just set the flag back to $false to re-enable.

If you are backing up the other data, you should wait for that to finish. I'd also recommend running scans with multiple scanning tools if you haven't already (not just Malwarebytes, which isn't free for commercial use anyway, but the likes of the Kaspersky Virus Removal Tool, McAfee Stinger, etc.).

Some "ransomware" doesn't actually bother encrypting files. You can test by copying a file, then changing the name of the copy back including old file extension. If the files are indeed encrypted, you would need the proper decryption tool to recover your files; if the version of ESET's and Avast's decryptors doesn't match the ransomware version you are afflicted with, it won't work.
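A way to run the "copy it and rename it back" check over a whole share instead of one file at a time, as an added example that is not from this thread or from any vendor tool: it strips the appended suffix to recover the original extension, compares the file header with the magic bytes expected for that extension, and measures header entropy (ciphertext sits near 8 bits/byte). The `.id-` naming scheme, the `$Magic` table, the function names and the sample file are assumptions.

```powershell
$Magic = @{   # first bytes of a valid file, keyed by original extension (constructed subset)
    '.pdf'  = [byte[]](0x25,0x50,0x44,0x46)    # %PDF
    '.docx' = [byte[]](0x50,0x4B,0x03,0x04)    # PK.. zip container (also .xlsx)
    '.xlsx' = [byte[]](0x50,0x4B,0x03,0x04)
    '.png'  = [byte[]](0x89,0x50,0x4E,0x47)
}

function Get-FileEntropy {
    # Shannon entropy in bits/byte: ciphertext sits near 8, most documents well below.
    param([byte[]]$Bytes)
    if ($Bytes.Length -eq 0) { return 0.0 }
    $counts = New-Object int[] 256
    foreach ($b in $Bytes) { $counts[$b]++ }
    $h = 0.0
    foreach ($c in $counts) {
        if ($c -gt 0) { $p = $c / $Bytes.Length; $h -= $p * [Math]::Log($p, 2) }
    }
    return $h
}

function Test-LooksEncrypted {
    param([string]$Path)
    $name = [IO.Path]::GetFileName($Path)
    # Assumed naming scheme: original name, then ".id-<id>.[email].java" appended.
    $originalName = ($name -split '\.id-')[0]
    $ext   = [IO.Path]::GetExtension($originalName).ToLower()
    $bytes = [IO.File]::ReadAllBytes($Path)
    $take  = [Math]::Min(4096, $bytes.Length)
    $entropy = if ($take -gt 0) { Get-FileEntropy ([byte[]]$bytes[0..($take - 1)]) } else { 0.0 }
    $magicOk = $null                                  # unknown extension -> no header check
    if ($Magic.ContainsKey($ext) -and $bytes.Length -ge $Magic[$ext].Length) {
        $sig = $Magic[$ext]
        $magicOk = [BitConverter]::ToString($sig) -eq [BitConverter]::ToString([byte[]]$bytes[0..($sig.Length - 1)])
    }
    $verdict = 'unknown extension: judge by entropy'
    if ($magicOk -eq $true -and $entropy -lt 7.5) { $verdict = 'renamed only: rename back to original' }
    elseif ($magicOk -eq $false -or $entropy -ge 7.5) { $verdict = 'likely encrypted: needs matching decryptor' }
    [pscustomobject]@{ File = $name; OriginalName = $originalName
                       HeaderEntropy = [Math]::Round($entropy, 2); MagicMatches = $magicOk; Verdict = $verdict }
}

# Constructed sample: a renamed-but-intact PDF, to show the "renamed only" path.
$sample = Join-Path $env:TEMP 'invoice.pdf.id-ABCD1234.[btc@example.invalid].java'
[IO.File]::WriteAllText($sample, "%PDF-1.4`n1 0 obj << /Type /Catalog >> endobj`n%%EOF`n")
Test-LooksEncrypted $sample | Format-List
# Real use: Get-ChildItem '\\server\share' -Recurse -File -Filter '*.java' |
#           ForEach-Object { Test-LooksEncrypted $_.FullName }
```

Run it against a copy of the affected share, not the live one; a "renamed only" verdict means the copy-and-rename trick will work, while "likely encrypted" means only a decryptor matching this exact variant can help.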

tragiktimes101 submitter 1 Build 1 point 13 months ago

It is truly encrypted. I am running Recuva right now to see if I can find any of the deleted files (as they copy, encrypt, then delete originals). If they didn't overwrite the data that much, I may get lucky and still be able to recover it.

Who woulda thought I would become my work's data recovery person overnight?

TheShadowGuy 1 point 13 months ago

Oof. If you do retrieve the data, you might consider dumping it elsewhere and re-imaging the affected computers before restoring the data to them.

Someone has to do it, I suppose. :P

insert comment about good backups here

tragiktimes101 submitter 1 Build 1 point 13 months ago

Well, it looked like it had potential, but my boss wiped the data without consulting me....

Maybe in the future (hopefully not) it will be helpful, lol.