Jump to content

Ransomware Dharma (.cezar Family)

Recommended Posts

Hello everyone,

Recently my Windows Server 2008 R2 server (with updates in day) was attacked by a Ransomware. Detail, the RDP port was opened for external access, I believe that this was used to the attack.

In addition to having damaged Windows, because it does not start any more, giving logon screen error (initialization failure of the interactive logon process ....), it encrypted my files.

The files was crypt and renamed to:

After a long searching and tips from friends, I was able to identify which Ransomware it was, through https://id-ransomware.malwarehunterteam.com.

According to the site, it is Ransomware Dharma (.cezar Family), but what I think strange is the extension of the files are finished with .bip and not .cezar.

Well, I've tried everything to decrypt the files and no success, I sent sample files to Dr. Web and they informed me that they can´t decrypt.

So I come to ask for help for you, if anyone knows how to decrypt this type of Ransomware please help me.

Best Regards

Share this post

Link to post

helpppppppp......Good morning friend, I have a problem with a .bip ransomware and I need to decipher the files by chance have you managed to recover the information?

Share this post

Link to post

I have not got anything yet.

I am trying to recover the files with these companies specialized in file recovery. But I have not had any response from them yet.

If someone finds a solution please post, if I find something I'll post it too

Good luck

Share this post

Link to post

Hi Marcio,

I don’t had success yet. 

I tried every tools and nothing. 

If you have success, please say us. 

Share this post

Link to post

I wonder if anyone could help me with some non-expensive workaround to decrypt my files from my personal computer. They were all encrypted on Hard Disk (HD). The message that appeared on the screen of the computer made by the criminals is:

a) mail: koreyrandle@aol.com
b) mail: malchy.m@aol.com

the encrypted files have the following extension:

id-F62DE22F. @ Koreyrandle @ aol.com

gamma ransomware.jpg

Share this post

Link to post
On 10/23/2018 at 7:56 PM, The Shield said:

Welcome Marcio TI Fernandes, try with this Kaspersky Tool: https://support.kaspersky.com/10556


I tried, and my files are still not supported:  See report below please: 

17:41:26.0392 0x25c0  Trojan-Ransom.Win32.Rakhni decryption tool May 18 2018 12:16:22
17:41:27.0344 0x25c0  ============================================================
17:41:27.0344 0x25c0  Current date / time: 2018/11/24 17:41:27.0344
17:41:27.0344 0x25c0  SystemInfo:
17:41:27.0344 0x25c0  
17:41:27.0344 0x25c0  OS Version: 6.2.9200 ServicePack: 0.0
17:41:27.0344 0x25c0  Product type: Workstation
17:41:27.0344 0x25c0  ComputerName: SYD-L-CY01
17:41:27.0345 0x25c0  UserName: yhchong
17:41:27.0345 0x25c0  Windows directory: C:\WINDOWS
17:41:27.0345 0x25c0  System windows directory: C:\WINDOWS
17:41:27.0345 0x25c0  Running under WOW64
17:41:27.0345 0x25c0  Processor architecture: Intel x64
17:41:27.0345 0x25c0  Number of processors: 4
17:41:27.0345 0x25c0  Page size: 0x1000
17:41:27.0345 0x25c0  Boot type: Normal boot
17:41:27.0345 0x25c0  ============================================================
17:41:31.0007 0x25c0  Initialize success
17:41:52.0248 0x3f34  Number of worker threads: 4
17:42:14.0853 0x3f34  File path: E:\My Pictures\2011 KK Trip\2011 KK Trip 001.jpg.id-6DE7A47F.[files.recovery@foxmail.com].bip
17:42:18.0585 0x3f34  File is not supported: E:\My Pictures\2011 KK Trip\2011 KK Trip 001.jpg.id-6DE7A47F.[files.recovery@foxmail.com].bip
17:42:26.0517 0x28c0  Number of worker threads: 4
17:42:45.0127 0x28c0  File path: E:\My Pictures\2011 SG trip\2011-12 SG Trip 006.jpg.id-6DE7A47F.[files.recovery@foxmail.com].bip
17:42:49.0904 0x28c0  File is not supported: E:\My Pictures\2011 SG trip\2011-12 SG Trip 006.jpg.id-6DE7A47F.[files.recovery@foxmail.com].bip


Share this post

Link to post

Welcome no2.

Take a look also at the utilities offered by Kaspersky: https://support.kaspersky.com/viruses/utility
If you are a Kaspersky user with a valid license, open a support ticket in My Kaspersky account, send a sample of an encrypted file and if you have the same unencrypted file.
More information about your encrypted files: https://id-ransomware.malwarehunterteam.com

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We use cookies to make your experience of our websites better. By using and further navigating this website you accept this. Detailed information about the use of cookies on this website is available by clicking on more information.