Dharma (.Cezar) ransomware

Jose Bredariol
My client was hit by this ransomware. How can I decrypt the files?
Adam Brown, Senior Systems Admin
Top Expert 2010
Commented:
https://id-ransomware.malwarehunterteam.com/ has a good tool to use for identifying the ransomware variant and determining what is available to break the encryption. There may not be a way to decrypt the files without paying the ransom (Avoid paying at all risks... It encourages the spread of ransomware). If the client has a good backup, restore that.
Dariusz Tyka, ICT Infrastructure Specialist Senior
Commented:
There is a decryptor tool from Rakhni. More info:
https://www.nomoreransom.org/en/decryption-tools.html
Direct download link: http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip

You need to check if it works for you.
btan, Exec Consultant
Distinguished Expert 2018
Commented:
Can try to use idransomware to confirm the type and see if there are tools available.
https://id-ransomware.malwarehunterteam.com
Upload a ransom note and/or sample encrypted file to identify the ransomware that has encrypted your data.

In the past it was named Crysis ransomware, which has a decryptor, but it is likely not going to work for this variant. A full list of decryptors:
https://www.avast.com/ransomware-decryption-tools

Backup data to be recovered is your last resort and likely approach. I strongly discourage paying the ransomware.

Author

Commented:
I've tried with Rakhni, but no result. The ransom is Dharma (.Cezar).
Any other tool?
Exec Consultant
Distinguished Expert 2018
Commented:
Afraid not. Back up those encrypted files in case someone releases a tool in future. Rebuild the system, recover from backup data and move on.

There are variants whose extension is supposedly .Cesar instead.
https://www.bleepingcomputer.com/forums/t/654592/ransomware-with-cesar-extension/
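
The advice above to keep the encrypted files in case a decryptor is released later works best with an inventory that can prove the preserved copies are unchanged. The following is an added example, not part of the original thread: it builds a SHA-256 manifest of `.cezar`/`.cesar` files and re-verifies it later. The `<original>.id-<8 hex>.[<contact>].<ext>` naming pattern and the sample file are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

EXTENSIONS = {".cezar", ".cesar"}  # the two extensions named in this thread
# Assumption: names follow <original>.id-<8 hex>.[<contact>].<ext>
NAME_RE = re.compile(r"^(?P<orig>.+)\.id-(?P<vid>[0-9A-Fa-f]{8})\.\[[^\]]+\]\.[^.]+$")


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large encrypted files are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Record path, size, hash and parsed name fields for each encrypted file."""
    root, rows = Path(root), []
    for p in sorted(root.rglob("*")):
        if not p.is_file() or p.suffix.lower() not in EXTENSIONS:
            continue
        m = NAME_RE.match(p.name)  # None if the name does not fit the pattern
        rows.append({
            "path": str(p.relative_to(root)),
            "size": p.stat().st_size,
            "sha256": sha256_file(p),
            "original_name": m["orig"] if m else "",
            "victim_id": m["vid"].upper() if m else "",
        })
    return rows


def verify_manifest(root, rows):
    """Return manifest paths that are missing or whose hash has changed."""
    return [r["path"] for r in rows
            if not (Path(root) / r["path"]).is_file()
            or sha256_file(Path(root) / r["path"]) != r["sha256"]]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed sample tree
        name = "report.docx.id-1A2B3C4D.[contact@example.invalid].cezar"
        (Path(d) / name).write_bytes(b"constructed ciphertext")
        manifest = build_manifest(d)
        print(manifest, verify_manifest(d, manifest))
```

Run it against a read-only copy or disk image rather than the live system, and store the manifest separately from the archived files.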

Author

Commented:
Thanks all.
