Thread: Dharma Ransomware help :(

  1. #1
    katongpool

    Dharma Ransomware help :(

    Hi all,

    We just found out that one of the computers at the office got infected with the ransomware, Dharma. After some initial research on Google, it was probably through the Remote Desktop Protocol that we have been using. Just wondering if anyone would have any words of advice on how to proceed? If not, some words of consolation would be nice too.

  2. #2
    Reemer
    Hopefully you have backups, but sorry there's not a lot to do now. You could have a shop perform forensics on whatever server(s) were affected. Unfortunately, that will be expensive. At my job, I think we charge $300/hour for forensics work, it might be $325 now.
    In the future, don't have RDP enabled from the internet. It's just asking for trouble. You should have users log into the VPN first and enable RDP from the VPN subnet.

    Don't try to hide RDP by putting it behind another port either, it doesn't really fix anything. Enable two factor on every logon possible. I believe ransomware has been stealing confidential data before encrypting these days, so you have that to worry about as well. To be honest with you, I would probably call a local forensics place and get a consultation. You may still be infected. Do you have a SIEM so you can search logs? You could also install sysmon with the networking option enabled. That's what we do when working a forensics case -- install sysmon first to get an in-depth look at what's running (and the hashes for processes that are running as well).

  3. The Following 6 Users Say Thank You to Reemer For This Useful Post:

    j03 (10-15-2020),katongpool (10-15-2020),Mama Bear (10-15-2020),motherfucker (10-15-2020),♥ PrettySarcastic ♥ (10-15-2020),Stardust (10-15-2020)
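Reemer's suggestion to search the logs, as an added example that is not part of the thread: this Python script replays constructed Windows Security events and flags the pattern behind an exposed-RDP compromise, a burst of failed RDP logons (Event ID 4625, LogonType 10) from one address followed by a successful one (4624) from the same address. All events, account names and IP addresses are made up; the threshold and window are assumptions to tune for a real SIEM.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events, not real logs:
# (timestamp, event_id, logon_type, account, source_ip).
# 4625 = failed logon, 4624 = successful logon; LogonType 10 is
# RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    ("2020-10-14 02:11:03", 4625, 10, "administrator", "203.0.113.45"),
    ("2020-10-14 02:11:05", 4625, 10, "admin", "203.0.113.45"),
    ("2020-10-14 02:11:08", 4625, 10, "backup", "203.0.113.45"),
    ("2020-10-14 02:11:12", 4625, 10, "jsmith", "203.0.113.45"),
    ("2020-10-14 02:12:40", 4625, 10, "jsmith", "203.0.113.45"),
    ("2020-10-14 02:12:55", 4625, 10, "jsmith", "203.0.113.45"),
    ("2020-10-14 02:13:20", 4624, 10, "jsmith", "203.0.113.45"),  # guessing paid off
    ("2020-10-14 03:05:00", 4625, 10, "administrator", "198.51.100.7"),  # noise, no success
    ("2020-10-14 09:00:12", 4624, 10, "jsmith", "10.0.0.23"),  # normal internal RDP
    ("2020-10-14 09:30:00", 4625, 10, "jsmith", "10.0.0.23"),  # a single typo
    ("2020-10-14 09:30:30", 4624, 3, "jsmith", "10.0.0.23"),  # network logon, not RDP
]


def find_rdp_bruteforce_success(events, threshold=5, window=timedelta(minutes=30)):
    """Return (source_ip, failure_count, account, success_time) for every
    source that failed at least `threshold` RDP logons within `window` and
    then logged on successfully over RDP from the same address."""
    failures = defaultdict(list)  # source_ip -> timestamps of 4625/type-10 events
    hits = []
    for ts, event_id, logon_type, account, src in sorted(events):
        if logon_type != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == 4625:
            failures[src].append(t)
        elif event_id == 4624:
            recent = [f for f in failures[src] if t - f <= window]
            if len(recent) >= threshold:
                hits.append((src, len(recent), account, ts))
    return hits


if __name__ == "__main__":
    for src, n, account, when in find_rdp_bruteforce_success(SAMPLE_EVENTS):
        print(f"{src}: {n} failed RDP logons, then success as {account} at {when}")
```

A hit from an internet address is the moment to pull Sysmon and process data for that host, since the ransomware typically follows the first successful logon.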

  4. #3
    katongpool
    Quote Originally Posted by Reemer
    Thank you so much! I'll definitely pass this on to my colleagues.

    Also wondering if anyone has any experience with just biting the bullet and paying the ransom? Thinking it might be one of the few viable ways out of this mess. :/

  5. #4
    PrettySarcastic
    Quote Originally Posted by katongpool

    Disclaimer - I do not have personal experience with this, but I'll offer some internet-sourced opinions for you in case they help and no one else offers their actual real-life "this happened to me"?

    (The overwhelming answer seems to be do not pay... There is no guarantee that paying will restore access to your PC or your files, and could just end up getting you extorted again because you've proven to be a lucrative target.)


  6. The Following 2 Users Say Thank You to PrettySarcastic For This Useful Post:

    Babaa (12-05-2020),katongpool (10-20-2020)

  7. #5
    katongpool
    Quote Originally Posted by PrettySarcastic
    Thank you, this is so helpful!

    Yeah... my boyfriend is saying that, ideally, our IT person would have maintained a backup of the server and we can just wipe the entire hard drive and restore the backup.
