Are we infected and can I salvage my data

I work for a small company and we use remote desktop to connect to the office server. 

I've connected today after the holiday break only to find that a load of files have ".id-9011AEDE.[youfiles@qq.com].adobe" tagged on to the end.

Googling it does return the above extension but the ransom virus is suggested. When I logged on there was no ransom note and I can't find any of the ransom note files.

So any idea what it may be? I haven't yet tried to install anything as I've read that it will just get encrypted.

Is there something I can do?



OK doesn't look good. I uploaded a .txt file which was basically a method to leave notes on a desktop so may be blank may not be! Here's the response. The actual encrypted file is called "Nuevo documento de texto.txt.id-9011AEDE.[youfiles@qq.com]"

Dharma (.cezar Family)

This ransomware has no known way of decrypting data at this time.

It is recommended to backup your encrypted files, and hope for a solution in the future.

Identified by

  • sample_extension: .id-<id>.[<email>].adobe
  • sample_bytes: [0x1F60 - 0x1FA0] 0x00000000020000000CFE7A410000000000000000000000002000000000000000
  • custom_rule: Original filename "Nuevo documento de texto.txt" after filemarker


Click here for more information about Dharma (.cezar Family)


Would you like to be notified if there is any development regarding this ransomware? Click here.
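
The `sample_extension` rule in the result above can be turned into a file inventory before backing up the encrypted data. This is an added example, not part of the original posts and not ID Ransomware's own code; it assumes the `<id>` field is 8 hex digits (as in the one sample shown), and the `D:\Shared` paths are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Pattern from the ID Ransomware result on this page: .id-<id>.[<email>].adobe
# Assumption: <id> is 8 hex digits, matching the single sample 9011AEDE.
MARKER = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\[\]@\s]+@[^\[\]\s]+)\]\.adobe$",
    re.IGNORECASE,
)

def parse_marker(path):
    """Return original name, id and email for a renamed file, else None."""
    m = MARKER.match(PureWindowsPath(path).name)
    return m.groupdict() if m else None

def inventory(paths):
    """Split paths into affected/untouched and count files per (id, email)."""
    affected, untouched, markers = [], [], Counter()
    for p in paths:
        info = parse_marker(p)
        if info is None:
            untouched.append(p)
            continue
        affected.append((p, info["original"]))
        markers[(info["victim_id"].upper(), info["email"].lower())] += 1
    return affected, untouched, markers

# Constructed listing: only the file name "Nuevo documento de texto.txt..."
# comes from the thread; folders and the other files are made up.
SAMPLE = [
    r"D:\Shared\Nuevo documento de texto.txt.id-9011AEDE.[youfiles@qq.com].adobe",
    r"D:\Shared\accounts\ledger.xlsx.id-9011AEDE.[youfiles@qq.com].adobe",
    r"D:\Shared\accounts\notes.txt",
    # Name as first quoted in the thread, without ".adobe": must not match.
    r"D:\Shared\Nuevo documento de texto.txt.id-9011AEDE.[youfiles@qq.com]",
]

if __name__ == "__main__":
    affected, untouched, markers = inventory(SAMPLE)
    for path, original in affected:
        print(f"encrypted: {path}  (was: {original})")
    for (vid, email), n in markers.items():
        print(f"{n} file(s) tagged id={vid} contact={email}")
    print(f"{len(untouched)} file(s) without the marker")
```

More than one `(id, email)` pair in the output would mean files were tagged in separate runs, which is worth recording alongside the backup.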


Incidentally I was looking at the recycle bin and there are about 700 files in there with no name just a wee icon under name. It has a date with a ridiculous century (2034 for example), sizes look massive but they all have the same date 6th January this year at 13:10.

Is this an indication of something?

We use remote desktop connection to access the server. I have read that there is a security issue whereby hackers can attack the passwords. Is this what has happened and they "broke through" on the above date? Or has an innocent user spread the virus, again on the above date?

If either one of them, how would we know which one?


By the way, I missed off the extension in a previous post. It should have said "Nuevo documento de texto.txt.id-9011AEDE.[youfiles@qq.com].adobe", so I don't understand why it's reported as Dharma (.cezar Family) rather than, say, Dharma (.adobe Family).

8 hours ago, AdvancedSetup said:

Hello @Ryetee

The site id-ransomware should have given you further instruction and let you know if you recover or not



I work remotely and RDP into the network and then sign on with my own user id. The sign-on I have didn't have a note of any sort. No one else has reported it either.
