Frequently Asked Questions
What is the process to recover from a Dharma/PHOBOS Ransomware infection?
This applies to Dharma/Phobos ransomware only.
Please follow the instructions below very carefully to avoid delays or unnecessary additional cost. If you require technical support with any of these steps, please reach out to us; we can provide it at an additional cost.
1. KEEP ALL COMMUNICATION THROUGH THIS TICKET BY SIMPLY REPLYING TO THIS EMAIL.
2. Please whitelist our domain name in your Junk/Spam/Clutter filters so that our emails reach you and communication is not interrupted.
3. It is highly recommended that you take a full backup of the encrypted data to an external hard disk and disconnect that disk from the system/network before our recovery begins. This is an additional precautionary measure for you.
4. Please run an anti-malware scanner such as Malwarebytes on every PC and remove all detected files; a clean-up utility such as CCleaner can be run alongside it. (Both are FREE; there is no need to purchase a licence.)
5. Ensure your systems are protected internally and externally against ransomware attacks.
NOTE: We provide a complete Ransomware Prevention & Network Security Audit to ensure your system is safe from re-infection. The cost of this service is $750.00 Australian Dollars ($523 USD approx.) per server and $120 per PC ($83 USD approx.). This should be done in addition to step 4 and before your data is decrypted.
* If you have more than 10 PCs, the cost is $70 per PC ($49 USD approx.).
WE HIGHLY RECOMMEND USING OUR PREVENTION SERVICE TO ENSURE YOUR DATA IS DECRYPTED ON A RANSOMWARE-CLEAN SYSTEM. OUR RANSOMWARE PREVENTION IS DONE AT THE SAME TIME AS THE RECOVERY TO AVOID ANY DELAY IN RETURNING YOUR FILES.
Our ransomware prevention team is separate from our ransomware recovery team, so one service does not delay the other.
For more information, please visit https://fastdatarecovery.com.au/ransomware-recovery/ransomware-prevention-protection-service/
6. This quote is for ONE ID/KEY received on this ticket (unless indicated otherwise on the quote). If you have multiple IDs, please let us know immediately.
In most recent Dharma/Phobos variant cases we have found a multi-key link, where the decryption key is spread across all the IDs on the network; this is a method the attackers use to force a full recovery of every ID. We have a simple solution: we can extract the information needed for the additional IDs without you having to pay for a full recovery of each one. The fee for this partial recovery is small compared with a full recovery.
TO AVOID ANY UNNECESSARY DELAYS WITH THE RECOVERY, PLEASE SEND US A SAMPLE OF EACH ID IMMEDIATELY.
7. PLEASE FOLLOW THE STEPS BELOW CAREFULLY (EXTREMELY IMPORTANT)
FDR CAN RECOVER DATA ON THE ORIGINAL INFECTED SERVER/PC ONLY IF YOU HAVE OPTED FOR OUR RANSOMWARE PREVENTION SERVICE, AS THE RISK OF RE-INFECTION IS VERY HIGH.
Please run the remote access tool on a clean computer if you are doing your own ransomware prevention, or on the original infected system if you have opted for our ransomware prevention service.
Sub-key Recovery Extraction Procedure / FDR Scan
We will need to run a scan tool to extract the sub-keys embedded in your files.
TIP: Dharma/Phobos ransomware uses two decryption keys. We work on the first key on multiple servers at our data centre until the decryption code is reverse engineered; the second key is captured from your encrypted files.
The scan tool can only be run once; if we need to re-run it for any reason, a further charge may apply.
ONLY the IDs you wish to have recovered may be present on the system.
IT IS EXTREMELY IMPORTANT that you check/confirm the following:
i. BACK UP THE FILES you wish to have decrypted to a USB hard disk in order to run the scan tool. (We suggest using www.smartsync.com; a free 30-day trial is available.)
You do not need to do this step if you have opted for our ransomware prevention service; however, it is always advisable to keep a copy of the original encrypted data.
Note 1: Please do not connect a hard disk holding the files to be decrypted, or map a network drive, to a new PC: this often causes file permission issues, so some files are not scanned and subsequently do not decrypt.
Note 2: Ensure the account we connect with on that computer has FULL administrator privileges and full read/write permission on the copied files.
Note 3: ALL FILES to be decrypted must be copied to the same machine.
ii. Supply Fast Data Recovery with your admin username and password as we often find creating a new username and password
Tip: Please change your password first and provide us with a temporary one, then change it again once the recovery is complete.
iii. Note: All files must have the same ID. If you have more than one ID, please notify us immediately.
iv. Ensure that your files are not in deeply nested folders: we can only recover files whose full path (folders plus file name) is up to 155 characters long. Once the recovery is completed we can provide you with a report of the deep-level paths that you may need to shorten in order to recover those files.
ONLY FILES PART OF THE INITIAL SCAN CAN BE DECRYPTED.
ANY FILES YOU WISH TO HAVE DECRYPTED AFTER THIS STEP WILL INCUR A FURTHER CHARGE.
The steps above will ensure a trouble-free recovery. If it is not possible to copy all files to a different computer due to any limitation, we can run the scan directly on your infected server (one server only) where the data resides; however, you run the risk of some files not decrypting. Copying the files to a clean computer is the only guarantee that files will decrypt without problems.
Kindly update the ticket once done and include your server admin username and password to avoid any unnecessary delays.
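Before the scan is booked, it helps to confirm points iii and iv mechanically over the copied file set rather than by eye. The following Python script is an added example written for this page; it is not FDR's scan tool and does not decrypt anything. It assumes the commonly reported Dharma/Phobos renaming scheme, in which the victim ID is embedded in the file name as `.id-XXXXXXXX` (Dharma) or `.id[XXXXXXXX-NNNN]` (Phobos) followed by the attacker's contact address in square brackets and a new extension; the page itself does not describe the file names. The 155-character path limit is taken from point iv, and the sample paths are constructed for illustration.

```python
# Added example (not FDR's scan tool): pre-check a copied file set before the
# scan is booked. It flags (a) more than one victim ID in the set, (b) paths
# longer than the 155-character limit quoted on the page, and (c) files that do
# not carry a recognisable Dharma/Phobos name and so will not be treated as
# encrypted.
#
# ASSUMPTION (not stated on the page; taken from public descriptions of the
# two families): encrypted files are renamed
#   Dharma:  name.ext.id-XXXXXXXX.[attacker@mail].ext2
#   Phobos:  name.ext.id[XXXXXXXX-NNNN].[attacker@mail].ext2
# where XXXXXXXX is 8 hex digits and NNNN is 4 decimal digits.
import os
import re
import sys
from collections import defaultdict

MAX_PATH_LEN = 155  # limit quoted on the page: full path, folders plus file name

# One pattern for both naming conventions; exactly one named group matches.
_ID_RE = re.compile(
    r"\.id(?:-(?P<dharma>[0-9A-Fa-f]{8})|\[(?P<phobos>[0-9A-Fa-f]{8}-\d{4})\])"
    r"\.\[[^\]]+\]\.[A-Za-z0-9_-]+$"
)


def extract_victim_id(path):
    """Return the victim ID embedded in an encrypted file's name, or None."""
    name = re.split(r"[\\/]", path)[-1]  # last path component, Windows or POSIX
    m = _ID_RE.search(name)
    if not m:
        return None
    return m.group("dharma") or m.group("phobos")


def check_paths(paths):
    """Group paths by victim ID and flag the problems the procedure warns about."""
    report = {"by_id": defaultdict(list), "too_long": [], "unrecognised": []}
    for p in paths:
        vid = extract_victim_id(p)
        if vid is None:
            report["unrecognised"].append(p)
            continue
        report["by_id"][vid].append(p)
        if len(p) > MAX_PATH_LEN:
            report["too_long"].append(p)
    report["by_id"] = dict(report["by_id"])
    return report


def ready_for_scan(report):
    """True when exactly one ID is present and no path exceeds the limit."""
    return len(report["by_id"]) == 1 and not report["too_long"]


def scan_directory(root):
    """Walk a copied file set on disk and run the same checks on every file."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return check_paths(paths)


def summarize(report):
    """Human-readable summary suitable for pasting into the ticket."""
    lines = ["IDs found: %d" % len(report["by_id"])]
    for vid, files in sorted(report["by_id"].items()):
        lines.append("  %s: %d file(s)" % (vid, len(files)))
    lines.append("Paths over %d chars: %d" % (MAX_PATH_LEN, len(report["too_long"])))
    lines.extend("  " + p for p in report["too_long"])
    lines.append("Unrecognised (not renamed by the ransomware): %d"
                 % len(report["unrecognised"]))
    return "\n".join(lines)


# Constructed sample paths for illustration; not taken from a real case.
_DEEP = "C:\\data\\" + "\\".join(["very_long_folder_name"] * 6)
SAMPLE_PATHS = [
    "C:\\data\\finance\\budget.xlsx.id-A1B2C3D4.[helper@example.com].dharma",
    "C:\\data\\finance\\notes.txt.id-A1B2C3D4.[helper@example.com].dharma",
    "C:\\data\\hr\\contract.pdf.id[C279F237-1096].[helper@example.com].eking",
    "C:\\data\\readme.txt",  # ransom note or untouched file: will not decrypt
    _DEEP + "\\report.docx.id-A1B2C3D4.[helper@example.com].dharma",  # over the limit
]

if __name__ == "__main__":
    rep = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else check_paths(SAMPLE_PATHS)
    print(summarize(rep))
    print("READY" if ready_for_scan(rep) else "NOT READY: fix the items above first")
```

Run it on the machine holding the copy (for example `python precheck.py D:\copied-files`, where the script name and drive are placeholders); a clean run reports one ID and no over-length paths. If more than one ID appears, that is the "multiple IDs" situation in step 6 and a sample of each should go on the ticket; any over-length path must be shortened before the scan, because files missed by the initial scan incur a further charge.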