.roger ransomware decryption

Status
Not open for further replies.

Jan Boers
New Member, thread author
Dec 17, 2020
Hello,

Is there anyone who has decrypted files infected by the .roger ransomware?
My virus scanner has blocked the ransomware, but I cannot decrypt the files.

Thanks for reply...

With kind regards,
Jan
 
Hello Jan

I am Karsten and will gladly help you with any malware-related problems.

Please familiarize yourself with the following ground rules before you start.
  • Read my instructions thoroughly, carry out each step in the given order.
  • Do not make any changes to your system, or run any tools other than those I provided. Do not delete, fix, uninstall, or install anything unless I tell you to.
  • If you are unsure about anything or if you encounter any problems, please stop and inform me about it.
  • Stick with me until I tell you that your computer is clean. Absence of symptoms does not mean that your computer is free of malware.
  • Back up important files before we start.
  • Note: On weekends I might be slow to reply
-------------------------------------------------------------------

Step 1: Ransomware Identification

The file extension .roger has been used by Dharma ransomware. There is currently no way to decrypt files encrypted by Dharma.

Please upload an encrypted file and a ransom note to id-ransomware to confirm that it is indeed Dharma ransomware. Tell me the result.
 
Hello Struppigel,

Thanks for your reply.
Yes, it is the Dharma ransomware.
Here is the result (in Dutch :rolleyes:)

1 Result

Dharma (.cezar Family)

This ransomware cannot currently be decrypted.

It is recommended that you also make a backup of your encrypted files - a solution for decrypting your files may still appear.

Identified by:
  • sample_extension: .id-<id>.[<email>].ROGER
  • sample_bytes: [0x13E0 - 0x13EB] 0x00000000020000000CFE7A41
  • custom_rule: Original filename "90msp-rksj-h.cmap" after metadata

Click here for more information about Dharma (.cezar Family)

 
This ransomware is not decryptable. The options you have right now are the following:

1) Recovery: In rare cases ransomware fails to delete shadow volume copies or fails to delete the original files properly. You can try to recover files via shadow volume copies and file recovery software. The success rate is very low, though.
2) Wait: Back up encrypted files and a ransom note and wait in case a solution comes up later. Maybe law enforcement gets its hands on the keys, or the criminals publish the keys as happened with, e.g., GandCrab. I suggest reading the news on this.
3) Pay: There is the option of paying the criminals, but we highly recommend against this step. You will just fund later attacks. You may also pay without getting your files back. These are criminals and as such not trustworthy.

Please let me know if you want assistance with recovery.
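As an added illustration of option 1 above (this is example code, not something Karsten posted or a tool from the thread): Dharma, like most ransomware, normally deletes Volume Shadow Copies before encrypting, so the first thing to check is whether any snapshot survived. The snippet below, to be run in an elevated PowerShell session on the affected machine, lists the remaining snapshots, exposes the newest one through a directory junction, and copies out everything that does not carry the .ROGER extension. The mount point, the user profile path and the destination drive are assumptions; the snapshot index to use depends on what the listing shows.

```powershell
# Added example, not from the original thread. Requires an elevated PowerShell session.
# Paths ($mount, $src, $dest) are assumptions; adjust them to the affected machine.

# 1. Enumerate surviving shadow copies. An empty result means the ransomware
#    most likely removed them (typically via "vssadmin delete shadows") and
#    option 1 will not help.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Sort-Object -Property InstallDate -Descending
if (-not $shadows) {
    Write-Host 'No shadow copies found; the ransomware probably deleted them.'
    return
}
$shadows | Format-Table ID, InstallDate, VolumeName, DeviceObject -AutoSize

# 2. Expose the newest snapshot as a directory junction. The device path
#    (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) needs a trailing backslash.
$chosen = $shadows[0]
$mount  = 'C:\shadow_recovery'                 # assumed mount point
$device = $chosen.DeviceObject + '\'
cmd /c mklink /d $mount $device | Out-Null

# 3. Copy the pre-encryption versions out to a different disk. /XF skips any
#    file that already carried the ransomware extension inside the snapshot,
#    /E keeps the directory tree, /R:0 /W:0 avoids long retry stalls.
$src  = Join-Path $mount 'Users\Jan\Documents'  # assumed profile path
$dest = 'D:\recovered'                          # assumed destination on another disk
robocopy $src $dest /E /R:0 /W:0 /XF '*.ROGER' | Out-Null

# 4. Remove only the junction; the snapshot itself is left untouched.
cmd /c rmdir $mount
```

Work from a copy rather than in place: copy recovered files to a separate disk, and do not write anything new to the encrypted volume first, since file-recovery tools for deleted originals (the other half of option 1) depend on those sectors not having been overwritten.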
 