Ransomware *.DcRat encrypted files


I am in the EXACT same boat, and my computer was attacked at almost the exact same time as yours, it seems. I noticed it as it was happening though and quickly pulled the power plug from the back of the machine. Over 70k of my files now have the .DcRAT file extension. 😕 Strangely, there was not one ransom note left anywhere on my machine... did you have one left on yours? Perhaps I interrupted the process before it was complete and that's why.

I do have some potentially positive news though! Despite what several of the apparently misinformed and unaware persons above have stated, this ransomware can in fact be decrypted. There is basically only one person in the world though (aside from the idiot who attacked our machines, of course) who can help us. He's just a nice guy with a special gift who helps people in his spare time. You need to contact him via the bleepingcomputer.com forum and/or visit the ID-Ransomware site and upload one of the encrypted files; it will identify the type of ransomware (DcRAT, which is apparently a variant of Lime ransomware, which is a variant of HiddenTear ransomware) and direct you to this Twitter thread, which basically tells you to DM/message Michael, take a number and wait patiently.

Here is the Bleeping Computer forum topic discussing this particular malware, where you can also try to contact Michael; you can see my message to him there as well: Lime-Rat (HiddenTear) Ransomware Support Topic - Page 3 - Ransomware Help & Tech Support

Another potentially (but probably not very) helpful resource, unfortunately, is this decryptor tool that Michael already made for HiddenTear ransomware and its spawned variants. I ran this for over 8 hours and it didn't work for me, so I'm not sure that it will work for you either, but give it a try!

That Dark Crystal DCRat malware thing that someone else above linked to is actually something different from what we are dealing with, though I thought the same thing myself at first. Actually, the source code and sketchy sales site for @$$hole "hackers" to buy the tools that were used to infect our computers are located here and here. I don't think there's any benefit to reaching out to any of the sketchy people at those websites, and I don't think that downloading their software is a good idea either; it would be pointless anyway because we still wouldn't have the specific encryption key that was generated when whatever terrible person took over our machines.

Hopefully this information is helpful for you. I've been waiting since Friday now for this Michael person to respond, and it seems it might be a while before he's able to help, unfortunately :-(.

Yes yes, make sure you always have a quality backup system in place, blah blah blah. ✅ Also, everyone else above should become a little more educated before they chime in and say things that aren't quite the case here. There is possibly a chance that your files can be decrypted... fingers crossed! 🤞🏻

Welcome to ElevenForum, @richaardvark.

Good information has been given by @glasskuter, @Nobody and @DigitalGoat.

BTW, from everything I have seen so far, DC Rat isn't ransomware; it's especially complicated malware. The thing is, with this type of malware, it's not going to be easy to fight off, and with the many variables out there, it's not going to be easy to find something that will work.

Bottom line for me: Don't discount anyone trying to help. No one has the final word on how to get rid of this malware. Not you, not I, not anyone!

Lastly, I find it pretty scary to actually depend on someone who is supposed to be the only one who knows how to get rid of DC Rat.

FURTHERMORE! Why hasn't he/she published the information on how to get rid of DC Rat online, as far and wide as possible!?! I know that if I could figure it out, my conscience wouldn't leave me alone until I published documentation on how to resolve the problem!

So, I look at only "one" individual being able to handle this malware with skepticism!

@J3trooper I am with the voices that say that your best chance is to seek help at bleepingcomputer.com

+ buy a new computer, work with bleepingcomputer.com from the new computer, don't connect your old computer to the Internet anymore, and keep the old computer disconnected from power (not just switched off) whenever possible. After working on the old computer the best you can, throw it away; don't even donate it. Be very careful that you don't infect your new computer; ask bleepingcomputer.com how to best handle scan results and the like.

The following suggests that you may be having issues beyond the computer (such as having your name connected to activities that you did not do) > report the incident to local law enforcement ASAP.

Some of this is like trying to convert an old East German (pre-fall of the Berlin Wall) Trabant car into a modern BMW with GPS, power steering, anti-skid brakes, fuel injection, etc., etc.

Unless you are very lucky - or have an inordinate amount of time to spare - this just can't be done (currently) by us "mere mortals". You might have some colleagues in the security services, or those who lurk in darker corners of the web, who possibly could help, but for most it's unlikely.

I think you'll just have to say to yourself "Lesson learned" and adopt the philosophy that's used in a commercial for a large British supermarket: "When it's Gone ... It's Gone".

If you want to keep the computer, it can still be used safely provided you disconnect from the Internet and run a program booted from an external USB stick to physically write 'X00' (hex zero, or random hex digits) to every physical area on the HDD -- and if you can precede that with a low-level "firmware" format, even better. The physical write must be direct disk I/O system writes as per microcode -- not under control of an OS like Windows with its own file system and I/O routines.

Once you've done that, the HDD is quite safe again.

Not going to repeat the other stuff you've probably heard "ad nauseam".

Cheers
jimbo

@jimbo45 Is your attempt to make the computer safe again not like

"trying to convert an old East German (pre-fall of the Berlin Wall) Trabant car into a modern BMW with GPS, power steering, anti-skid brakes, fuel injection, etc., etc."

@J3trooper I am with the voices that say that your best chance is to seek help at bleepingcomputer.com

+ buy a new computer, work with bleepingcomputer.com from the new computer, don't connect your old computer to the Internet anymore, and keep the old computer disconnected from power (not just switched off) whenever possible. After working on the old computer the best you can, throw it away; don't even donate it. Be very careful that you don't infect your new computer; ask bleepingcomputer.com how to best handle scan results and the like.

The following suggests that you may be having issues beyond the computer (such as having your name connected to activities that you did not do) > report the incident to local law enforcement ASAP.


No need to abandon the computer. The article you linked doesn't even mention reinstalling Windows, although it does mention that removing it may not always be enough. Overwriting the entire HDD and reinstalling Windows is probably what you need to do.

That's a computer that was (and perhaps still is) under control of an attacker, sufficiently long to encrypt files and thereby hide what else he was doing. I would never trust such a computer again; maybe you would, your choice.

I'm just wondering if the malware can affect the BIOS. Hopefully I'm not asking for trouble.

The attacker could (and perhaps still can) do anything with the computer. And the issue may extend beyond the computer into the personal, like sending scam emails under the OP's name and directing the 'results' to the attacker, which is now all hidden. Note that attackers have tool kits like Office 365 for malware (Malware 365). Anyway, I said it all in post #22.

That's a computer that was (and perhaps still is) under control of an attacker, sufficiently long to encrypt files and thereby hide what else he was doing. I would never trust such a computer again; maybe you would, your choice.

This malware is not state-level but can be purchased for 500 rubles from certain forums, as mentioned in the link hsehestedt posted earlier. Sure, annoying, but nothing you couldn't get rid of.

I'm just wondering if the malware can affect the BIOS. Hopefully I'm not asking for trouble.

I tried to search for information and could not find any mention that this could modify the BIOS. In general, BIOS / UEFI (firmware) viruses exist but are very rare.

Microsoft community - Question about bios virus

Apart from cleaning the system disks of malware, making sure removable media / backup devices are untouched, and changing passwords and logins for services used, I would also advise using the router's reset function (if possible): not just turn it off, wait 10 seconds, turn it on, but reset it to factory defaults, then change the admin password again.
I wouldn't put it past some malware to open ports and set rules for itself on any network device; maybe not resident software, but an essentially hidden direct route from an attacker to any currently/future connected device.
In theory a router with a custom admin password should prevent such changes, but for peace of mind a reset might be a good idea.

My computer has been infected with ransomware. All my files have been encrypted with the file extension *.DcRat.
I have reinstalled Windows 11 but now need to decrypt my files.
Has anyone any experience at decrypting these files?

The site below has some good information regarding malware including Dark Crystal RAT, aka DcRat. It's a good read overall.


Additionally, the article appears to claim they can remove the malware identified as DcRat.

In theory a router with a custom admin password should prevent such changes
But 95% of users never change their router password from its manufacturer default, which is readily available on the web.
