Dharma ransomware virus


Dharma is a ransomware virus that uses the installation of legitimate security software as a distraction to hide its malicious activity

Dharma ransomware virus
Dharma ransomware was discovered in 2016 and is still being updated in 2019. Its latest file extensions include .gif, .AUF, .USA, .xwx, .best and .heets.

Dharma is a crypto-virus that first struck in 2016 and has reappeared with new versions regularly in the years since. In the first quarter of 2019 alone it came back with a handful of new variants; the most prevalent ones use the extensions .bip, .adobe, .cezar, .combo, .java and .ETH. The malware still uses the AES encryption algorithm to encrypt data and then displays a ransom note named either Info.hta or FILES ENCRYPTED.txt.

Newer samples of this cryptovirus are still distributed via spam email, but the files delivered differ from campaign to campaign. Researchers have described a campaign in which the email carries a download link rather than an attachment: the link leads to a password-protected archive, and the password is printed in the email body itself, so a mail-gateway scanner cannot open the archive while the victim can.

The downloaded archive is a self-extracting file named Defender.exe. When run, it drops the Dharma payload together with an installer for an old version of ESET AV Remover, a legitimate tool. The visible AV Remover installation wizard keeps the user busy while the payload drops its files and encrypts data in the background. The two parts are independent: the ransomware runs even if the user never starts the AV Remover installation, and the AV Remover can be installed on its own without any malicious activity. The legitimate tool by itself is therefore not an indicator of compromise; an unexpected Defender.exe that unpacks it is.

Both notes ask the victim to contact the developers at the listed email address and pay for a decryption service. As long as Dharma keeps appearing with new file extensions, treat unexpected emails from unknown senders with care, since the virus still relies on spam to spread. Small businesses and larger organizations should be equally cautious: at the end of March 2019 the malware hit the system of a parking facility in Canada,[1] and it had earlier infected a Texas hospital[2] and other organizations.

Summary

Name: Dharma virus
Type: Ransomware
Danger level: High. Makes system changes and encrypts files
Release date: 2016
OS affected: Windows
Appended file extensions: .java, .cesar, .cezar, .wallet, .zzzzz, .dharma, .arrow, .write, .onion, .bip, .combo, .brrr, .gamma, .bkp, .like, .gdb, .xxxxx, .AUF, .USA, .xwx, .best, .heets, .adobe, .btc, .qwex, .eth, .air, .888, .amber, .frend, .KARLS, .aqva, .aye, .korea, .plomb, .NWA, .azero, .bk66, .stun, .monro, .funny, .vanss, .betta, .waifu, .bgtx, .tron
Ransom note: Info.hta and FILES ENCRYPTED.txt
Contact email address: varies by version; it appears in the ransom note and is embedded in the encrypted file name
Distribution: Infected email attachments and download links in spam
Data recovery: Some versions of the virus can be decrypted with the free RakhniDecryptor
Removal: To get rid of Dharma virus, use SpyHunter 5 or Combo Cleaner. If you are dealing with system errors, install Reimage Cleaner and run a full system scan; it will fix altered system components, e.g. corrupted system files and registry entries

During its first months, Dharma spread as a successor to Crysis ransomware, and researchers still group the two as the Crysis/Dharma family, which is why the ESET Crysis decryptor is relevant to the older versions. Most traits of the current builds, however, no longer match the original Crysis samples, so the two are now often treated as distinct. The ransomware caught attention back in November 2016[3] and was compared with the Locky virus.[4] Dharma (the .cezar family) and some other versions (Adobe ransomware, Combo ransomware, Java ransomware, Bip ransomware) have shown that the operators are ready for anything.

Since 2016, researchers have identified more than twenty different Dharma versions. They share most features; the main difference between them is the appended file extension. Over time, experts have updated the decryption tool that was released soon after the first appearance of the virus.[5] However, files encrypted by the latest versions cannot be decrypted with it.

Even though this crypto-malware was quiet for several months, it returned in 2019 with several new versions, including the .USA, .xwx, .best, .NWA, .ETH and .com file extensions. If you think you are infected, do not waste time: the longer the virus runs, the more files it can encrypt. Disconnect the computer from the network (not only from the Internet, since reachable network shares are also at risk) and scan it with anti-virus software. Then try the Dharma ransomware decryptor (the RakhniDecryptor tool).

Dharma Cezar ransomware
Dharma ransomware is a cryptovirus with numerous variants that have been actively infecting users without their knowledge.

When it first appeared, security experts did not know much about Dharma and believed it to be one of the new-generation viruses.[6] The developers seemed to keep it as obscure as possible and did not follow the typical patterns of other ransomware creators.

For instance, the early builds did not drop ransom notes or any other documents that would alert the victim to the infection. Also, at the time of discovery in November 2016, antivirus utilities did not detect its components, which complicated Dharma ransomware removal significantly. If you think your system has been damaged by this malware, use Reimage Cleaner to double-check it.

Virus functionality is used to infect home users and organizations worldwide

At the moment, the most widespread Dharma versions use the .eth, .bip, .cezar and .cesar file extensions. Before appending the extension, the virus encrypts each file with the AES algorithm[7] and deletes the Volume Shadow Copies, so that Windows' built-in Previous Versions feature cannot be used to roll the files back. Given that the malware has already infected medical organizations and large companies, the encrypted data can be vital and its recovery can be a matter of saved lives.

In fact, there are numerous versions in this family. Not all of them are actively spreading, but there is no evidence that any of the following variants has been retired:

  • .cesar
  • .onion
  • .dharma 
  • .wallet
  • .zzzzz
  • .arena
  • .cezar
  • .java
  • .write
  • .bip
  • .arrow
  • .combo
  • .brrr
  • .gamma
  • .bkp
  • .like
  • .gdb
  • .xxxxx
  • .AUF
  • .USA
  • .xwx
  • .best
  • .heets
  • .adobe
  • .qwex
  • .btc
  • .ETH
  • .air
  • .888
  • .amber
  • .frend
  • .KARLS
  • .aqva
  • .aye
  • .korea
  • .plomb
  • .nwa
  • .funny
  • .monro
  • .vanss
  • .azero
  • .bk66
  • .stun
  • .com
  • and other variants

Once the malware encrypts the victim's files, it drops a brief ransom note on the infected computer, such as the following. As mentioned above, the earliest Dharma builds did not do this.

ATTENTION!
At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:
[email protected]

Victims have also reported seeing this ransom note:

hallo, our dear friend!
looks like you have some troubles with your security
all your files are now encrypted
using third-party recovering software will corrupt your data
you have only one way to get them back safety – using our decryption tool
to get original decryption tool contact us with email is subject like write your ID which your can find
in name of every encrypted file, also attach to email 3 crypted files.
[email protected]
It is your interest to respond as soon as possible to ensure the restoration of your files because we won’t keep your decryption keys at our servers more than 72 hours in interest of our security
PS. only in case you don’t receive a response from the first email address within 24 hours, please use this alternative email address [email protected]

As you can see, users are asked to contact the criminals via the email address in the note and ask for the ransom amount needed to recover the affected files. Apart from the email, you will see the .dharma file extension or a similar suffix at the very end of the file name. For instance, a file named picture.jpg becomes picture.jpg[email_address].dharma or picture.jpg.id-[ID].[email_address].bip, where the id- part is the victim identifier the note asks you to quote.
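The file-name pattern just described is the fastest way to triage an affected machine: it tells you which variant you are dealing with, the victim ID the note asks for, and the contact address, without opening a single file. The following Python script is an added example (not code from the page or from any vendor) that parses a file listing against that pattern and picks out the ransom notes named on this page. It assumes the layout <original>.id-<victim ID>.[<email>].<variant>, with the ID and the dot before the bracket optional because the oldest builds omit them; the sample listing and the address decrypt@example.com are constructed placeholders.

```python
"""Triage helper for Dharma-style encrypted file names and ransom notes.

Added example, not code from the page or from any vendor. It assumes the naming
pattern <original>.id-<victim ID>.[<contact email>].<variant>, with the ID and the
dot before the bracket optional because the oldest builds omit them. All sample
file names below are constructed; decrypt@example.com is a placeholder.
"""
import os
import re
from collections import Counter

# Note names used by the variants described on this page (matched case-insensitively).
RANSOM_NOTE_NAMES = {
    "info.hta", "files encrypted.txt",
    "btc_decrypt_files.txt", "idr__btc_decrypt_files.txt",
}

ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"                        # original name, including its own extension
    r"(?:\.id-(?P<victim_id>[0-9A-Za-z-]+))?"    # optional .id-XXXXXXXX victim identifier
    r"\.?\[(?P<email>[^\]\s@]+@[^\]\s@]+)\]"      # [contact email]; the dot before it is optional
    r"\.(?P<variant>[A-Za-z0-9]+)$",             # appended variant extension (.bip, .dharma, ...)
    re.IGNORECASE,
)


def split_path(path):
    """Split on either separator so Windows paths triage correctly on any host."""
    head, _, name = path.replace("\\", "/").rpartition("/")
    return head, name


def parse_encrypted_name(name):
    """Return the parts of a Dharma-style file name, or None if the name does not match."""
    m = ENCRYPTED_NAME.match(name)
    if m is None:
        return None
    parts = m.groupdict()
    parts["original_ext"] = os.path.splitext(parts["original"])[1].lower()
    parts["variant"] = parts["variant"].lower()
    return parts


def is_ransom_note(name):
    return name.lower() in RANSOM_NOTE_NAMES


def triage(paths):
    """Summarise a listing: variants, victim IDs, contact emails, hit directories, note locations."""
    summary = {
        "encrypted": 0,
        "variants": Counter(),
        "victim_ids": set(),
        "emails": set(),
        "original_types": Counter(),
        "encrypted_dirs": Counter(),
        "ransom_notes": [],
    }
    for path in paths:
        directory, name = split_path(path)
        if is_ransom_note(name):
            summary["ransom_notes"].append(path)
            continue
        parsed = parse_encrypted_name(name)
        if parsed is None:
            continue  # untouched file, or a name that merely contains brackets
        summary["encrypted"] += 1
        summary["variants"][parsed["variant"]] += 1
        if parsed["victim_id"]:
            summary["victim_ids"].add(parsed["victim_id"].upper())
        summary["emails"].add(parsed["email"].lower())
        summary["original_types"][parsed["original_ext"]] += 1
        summary["encrypted_dirs"][directory] += 1
    return summary


def scan_tree(root):
    """Walk a live directory tree (ideally from a clean boot medium) and triage every file in it."""
    return triage(os.path.join(d, f) for d, _, files in os.walk(root) for f in files)


# Constructed listing: one victim ID, one placeholder email, two variant extensions,
# two ransom notes and two benign files that must not be counted.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\budget.xlsx.id-A1B2C3D4.[decrypt@example.com].bip",
    r"C:\Users\victim\Documents\FILES ENCRYPTED.txt",
    r"C:\Users\victim\Pictures\holiday.jpg.id-A1B2C3D4.[decrypt@example.com].bip",
    r"C:\Users\victim\Desktop\Info.hta",
    r"C:\Users\victim\Desktop\old_report.docx[decrypt@example.com].dharma",
    r"C:\Users\victim\Desktop\readme.txt",
    r"C:\Users\victim\Desktop\data.[2019].csv",
]

if __name__ == "__main__":
    s = triage(SAMPLE_LISTING)
    print(f"{s['encrypted']} encrypted files, variants {dict(s['variants'])}")
    print("victim IDs:", sorted(s["victim_ids"]), "contact:", sorted(s["emails"]))
    print("ransom notes:", s["ransom_notes"])
```

Two or more distinct victim IDs or contact addresses in one summary usually means the machine was hit more than once (a re-infection after an incomplete clean-up is common with this family), which matters when you later pick a decryptor: each run has its own key. The email is required in the pattern precisely so that ordinary bracketed names such as data.[2019].csv are not counted as encrypted.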

The email address depends on the Dharma version, so you may be told to use [email protected], [email protected], [email protected] (this variant drops a worm.exe file on the system), [email protected], [email protected], another @india.com address, [email protected], [email protected] or yet another address.

However, we strongly advise against it. You have no way of knowing what to expect from these extortionists or how contacting them will end. It is more reasonable to remove Dharma ransomware and try the free decryptor from Kaspersky. If you keep using the machine with the ransomware still running, you risk finding more encrypted data after a reboot, since the malware persists through startup entries.

Important information. Files encrypted by some Dharma versions can be restored, but not every version is covered by the decryptor's database. Try RakhniDecryptor or the ESET Crysis Decryptor to see whether yours is supported. According to one 2-Spyware visitor, he restored his data using the 7-Zip program as a Dharma decryption tool. For more information, see the data recovery methods described below the article.

Dharma ransomware
Dharma ransomware is a dangerous file-encrypting virus which has numerous versions using different file extensions after encryption.

Dharma ransomware versions actively spreading around the globe

[email protected] ransomware

[email protected] ransomware was released as an updated version of Dharma and was named after the file extension it uses. Like any other ransomware-type infection,[8] it encrypts important files on the targeted computer to extort payment. The easiest way to recognize it is to check the file extension: files encoded by this version receive the [[email protected]].dharma suffix, which consists of two parts, the contact email address and the actual extension.

The email is there to urge you to contact the crooks for the decryption tool. However, if you reach them at [email protected], there is a high risk that they will take the payment without providing the decryption key. We therefore do not recommend following the attackers' rules. Luckily, this early version is among those the Dharma decryptor can restore.

Zzzzz ransomware

Zzzzz ransomware is one of the versions that shares its extension with the infamous Locky virus. It is unclear whether the Dharma developers borrowed Locky's idea or the choice of the same extension is sheer coincidence. Either way, the two viruses are not related and are based on different code. That does not make the zzzzz files virus any less dangerous than Locky.

The virus still encrypts files and makes them inaccessible in order to make the user pay for the access key. You may use the Dharma ransomware decryptor to attempt zzzzz file recovery, but the most important step is to remove the virus from your computer first to prevent further damage.

Wallet ransomware

Wallet ransomware appends the .wallet extension to encrypted files. Victims are urged to contact the criminals at the given email address, [email protected], and these are the only specifics given upfront. The virus makes sure victims see the data recovery conditions by replacing the infected computer's desktop wallpaper with an image of the ransom note.

The extortionists also set a 72-hour limit to pay and claim that, if victims fail to pay in time, the decryption key will be destroyed and the files lost forever. There are always alternatives, and you do not have to give in to the criminals' demands: scroll down to the end of this article and check the data recovery options for the Dharma ransomware virus.

Onion file virus

.onion file virus was spotted in April 2017. It spreads via malicious email attachments: once the victim opens an infected attachment, the malware enters the system, scans it for the targeted file types and encrypts them with a strong algorithm that prevents the user from accessing the files.

The ransomware appends the .onion extension to encoded documents, PDFs, video, audio and image files, databases and other popular file types. The authors claim that buying decryption software from them is the only way to regain access to the data. Do not rely on their word: after the attack, focus on malware removal first and only then look at the data recovery possibilities.

Cezar ransomware

Cezar ransomware emerged in the middle of August 2017. It is also known as Cesar ransomware because of the slightly different extension appended to the affected data, .cezar or .cesar respectively. The virus suggests writing to [email protected] for instructions on recovering the encrypted files, so it behaves as a typical Dharma version.

The aim is to force the victim to get in touch with the cybercriminals and negotiate data recovery. They will ask for a large ransom in Bitcoin and promise a Dharma decryption key in return. Criminals cannot be trusted, so do not put much effort into trying to make them restore your files; chances are they never will.

Combo ransomware

Combo ransomware was discovered only days after other threats in the family. It stands out because it uses the same contact email as the previously known Bip variant. Encrypted files receive the [[email protected]].combo or .[[email protected]].combo extension, which embeds the email address victims are supposed to use to reach the Dharma developers.

The email also appears in the usual ransom notes Info.hta and FILES ENCRYPTED.txt. As always, contacting the criminals via [email protected] or [email protected] is not recommended, since it may lead to permanent data loss or infection with further malware.

Arena ransomware

Arena ransomware is another addition to the Dharma family. It was spotted by security researcher Michael Gillespie on August 23, 2017. The variant appends the traditional extension .id-[ID].[criminal's email address].arena and writes its ransom note into a FILES ENCRYPTED.txt file.

Dharma Arena ransomware

This version suggests contacting the criminals via the [email protected] email address and gives no hint about the price of the decryption key. Currently, the only reliable way to restore your files is a data backup. Remove Arena ransomware before plugging the backup drive into the computer; otherwise the virus will encrypt the files stored on it as well.

Java ransomware virus

.Java files virus was spread via spam with the subject line “The Request Invoice.” Security experts have reported several new versions of it, each with its own extension.

It is believed that more than three versions of the Java ransomware are spreading, so be careful online and ignore messages like the following:

Here is the Invoice you requested. Please make sure to print it, sign it and scan it to send it back to us.
Best Regards,
Tim Brooks
Sales Department

This Dharma version also inflicts significant damage on the system: it disables Windows system recovery and deletes the shadow volume copies. Since that removes most of the built-in recovery options, remove the Java virus immediately and rely on offline backups for restoration.
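Deleting shadow copies and disabling recovery, as described for this version and earlier for the family as a whole, is something a defender can see on the endpoint before the ransom note appears, because those commands go through cmd.exe and the Windows tools leave process-creation events. The following Python script is an added example (not code from the page or from any vendor) of that detection logic run over constructed process-creation records. The CSV column layout, the command patterns (the page confirms shadow-copy deletion and recovery being disabled; the exact vssadmin, bcdedit and wbadmin invocations are the usual ones and are assumed here) and every record in SAMPLE_LOG are made up for the demonstration.

```python
"""Detection logic for the recovery-inhibition commands Dharma/Crysis variants run.

Added example, not code from the page or from any vendor. It replays constructed
process-creation records (the six CSV columns are an assumption) and flags command
lines that delete Volume Shadow Copies or disable Windows recovery. Everything in
SAMPLE_LOG is invented for the demonstration.
"""
import csv
import re
from collections import defaultdict
from dataclasses import dataclass

# Generic ransomware recovery-inhibition indicators. The page confirms that Dharma
# deletes shadow copies and disables system recovery; the exact tooling is assumed.
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic_shadowcopy_delete", re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit_recovery_off", re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignore_failures", re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin_delete_catalog", re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
]

# A parent binary under a user profile is far more suspicious than a backup job
# under services.exe issuing the same command.
USER_WRITABLE_DIRS = ("\\users\\", "\\appdata\\", "\\temp\\")


@dataclass
class Alert:
    time: str
    host: str
    user: str
    rule: str
    parent_image: str
    command_line: str
    parent_in_user_dir: bool


def parse_records(log_lines):
    """Yield (time, host, user, parent_image, image, command_line), skipping the header."""
    for row in csv.reader(log_lines):
        if len(row) != 6 or row[0] == "time":
            continue
        yield tuple(row)


def detect(log_lines):
    """Run every rule over every command line and return the matching records as alerts."""
    alerts = []
    for time, host, user, parent, _image, cmdline in parse_records(log_lines):
        for rule, pattern in RULES:
            if pattern.search(cmdline):
                in_user_dir = any(d in parent.lower() for d in USER_WRITABLE_DIRS)
                alerts.append(Alert(time, host, user, rule, parent, cmdline, in_user_dir))
    return alerts


def hosts_with_recovery_inhibition(alerts, min_distinct_rules=2):
    """Hosts where several distinct techniques fired, or one fired from a user-writable parent."""
    rules_by_host = defaultdict(set)
    flagged = set()
    for a in alerts:
        rules_by_host[a.host].add(a.rule)
        if a.parent_in_user_dir:
            flagged.add(a.host)
    flagged.update(h for h, r in rules_by_host.items() if len(r) >= min_distinct_rules)
    return sorted(flagged)


# Constructed records: a payload under AppData on WS-017 wiping recovery, a backup
# server listing shadows (benign) and an admin on WS-022 pruning one old copy.
SAMPLE_LOG = r"""
time,host,user,parent_image,image,command_line
2019-03-28T10:02:11Z,WS-017,CORP\jdoe,C:\Users\jdoe\AppData\Roaming\payload.exe,C:\Windows\System32\cmd.exe,"cmd.exe /c vssadmin delete shadows /all /quiet"
2019-03-28T10:02:12Z,WS-017,CORP\jdoe,C:\Users\jdoe\AppData\Roaming\payload.exe,C:\Windows\System32\cmd.exe,"cmd.exe /c bcdedit /set {default} recoveryenabled no"
2019-03-28T10:02:13Z,WS-017,CORP\jdoe,C:\Users\jdoe\AppData\Roaming\payload.exe,C:\Windows\System32\cmd.exe,"cmd.exe /c wbadmin delete catalog -quiet"
2019-03-28T09:15:00Z,SRV-BACKUP,CORP\svc_backup,C:\Windows\System32\services.exe,C:\Windows\System32\vssadmin.exe,vssadmin list shadows
2019-03-28T09:16:00Z,WS-022,CORP\admin,C:\Windows\System32\cmd.exe,C:\Windows\System32\bcdedit.exe,bcdedit /enum
2019-03-28T11:00:00Z,WS-022,CORP\admin,C:\Windows\System32\cmd.exe,C:\Windows\System32\vssadmin.exe,vssadmin delete shadows /for=C: /oldest
"""
SAMPLE_LINES = SAMPLE_LOG.strip().splitlines()

if __name__ == "__main__":
    found = detect(SAMPLE_LINES)
    for a in found:
        print(f"{a.time} {a.host} {a.rule} parent={a.parent_image} user_dir={a.parent_in_user_dir}")
    print("hosts to isolate:", hosts_with_recovery_inhibition(found))
```

The two-level logic is deliberate: a single vssadmin delete from an administrator's console (WS-022 above) is routine housekeeping and only deserves a low-priority alert, while the same command issued by a binary under a user profile, or several different inhibition techniques on one host within seconds, is the signature of a ransomware run and should trigger isolation of that host.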

Dharma Java ransomware
Dharma Java ransomware is one of the most aggressive examples of the cryptovirus.

Write ransomware virus

.write file extension virus came out after several months of silence. There are not many changes overall, but the developers switched to a different file extension and contact email address to cover their tracks. The updated variant appends .write or [[email protected]].write to the encrypted data on the targeted system.

The ransom-demanding message urges victims to contact the criminals via the [email protected] email address. Keep in mind that the criminals will try to persuade you to pay while you have no guarantee of ever receiving a Dharma decryptor.

It is important to know that the .write file extension virus is currently undecryptable. That does not mean paying the ransom is the only way to get your files back; there are ways to recover data without obeying the crooks. See the recovery steps at the end of this article.

Arrow ransomware

.arrow file extension virus was detected at the beginning of March 2018. Analysis shows it is built on the .cezar version. The ransom amount is not stated, but the extortionists can be contacted via the [email protected], [email protected] or [email protected] emails. Accordingly, it is also referred to as the .id-[ID].[email].arrow file extension virus, and it is a clear sign that the developers of Crysis/Dharma ransomware are not going to stop.

Bip ransomware

Bip ransomware came out in the middle of March 2018. It is also known by its [[email protected]].bip file extension. To make data decryption nearly impossible, the virus deletes the shadow volume copies and then displays a ransom note on the victim's desktop. The encoded files can only be recovered from backups or, for supported versions, with Kaspersky's RakhniDecryptor tool.

Dharma Bip ransomware virus
Dharma ransomware is using AES encryption algorithm to lock target files and make them useless.

Following encryption, the .bip files virus drops two ransom notes, Info.hta and FILES ENCRYPTED.txt, in which victims are asked to email [email protected] for data recovery instructions. It is unknown how much the Dharma developers demand; it is still not worth paying them. We recommend focusing on Bip removal instead.

[email protected] virus

The .[java2018@tuta.io].arrow file extension virus emerged at the end of May 2018 and appends .[email].arrow to encrypted files. Immediately after encryption, the ransomware drops a ransom note urging victims to contact the crooks at once: the faster they write, the less they pay, according to the note.

The crooks behind this version use two contact email addresses, [email protected] and [email protected]. Discussing data recovery with the ransomware developers is not recommended and rarely ends well: they will ask for the ransom, but there is no guarantee that they will let you decrypt the files. It is better to eliminate the ransomware from the system.

Brrr ransomware

In the second week of September 2018, Brrr ransomware came to light. Files are encrypted with the .[[email protected]].brrr pattern and the same two ransom note files as most previous versions. The ransom note contains the [email protected] contact email and an offer to decrypt one file smaller than 1 MB for free. This is a manipulation technique: a test decryption only proves the attackers hold the key, not that they will hand it over after payment, so do not fall for it.

Gamma ransomware

Gamma ransomware was detected at the end of 2018 as yet another version in the Dharma/Crysis family. It follows the same pattern as the other versions: the note does not state a ransom amount and actively offers a free test decryption. Other features of the Gamma version:

  • The malware is using .id-%ID%.[[email protected]].gamma file extension;
  • Ransomware drops a ransom note in files Info.hta and FILES ENCRYPTED.txt;
  • The contact email that was given to the victim: [email protected].

Bkp ransomware

In September 2018, the Dharma operators presented yet another version, Bkp ransomware. As the name suggests, files are marked with the .bkp extension and can no longer be opened. Like the other variants, it delivers the same ransom note files, Info.hta and FILES ENCRYPTED.txt. The contact email provided to the victim is [email protected], but it may change over time. At the time of writing, about 10 victims of this particular version are known, and it remains undecryptable.

Boost ransomware

Boost ransomware came out only a month after the previous versions. It encrypts data with the AES algorithm and marks files with the pattern .[[email protected]].boost. As usual for this family, a FILES ENCRYPTED.txt file with the ransom message is dropped into every folder that contains encoded documents, photos and other files.

Waifu ransomware

Waifu ransomware is another Dharma version, discovered in October 2018. It encodes the user's files and marks them with a suffix ending in .waifu, which also embeds the contact email [email protected].

The Dharma developers release new versions constantly but change little between them, which is why this variant is not very different from those discovered before it.

BTC ransomware

BTC ransomware came out in October 2018 with a few more distinctive features. It drops ransom notes named BTC_DECRYPT_FILES.txt or IDR__BTC_DECRYPT_FILES.txt, which are shown on the victim's screen as soon as the file-locking procedure finishes.

The note offers a Dharma decryptor for 0.5 to 1.5 BTC. Since experts have analyzed several samples of this variant, several contact emails have been observed: [email protected], [email protected], [email protected] and [email protected].

FUNNY ransomware

FUNNY ransomware came out at the end of October 2018 as well. This time only a program window, titled with the contact email, appears on the screen after encryption. It contains instructions on how to buy Bitcoin and pay the demanded ransom.

When you write to WildMouse@cock. or [email protected] asking to decrypt files, the ransom amount is revealed. It probably differs from victim to victim, based on the number of files or how valuable the data the ransomware reached appears to be.

Xxxxx virus

2018 was a busy year for the Dharma developers, and Xxxxx ransomware was only one of many versions released that year; it was the last one discovered in October 2018. Little new was revealed with this version, since it is largely unchanged and resembles the other 20+ variants.

Only features that make it different from previous Dharma versions:

Audit ransomware

Audit files virus appeared in November 2018, infecting several victims out of nowhere. The crooks give victims 24 hours to reach them via the contact email [email protected]. This information, together with the victim's ID and places where cryptocurrency can be bought, is delivered in a program window titled with that contact email.

Tron ransomware

Tron ransomware is a newer version of the Dharma family that appeared at the end of 2018. One distinct feature is a specific ransom amount of 0.05 BTC, revealed in the analyzed sample, although the amount may still differ from victim to victim. Avoid contacting these criminals, ignore the message with the emails [email protected] and [email protected], and proceed with virus removal.

Adobe ransomware

Adobe ransomware is a version that came out in November and December 2018. The developers launched several different attacks that cost victims their files. The affected data is marked with the .adobe extension, which is also used by the unrelated Djvu ransomware, so the ransom note and the file-name pattern, not the extension alone, identify the family.

Possible contact emails used by this particular Dharma version:

Santa ransomware virus

Santa ransomware was released in December 2018. As usual for this family, not much changed. The ransom note, a text file named FILES ENCRYPTED.txt, gives the developers' contact email [email protected], and the full file marker includes the same address: when documents or photos are encoded, .id-XXXXXXXX.[[email protected]].santa is appended to the original name.

Wallet ransomware (2019 version)

A new Wallet ransomware build was the first variant spotted in 2019. It uses a combination of the AES and RSA algorithms to encrypt data and marks files with either the .wallet or the .wallet.lock suffix. The ransom note is typical of Dharma and states a ransom of $500 to $1500 worth of cryptocurrency.

Heets ransomware

Heets ransomware showed up in January 2019. When the attack starts and files get locked, their names receive the .id-[[email protected]].heets marker. This tells the victim that they are in trouble and need to buy the Dharma decryptor; always consider whether spending almost $1000 on the affected data is worth it when payment guarantees nothing.

The full set of instructions is shown in an HTML window that opens on the desktop; it lists the steps and the emails [email protected] and [email protected] to be used for contacting the developers.

Qwex ransomware

Qwex ransomware was reported by Jakub Kroustek. Besides the FILES ENCRYPTED.txt ransom note and its executable, the malware places various other files on the system. It can change startup entries and add a program that disables the security features of the PC. Avoid any interaction with [email protected] and [email protected].

ETH ransomware

ETH ransomware has been affecting systems since the beginning of 2019. Our site has encountered a few users victimized by this variant, which appends .ID-[random].[[email protected]].eth to encrypted files, leaving their contents scrambled and unusable. The ransom note is unchanged and is still called FILES ENCRYPTED.txt.

Unfortunately, ETH ransomware, like numerous Dharma versions, is not decryptable. Still, do not follow the tips in the ransom note or use the [email protected] address to contact the developers. Avoid the people behind the malware and remove all related programs with an anti-malware program, since most of them detect this virus.

Dharma ransomware recently active in Spring 2019
Many versions in this family came out in March 2019.

888 ransomware

888 ransomware is one of numerous Dharma variants; it uses the name of the US president in the contact email given to victims and in the marker of encrypted files. If you find .[[email protected]].888 appended to your files, they have been encrypted and you will not be able to use them.

This version also states a specific ransom: $500 to $1500 in Bitcoin for file recovery. Do not fall for their promises; the people you are dealing with are criminals.

Frend ransomware

Frend ransomware appeared in February 2019. It encrypts the victim's files with the AES or DES ciphers and appends the .frend extension, which changes the file names completely. The virus also saves a FILES ENCRYPTED.txt text file on the desktop telling victims to contact the hackers via the [email protected] or [email protected] email addresses. Ignore this request and use third-party tools to recover the encrypted files.

KARLS ransomware

KARLS ransomware was released a few days after the previous versions, at the beginning of 2019. It uses the AES-256 algorithm to lock files so that it can extort money. Data marked with the .id-[random].[[email protected]].KARLS marker may be recoverable with the official Dharma decryption tool, but the device must be free of the virus before you start.

AYE ransomware virus

AYE ransomware came out in February 2019 as one of the numerous variants of the Crysis/Dharma family. It behaves identically and drops a ransom message called FILES ENCRYPTED.txt right after encrypting files. The message reveals only the contact email and confirms that the system has been encrypted. Because this malware can disable some functions of the machine, reboot into Safe Mode before scanning it with an antivirus program; then start file recovery.

NWA ransomware

March 2019 was no exception for Dharma activity. Slightly fewer variants appeared than in previous months, but the cybercriminals remained active. NWA ransomware uses a lengthy file marker ([filename].[original extension].id-[user ID].[[email protected]].NWA) that makes it obvious which files were encoded. The email address for discussing recovery is [email protected].

The ransomware can also alter other files on the system and change the list of programs that run at startup. It can add an executable named explorer.exe, borrowing the name of the legitimate Windows shell, together with additional processes, and disables security programs to make removal more difficult. The genuine explorer.exe lives in C:\Windows; a process of that name running from any other directory should be treated as suspect.

Korea ransomware

Korea ransomware uses the typical symmetric AES algorithm to make users' data unusable, all for the purpose of crypto-extortion, since users want their files back.

Like most other versions, it appends a marker to the affected files in the pattern .[[email protected]].korea. Discovered at almost the same time as other variants of the family, this threat automatically opens an HTML window with payment instructions, including places to buy Bitcoin, the preferred cryptocurrency of ransomware operators.

Stun ransomware

Stun ransomware showed up just after April Fools’ Day 2019. This Dharma version was discovered out of nowhere and was analyzed thanks to samples provided by affected users. Investigations revealed that this particular ransomware wipes some files and installs programs into various folders of the system.

Ransomware developers have also made additional changes that become clear when you compare two different viruses hailing from the same family. Files, typically marked with the .id.[[email protected]].stun extension, are not the only things affected by this cryptovirus. For this reason, you need to get a reputable anti-malware program and scan the system fully.
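To make the file-marker patterns described for the NWA, Korea and Stun variants above concrete, here is an added Python example (not code from the original article or from any of the products it names) that parses Dharma-style filenames and flags the ransom notes in a directory listing. The sample filenames, victim id and contact emails are constructed placeholders, and treating the `id-` segment as optional is my assumption based on the patterns quoted above.

```python
import re
from collections import Counter

# Dharma-style name: <original name>.id-<victim id>.[<contact email>].<variant ext>
# Assumed: the "id-" segment is optional, since the .korea pattern above omits it.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.id-(?P<victim_id>[A-Za-z0-9]+))?"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<variant>[A-Za-z0-9]+)$"
)
# Ransom note names this family drops (named in the write-up above).
RANSOM_NOTES = {"files encrypted.txt", "info.hta"}

def parse_dharma_name(name):
    """Split a Dharma-marked filename into its parts, or return None."""
    match = DHARMA_NAME.match(name)
    return match.groupdict() if match else None

def triage(filenames):
    """Separate a directory listing into encrypted files and ransom notes."""
    encrypted, notes = [], []
    for name in filenames:
        if name.lower() in RANSOM_NOTES:
            notes.append(name)
            continue
        parsed = parse_dharma_name(name)
        if parsed:
            encrypted.append(parsed)
    return encrypted, notes

def summarize(encrypted):
    """Count hits per variant extension and collect the contact emails seen."""
    variants = Counter(e["variant"].lower() for e in encrypted)
    emails = sorted({e["email"].lower() for e in encrypted})
    return {"variants": dict(variants), "emails": emails}

# Constructed sample listing: placeholder ids and emails, not real indicators.
SAMPLE_LISTING = [
    "report.docx.id-1A2B3C4D.[help@example.test].NWA",
    "photo.jpg.[restore@example.test].korea",
    "ledger.xlsx.id-1A2B3C4D.[help@example.test].stun",
    "FILES ENCRYPTED.txt",
    "Info.hta",
    "notes.txt",
]

if __name__ == "__main__":
    files, found_notes = triage(SAMPLE_LISTING)
    print(summarize(files), found_notes)
```

Pointing `triage` at a real listing (for example `os.listdir` output) gives a quick inventory of which variant hit a share and which contact address the note will reference, before any cleanup starts.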

Suspicious email attachments – the main way to distribute ransomware executable

Just like many other ransomware-type viruses, this one takes advantage of naive computer users and employs phishing[10] techniques to infect the targeted systems. One of the most popular ways is malspam campaigns, which trick gullible people into opening malicious attachments carrying the Dharma ransomware payload. Despite the available information about precautionary measures that help inexperienced computer users protect their systems, many people continue to fall for the same tricks of the attackers.

Dharma cryptovirus
Dharma cryptovirus has mostly been spreading around with the help of spam.

LesVirus.fr[11] team has prepared tips to avoid ransomware infiltration. We kindly ask you to do the following if you want to protect your computer:

  • If you receive an email from an unknown sender, company or institution, investigate it carefully.
  • Think about whether you expected such an email in the first place; if you have no idea why it has reached your inbox, you might be targeted by extortionists.
  • In such a case, stay away from any attachments added to the email and delete it immediately. Otherwise, Dharma can sneak in its malicious payload with a fake plane ticket, speeding ticket or any other document that looks convincing enough to be taken at face value.

Particular AV tool installation hides malicious payload dropping and encrypting processes

The more recent campaigns in 2019 revealed more information about this particular Dharma ransomware distribution method. It still involves spam emails and attached files, but it revolves around the installation of a specific AV tool. During this process, the cryptovirus can hide its encryption and infiltration activities.

The email that delivers such a file claims that malware needs to be removed or that the machine is at risk, and that the system could get damaged if you don’t download the program provided in the notification. Of course, the sender poses as Microsoft and claims to be a legitimate support team member.

When the DOWNLOAD button is clicked, the password provided in the email is required. Once all those steps are done, the program gets loaded onto the system via the executable files Defender_nt32_enu.exe or Defender.exe. An old version of ESET AV Remover gets loaded, and during the installation process, which needs the user’s involvement, Dharma distracts the victim from its ransomware activities.

The installation of this security tool and Dharma’s encryption do not depend on each other: the encryption still happens even when the installation is not executed. The security software installation is included to trick people into thinking that nothing malicious is happening when the system slows down during the download.

Dharma ransomware distribution involves AV tool
AV tool installation hides the malicious encryption process of the Dharma cryptovirus.

Removal instructions for Dharma ransomware

It is evident that ransomware-type threats are highly dangerous and tricky. Therefore, people can either get help from an IT specialist or employ professional Dharma removal software. Note that such cyber infections have numerous components and are able to hide them or disguise them as legitimate system processes.

That is why you cannot remove Dharma ransomware directly and need to complete a few extra steps before you run the system scan. We have presented these steps below. Feel free to use them, and don’t forget to scan your system automatically afterward! We suggest using one of these tools: SpyHunter 5, Combo Cleaner or Malwarebytes. Reimage Cleaner is useful if any virus damage has been done.

Bonus: video clip for help on the Dharma virus elimination process

Since Dharma ransomware has been a widely distributed cyber threat, we decided to create more detailed removal instructions for this threat with graphical elements. Our goal is to help users clean, optimize, and refresh their computer systems after the covert infiltration of dangerous malware. If you are also a victim of this notorious file-encrypting cyber threat, take a look at the video clip provided below for a clearer view of the malware elimination process:

This entry was posted on 2020-02-18 at 08:23 and is filed under Ransomware, Viruses.