Harma ransomware

Harma ransomware swaps Dharma family for Ouroborus

Harma ransomware

Harma ransomware

Harma is a crypto-malware that has been attacking victims for more than a year. It’s a member of the infamous Dharma family member known for locking victims’ files with AES, DES, and RSA encryption models and appending .harma suffix to each corrupted file. The file extension .harma should be preceded by a random code consisting of 6 digits and an email address, e.g. [[email protected]]. However, recently cybersecurity experts disclosed Harma ransomware reborn as a family member of an actively evolving Ouroborus ransomware gang.

Just like its ancestor, Harma Ouroborus ransomware runs a combination of encryption algorithm to lock files and appends .harma file extension as a trademark. Upon successful lockdown of personal data, the virus runs a scheduled task that creates the ReadMe.txt file on the desktop and exhibits a lock screen, which acquaints the victim with the situation.

[+] All Your Files Have Been Encrypted [+]

 [-] Do You Really Want To Restore Your Files?
 [+] Write Us To The E-Mail : [email protected]
 [+] If you did not get any response until 24 hours later,Write to this E-Mail : [email protected] 
 [-] Write Your Unique-ID In The Title Of Your Message.
 [+] Unique-ID : E49AD5DE
 [+] Personal Key:
 [+] Please send this to our email
 [+] Your Personal KEY: xxxxxxx

Harma virus developers seek Bitcoin[1] within 24 hours in exchange for the decryption key. The ransom note urges victims to email [email protected] or [email protected] for further instructions. As usually, crooks recommend victims to send 1MB file for decryption test. This way, criminals try to arouse the victim’s “trust” and push them into ransomware payment.

Unfortunately, neither Harma Ouroborus nor Harma Dharma can be decrypted. There is no .dharma decryptor yet, which is why criminals should already feel financially secure. However, it is not advisable to trust criminals and give away your hard-earned money, so reckon well pay the ransom or not. It’s best to remove Harma ransomware and try alternative data recovery tools.

Harma Ouroborus virus
Harma ransomware stems from two families, i.e. Dharma and Ouroborus

Harma Ouroborus virus
Harma ransomware stems from two families, i.e. Dharma and Ouroborus

The primary Harma (Dharma) ransomware focuses on locking all personal files as well. It targets host machine and then demands ransom payment for the decryption tool. The encryption procedure is typically performed with the help of AES, DES or RSA ciphers[2].

As soon as data is locked, victims can soon notice the [[email protected]].harma extension appended to each of the photo, music, video, database, document, and other files. Nevertheless, malware skips system and executables, as destroying the system is not hackers’ goal but rather to extort money (at least not in this case, although wiper-type[3] ransomware does exist).

After locking all personal files, Harma virus launches a ransom note – a pop-up window that displays the message from hackers. Additionally, a text file RETURN FILES.txt is also dropped, which is essentially a short version of the note. Threat actors explain that victims have to contact them via [email protected] or [email protected] email addresses and pay a ransom using Bitcoin cryptocurrency. Additionally, crooks also threaten to delete the key after seven days if no contact is established.

Name Harma
Type Ransomware
Family Dharma or Ouroborus
File extension [[email protected]].harma, .harma
Ransom note RETURN FILES.txt, ReadMe.txt
Contact [email protected], [email protected][email protected] or [email protected]
Distribution  Spam emails, web injects, fake updates, cracks, pirated software, exploits, etc.
Decryption  Only available via backups or third-party tools. No official decryptor has been created. 
Virus removal Use anti-malware software such as SpyHunter 5Combo Cleaner
Recovery To restore damaged Windows system files and registry, use Reimage Reimage Cleaner Intego

While there is no decryption tool currently available that would be able to decipher encrypted files, victims should not risk losing their money and avoid contacting criminals. After Harma ransomware removal victims can try using alternative recovery methods that involve third-party software or System Restore feature.

There are multiple ways of how Harma ransomware could have infected your computer. For example, many variants of Dharma were spread with the fake Adobe, Microsoft, and other legitimately-looking updates. However, just like any other type of malware, Harma virus can also be spread with the help of exploits, cracked software, hacked sites, spam emails, etc.

Once inside the system, Harma ransomware deletes Shadow Volume snapshots with the help of specific command launched by the virus. Additionally, it also modifies Windows registry to gain persistence and run the malicious tasks at all times.

After file encryption, Harma ransomware drops the following ransom note:



You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.

Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

As we already mentioned, do not contact cybercriminals, as they might fail to send you the decryptor. Be aware that they locked your data by using malware – and distributing it is a criminal offense (trusting hackers is the same as trusting thieves in real life). Thus, remove Harma ransomware with anti-malware software and try alternative solutions that might help you to recover your data.

Additionally, to recover from virus damage that was done upon the infection, experts[4] recommend scanning the computer with Reimage Reimage Cleaner Intego – it can restore Windows registry and other damaged system files.

Harma ransomware virus
Harma ransomware is a type of computer virus that focuses on money extortion by locking all user files on the device

Harma ransomware virus
Harma ransomware is a type of computer virus that focuses on money extortion by locking all user files on the device

Avoid ransomware-type infections by being careful online

It is not a secret that hackers aim to exploit less careful users – and they are doing it successfully for decades now. While some malware distribution methods require no user interaction whatsoever, most infections occur with the help of social engineering. Additionally, unsafe places on the internet, such as Dark Web or sites offering software cracks are the first stops to get infected with ransomware or other threats.

Therefore, to reduce the chance of infection, make sure you follow these tips:

  • Employ robust security software
  • Enable firewall
  • Update your system regularly
  • Enable automatic update feature for all the installed programs on your PC
  • Protect your Remote Desktop connection by using a strong password
  • Avoid websites that offer cracks and keygens, along with pirated software
  • Use ad-blocker
  • Beware that spam email attachments or hyperlinks might be malicious
  • When establishing new software, pick Advanced settings in order to avoid optional applications.

Better do not try to remove Harma ransomware manually

While it is possible to remove Harma ransomware and all its components manually, it is not recommended. Ransomware is a sophisticated threat that affects different parts of the Windows operating system, and regular users will simply not know where to look to delete the malware completely.

Therefore, rather opt for automatic Harma ransomware removal. For that, you should employ an anti-malware solution that would be able to detect this particular version of Dharma. As evident, not all security applications are capable of doing so, so a scan with alternative anti-malware programs might be needed to terminate the threat altogether.

Once you delete Harma virus, you can connect your backups and restore all your files. If you didn’t have any backups prepared, use the guide below for alternative recovery methods that might be able to help you, (although chances are relatively low).

Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.

This entry was posted on 2020-04-07 at 12:57 and is filed under Ransomware, Viruses.