

New Dharma v2 Ransomware – Remove and Restore [lavandos@dr.com] Files

A ransomware virus carrying the name Dharma, a Sanskrit word meaning righteousness, has been released in a new variant. The second version is reported to be even more dangerous than the first: it encrypts files in a way that leaves them unopenable and appends [lavandos@dr.com] to their names. The v2 Dharma is also reported to target PE (Portable Executable) files more heavily. Since the new Dharma gives a deadline of 72 hours, users are advised not to pay the ransom in Bitcoin demanded by the crooks behind lavandos@dr.com. Instead, we recommend reading this article to get familiar with the second version of Dharma ransomware and learn alternative ways to remove the virus files and restore your data.

Threat Summary

Name: Dharma
Type: Ransomware
Short Description: Dharma encrypts user files and leaves contact e-mail addresses through which victims are told to contact the criminals behind it and pay the ransom fee.
Symptoms: Appends [lavandos@dr.com] to the names of encrypted files. Changes the wallpaper to one with ransom instructions that list the backup ransom e-mail, lavandos@india.com.
Distribution Method: Via an exploit kit, a malicious DLL, malicious JavaScript, or a drive-by download of the obfuscated malware itself.
Detection Tool: See if your system has been affected by Dharma (download the malware removal tool).
User Experience: Join our forum to discuss Dharma.
Data Recovery Tool: Data Recovery Pro by ParetoLogic. Notice: this product scans your drive sectors to recover lost files; it may recover only some of the encrypted files, not all of them, depending on the situation and on whether you have reformatted the drive.

Dharma Ransomware – How Did I Get Infected

This particular ransomware is cunning in its methods of spreading, primarily because the infection malware is heavily obfuscated. Evidence of this is that, at the time of the first detections, VirusTotal reported only 7 of 56 antivirus engines detecting it:

[Image: VirusTotal results for the new Dharma ransomware infection files]

This means that the cyber-criminals have most likely used a combination of tools to conceal Dharma's malicious file as it enters the computer: file joiners that bundle it with a benign file, distribution malware such as a Trojan.Dropper, or an exploit kit. Bear in mind that a malicious JavaScript loader may also be used in a Dharma attack.

The most conventional methods of distributing such malicious files or scripts are malicious web links and malicious files. The files behind Dharma may therefore be slipped onto your computer through any channel that carries those two objects: fake phishing e-mails with a malicious attachment or URL are the most common route, while less conventional ones include torrents, social media and even chat services.

More about Dharma Ransomware

The Dharma virus is very particular about what it does after infection. First, it may shut down any security software or Windows defenses that could stop the encryption from happening; this may include injecting code into legitimate Windows processes such as svchost.exe, or abusing system components such as sysdm.cpl. Then the new Dharma may delete backups on the compromised computer, such as Volume Shadow Copies and File History backups, where those are enabled.
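The pre-encryption behaviour described above (killing security tooling, wiping shadow copies and recovery settings) leaves traces in process-creation telemetry, which is where a defender can catch it before the encryption loop finishes. The following Python script is an added example written for this article, not code from the Dharma sample or from SensorsTechForum. It runs a small set of rules over constructed records shaped like Windows Security 4688 / Sysmon Event ID 1 fields, and escalates when several distinct rule categories fire under the same parent process within a short window, since a lone `vssadmin delete shadows` may be an administrator but a burst of backup destruction plus AV killing rarely is. The sample events, the rule patterns and the security-product process names matched (for example MsMpEng.exe, the Windows Defender engine) are assumptions chosen for illustration.

```python
"""Spot ransomware pre-encryption activity in process-creation telemetry.

Added example for this article; the records below are constructed to look
like Windows Security 4688 / Sysmon Event ID 1 fields and are not real logs.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: (timestamp, parent image, image, command line).
SAMPLE_EVENTS = [
    ("2016-11-23T10:01:02", "explorer.exe", "winword.exe",
     'winword.exe "C:\\Users\\bob\\invoice.docx"'),
    ("2016-11-23T10:01:09", "winword.exe", "cmd.exe",
     "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ("2016-11-23T10:01:10", "cmd.exe", "wmic.exe", "wmic shadowcopy delete"),
    ("2016-11-23T10:01:11", "cmd.exe", "taskkill.exe", "taskkill /f /im MsMpEng.exe"),
    ("2016-11-23T10:01:12", "cmd.exe", "bcdedit.exe",
     "bcdedit /set {default} recoveryenabled no"),
    ("2016-11-23T10:05:00", "services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
    ("2016-11-23T10:06:00", "explorer.exe", "vssadmin.exe", "vssadmin list shadows"),
]

# Rule categories. The security-product process/service names are an
# assumption (MsMpEng.exe is the Windows Defender engine); extend for your estate.
RULES = {
    "shadow_copy_destruction": [
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|backup)", re.I),
    ],
    "recovery_disabled": [
        re.compile(r"\bbcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
        re.compile(r"\bbcdedit(\.exe)?.*bootstatuspolicy\s+ignoreallfailures", re.I),
    ],
    "security_tool_kill": [
        re.compile(r"\btaskkill(\.exe)?.*/(im|pid)\s+\S*(msmpeng|nissrv|avp|mcshield)", re.I),
        re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+\S*(windefend|wscsvc|sense)", re.I),
    ],
}


@dataclass
class Alert:
    timestamp: str
    rule: str
    parent: str
    image: str
    command_line: str


def scan_events(events):
    """Return one Alert per event whose command line matches any rule."""
    alerts = []
    for ts, parent, image, cmd in events:
        for rule, patterns in RULES.items():
            if any(p.search(cmd) for p in patterns):
                alerts.append(Alert(ts, rule, parent, image, cmd))
                break  # one category per event is enough
    return alerts


def correlate(alerts, window_seconds=60):
    """Escalate a parent process when two or more distinct rule categories
    fire beneath it within window_seconds of the first alert."""
    by_parent = {}
    for a in alerts:
        by_parent.setdefault(a.parent, []).append(a)
    escalated = []
    for parent, items in by_parent.items():
        items.sort(key=lambda a: a.timestamp)
        t0 = datetime.fromisoformat(items[0].timestamp)
        fired = {a.rule for a in items
                 if (datetime.fromisoformat(a.timestamp) - t0).total_seconds() <= window_seconds}
        if len(fired) >= 2:
            escalated.append((parent, sorted(fired)))
    return escalated


if __name__ == "__main__":
    found = scan_events(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.timestamp} [{a.rule}] {a.parent} -> {a.image}: {a.command_line}")
    for parent, rules in correlate(found):
        print(f"ESCALATE: {parent} spawned {', '.join(rules)} within 60s")
```

Run against the sample, the benign `vssadmin list shadows` and the svchost service start produce no alert, while the cmd.exe chain trips three categories within three seconds and is escalated; the same logic applies unchanged to real 4688 or Sysmon exports once the four fields are extracted.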

Dharma ransomware may also have other defensive features, such as shutting down or deleting itself if it detects that it is running in a virtual environment (a sandbox or analysis VM).

To encrypt user files, Dharma looks for the file types users open most often: documents, databases, pictures, videos, music and similar. It then encrypts them with RSA, AES, a combination of the two, or possibly other weaker ciphers, so that they can no longer be opened, and appends its distinctive e-mail address to each encrypted file's name:

[Image: Dharma v2 ransom note]

[Image: file encrypted by Dharma v2, with the [lavandos@dr.com] extension appended]

After the encryption is complete, the virus changes the desktop wallpaper of the infected computer to a ransom note telling the user to contact the cyber-criminals' e-mail address for further instructions or negotiation. The note on the wallpaper reads as follows, addressing the victim as a friend:

→ “//hallo, our dear friend!
//looks like you have some troubles with your security.
//all your files are now encrypted.
//using third-party recovering software will corrupt your data.
//you have only one way to get them back safely – using our decryption tool.
//to get original decryption tool contact us with email. In subject like write your ID, which you can find in name of every crypted file, also attach to email 3 crypted files.
lavandos@dr.com
//it is in your interest to respond as soon as pissible [sic] to ensure the restoration of your files, because we won’t keep your decryption keys at our servers more than 72 hours in interest of our security.
//P.S. only in case you don’t receive a response from the first email address within 24 hours, please use this alternative email address.
lavandos@india.com”

Even though the ransom note on the wallpaper set by Dharma is “motivating”, experts advise users not to give in to fear and not to negotiate with the crooks. Instead, remove Dharma and focus on restoring your files using alternative methods.

Remove Dharma Ransomware and Restore Enciphered Files

To delete Dharma completely and effectively, follow the universal ransomware removal instructions below. If you believe that manual removal of Dharma is too difficult, experts recommend downloading and installing an advanced anti-malware scanner on the compromised computer to perform the removal automatically.

Whatever the case, after removing the new Dharma virus we suggest that you back up the encrypted files so that they are available if a decryptor is released. We also advise trying the alternative restore methods in step “2. Restore files encrypted by Dharma” below. They have not been tested against Dharma, so create copies of the encrypted files before attempting them.
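Both the encryption description above (files renamed with the [lavandos@dr.com] extension) and the advice to keep copies of encrypted files for a future decryptor call for the same first step: an inventory of what was actually encrypted, and verified copies set aside before any restore tool touches the disk. The script below is an added example for this article, not part of the original page or of any vendor tool. It finds files whose names carry the marker the page reports, measures the byte entropy of each one to separate real ciphertext from files that were merely renamed or left with a readable header, and copies them to a backup directory with a SHA-256 check. The sample directory tree it builds, the file names, and the 7.0 bits/byte entropy threshold are constructed assumptions.

```python
"""Triage files marked by Dharma v2 and preserve verified copies for a later
decryptor. Added example for this article; the directory tree it builds is
constructed sample data, not a real victim's files."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from dataclasses import dataclass

MARKER = "[lavandos@dr.com]"   # extension the page reports Dharma v2 appending
ENTROPY_THRESHOLD = 7.0        # bits/byte; assumption: above this, content is ciphertext-like


@dataclass
class Finding:
    path: str
    size: int
    entropy: float
    sha256: str
    looks_encrypted: bool


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inventory(root: str) -> list:
    """Describe every file under root whose name carries MARKER. Entropy is
    measured on the first 64 KiB; a marked file with low entropy was renamed
    but not (fully) encrypted, which matters when choosing a recovery route."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            if MARKER not in name:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            ent = shannon_entropy(data[:65536])
            findings.append(Finding(path, len(data), round(ent, 2),
                                    hashlib.sha256(data).hexdigest(),
                                    ent >= ENTROPY_THRESHOLD))
    return findings


def preserve(findings, root: str, dest: str) -> int:
    """Copy each finding into dest (relative path flattened into the name) and
    re-hash the copy. Returns how many copies verified against the inventory."""
    os.makedirs(dest, exist_ok=True)
    verified = 0
    for f in findings:
        flat = os.path.relpath(f.path, root).replace(os.sep, "__")
        target = os.path.join(dest, flat)
        shutil.copy2(f.path, target)
        with open(target, "rb") as fh:
            if hashlib.sha256(fh.read()).hexdigest() == f.sha256:
                verified += 1
    return verified


def build_sample_tree(root: str) -> None:
    """Constructed sample: two ciphertext-like files, one untouched text file,
    and one marked file that still starts with a ZIP/DOCX header."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs, exist_ok=True)
    samples = {
        "budget.xlsx." + MARKER: os.urandom(8192),
        "notes.txt." + MARKER: os.urandom(4096),
        "draft.docx." + MARKER: b"PK\x03\x04" + b"\x00" * 2000,
        "readme.txt": b"quarterly numbers\n" * 200,
    }
    for name, content in samples.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(content)


def demo() -> dict:
    """Build the sample tree, inventory it, preserve copies; return a summary."""
    root = tempfile.mkdtemp(prefix="dharma_victim_")
    dest = tempfile.mkdtemp(prefix="dharma_backup_")
    try:
        build_sample_tree(root)
        findings = inventory(root)
        return {
            "marked": len(findings),
            "encrypted": sum(f.looks_encrypted for f in findings),
            "suspect": sorted(os.path.basename(f.path) for f in findings
                              if not f.looks_encrypted),
            "copied_ok": preserve(findings, root, dest),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(dest, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real machine, point `inventory()` at the user profile or data share rather than a temporary tree, and write the backup to removable or network storage that the infected host cannot reach afterwards; the "suspect" list (marked files whose content is not high-entropy) is worth checking by hand, since those may simply open after the extension is stripped.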

Manually delete Dharma from your computer

Note! Manual removal of Dharma requires interfering with system files and the registry, and can damage your PC if done incorrectly. If your computer skills are not at a professional level, don’t worry: you can perform the removal yourself in about 5 minutes using a malware removal tool.

1. Boot your PC in Safe Mode to isolate and remove Dharma files and objects
2. Find malicious files created by Dharma on your PC

Automatically remove Dharma by downloading an advanced anti-malware program

1. Remove Dharma with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Dharma
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

