A ransomware virus that uses the email@example.com e-mail address to contact its victims has been reported by infected users. The virus encrypts the files on the compromised computer and then appends the .dharma file extension, along with a unique identifier, to them. Whether or not it is named after the Dharma and Greg TV series is yet to be confirmed, but the ransomware certainly brings it to mind. After encryption, it extorts the users of the infected computer into making a payment to recover the encrypted .dharma files, which can no longer be opened. If you have become an unfortunate victim of the Dharma virus, we advise you to back up the encrypted files and read the following article to learn how to remove Dharma and try to restore your files.
| Field | Details |
|---|---|
| Short Description | The malware encrypts the user's files with a strong encryption algorithm, so direct decryption is possible only with a unique decryption key held by the cyber-criminals. |
| Symptoms | The user may see ransom notes and "instructions" linking to a web page and a decryptor. File names are changed and the .dharma file extension is appended. |
| Malware Removal Tool | See If Your System Has Been Affected by Dharma |
| User Experience | Join our forum to discuss Dharma. |
| Data Recovery Tool | Data Recovery Pro by ParetoLogic. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, only some of them, depending on the situation and whether or not you have reformatted your drive. |
Dharma Ransomware – How Does It Replicate
Users on security forums report that the malware has infected multiple computers on office networks, suggesting that the virus is spread not only to home computers but also to organizations. This can happen in a number of ways:
- A "dropped" flash drive that infects the first office computer it is inserted into.
- Worm-like features that replicate the malware automatically from one system to another on a home or office network.
- Massive spam campaigns that target the office network, or many different computers, with phishing e-mails carrying malicious attachments.
Whatever the case may be with Dharma ransomware, the virus may be spread on a large scale and may be a variant derived either from an open-source project or from source code that someone purchased on the dark net.
Dharma ransomware also went undetected by most conventional antivirus programs, suggesting that it uses a sophisticated obfuscator that allows it to execute without detection.
More Information about Dharma Ransomware
As soon as the user visits the malicious URL or opens the malicious attachment carrying the Dharma infection vector, the ransomware executes automatically and immediately begins injecting commands into legitimate Windows processes such as svchost.exe and explorer.exe. The ransomware may first delete any shadow volume copies or other backups on the computer by running the vssadmin command in concealed mode.
After deleting the file history, the Dharma virus may add custom registry values with data to the Run and RunOnce Windows Registry subkeys. This data is usually configured to make the malicious files of the virus run at startup and begin encrypting:
- Audio files.
- Video files.
- Database types of files.
- Various files associated with frequently used programs, such as VMware and Photoshop.
- Microsoft Office files.
- Adobe Reader .PDF files.
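The two host-level behaviours described above, shadow-copy deletion through vssadmin and autorun persistence in the Run/RunOnce keys, are what a responder can hunt for in process-creation and registry telemetry before the encryption finishes. The following is an added example written for this article, not code from the Dharma sample or from the original page. The event records are constructed to resemble Sysmon Event ID 1 (process creation) and Event ID 13 (registry value set) entries; the field names are an assumption and should be mapped onto your own log source. The command lines matched are the standard vssadmin and wmic shadow-deletion invocations, which the page does not reproduce verbatim.

```python
"""Triage of process-creation and registry telemetry for two ransomware
behaviours: shadow-copy deletion and Run/RunOnce persistence.

Added example for this article; not code from the Dharma sample or from the
original page.  Event dictionaries are constructed to resemble Sysmon
Event ID 1 and Event ID 13 records; the field names are an assumption.
"""
import re

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet",
     "parent": r"C:\Users\Bob\AppData\Local\Temp\payload.exe"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete",
     "parent": r"C:\Users\Bob\AppData\Local\Temp\payload.exe"},
    {"id": 13, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"C:\Users\Bob\AppData\Roaming\svchost.exe"},
    {"id": 13, "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"id": 13, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Cleanup",
     "value": r"C:\Users\Bob\AppData\Local\Temp\cleanup.exe"},
]

# "vssadmin delete shadows" and "wmic shadowcopy delete" are the usual ways
# ransomware removes restore points; "vssadmin list shadows" is benign.
SHADOW_DELETE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b|\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b",
    re.IGNORECASE)
# Matches both the Run and the RunOnce subkeys under CurrentVersion.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Autorun values are common; ones that launch from user-writable paths are not.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


def flag_shadow_deletion(event):
    """Alert on a process-creation event whose command line deletes shadow copies."""
    if event.get("id") != 1 or not SHADOW_DELETE.search(event.get("cmdline", "")):
        return None
    return f"shadow copy deletion: {event['cmdline']!r} spawned by {event['parent']}"


def flag_run_key_persistence(event):
    """Alert on a Run/RunOnce value whose payload lives in a user-writable directory."""
    if event.get("id") != 13 or not RUN_KEY.search(event.get("key", "")):
        return None
    if not USER_WRITABLE.search(event.get("value", "")):
        return None
    return f"suspicious autorun: {event['key']} -> {event['value']}"


CHECKS = (flag_shadow_deletion, flag_run_key_persistence)


def triage(events):
    """Run every check over every event and return the alerts in event order."""
    alerts = []
    for event in events:
        for check in CHECKS:
            alert = check(event)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

On the constructed events this yields four alerts: the two shadow-deletion command lines and the two autorun values pointing into AppData, while the benign `vssadmin list shadows` and the OneDrive autorun in Program Files are left alone. The parent process is kept in the shadow-deletion alert because vssadmin launched from a Temp-directory executable is the part worth escalating.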
After the virus completes the encryption, during which the computer's explorer.exe process may enter a 'Not Responding' state, it appends the cyber-criminals' e-mail address and the .dharma file extension to the encrypted files, which can no longer be opened. A unique decryption key generated for the infection is believed to be sent to the cyber-criminals' command and control servers. The encrypted files look like the picture below once the process is complete:
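Because the original name and extension survive inside the renamed file, a responder can inventory what was hit and which contact address and identifier the sample stamped on the files, which is useful when backing up the encrypted files before removal as this article advises. The following is an added example written for this article, not the original page's code and not a decryptor: it only parses names. The exact layout it assumes, `<original>.id-<hex>.[<e-mail>].dharma` with the id- segment optional, is an assumption based on the description above; adjust the pattern if the files on your hosts differ. The sample paths are constructed.

```python
"""Inventory of files renamed by a .dharma infection, based on the naming
described above.  Added example for this article; not the page's own code and
not a decryptor.  The assumed layout <original>.id-<hex>.[<e-mail>].dharma
(id- segment optional) is an assumption; edit ENCRYPTED_NAME if it differs.
"""
import os
import re
from collections import Counter

ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)"                       # original name, with its extension
    r"(?:\.id-(?P<victim_id>[0-9A-Fa-f]+))?"    # optional per-victim identifier
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"       # attackers' contact address
    r"\.dharma$", re.IGNORECASE)

# Constructed sample paths, not taken from a real infection.
SAMPLE_PATHS = [
    r"C:\Users\Bob\Documents\budget.xlsx.id-1A2B3C4D.[email@example.com].dharma",
    r"C:\Users\Bob\Pictures\holiday.jpg.id-1A2B3C4D.[email@example.com].dharma",
    r"\\FILESRV\share\db\customers.mdb.[email@example.com].dharma",
    r"C:\Users\Bob\Desktop\README.txt",          # ransom note, not encrypted
    r"C:\Users\Bob\Documents\notes.dharma.txt",  # 'dharma' inside the name, not a suffix
]


def parse_encrypted_name(path):
    """Return the parsed parts of an encrypted file name, or None if it does not match."""
    name = re.split(r"[\\/]", path)[-1]          # accept Windows and POSIX separators
    match = ENCRYPTED_NAME.match(name)
    if not match:
        return None
    original = match.group("original")
    _, ext = os.path.splitext(original)
    return {
        "path": path,
        "original": original,
        "extension": ext.lower() or "(none)",
        "victim_id": match.group("victim_id"),
        "email": match.group("email").lower(),
    }


def inventory(paths):
    """Summarise which paths are encrypted, grouped by original extension, plus the contact data seen."""
    hits = [h for h in map(parse_encrypted_name, paths) if h]
    return {
        "encrypted": hits,
        "by_extension": Counter(h["extension"] for h in hits),
        "emails": sorted({h["email"] for h in hits}),
        "victim_ids": sorted({h["victim_id"] for h in hits if h["victim_id"]}),
    }


def scan_directory(root):
    """Walk a directory tree (for example a mounted image of the victim disk) and inventory it."""
    paths = [os.path.join(dirpath, f)
             for dirpath, _, files in os.walk(root) for f in files]
    return inventory(paths)


if __name__ == "__main__":
    summary = inventory(SAMPLE_PATHS)
    print(f"{len(summary['encrypted'])} encrypted files; contact: {summary['emails']}; "
          f"ids: {summary['victim_ids']}")
    for ext, count in summary["by_extension"].most_common():
        print(f"  {ext}: {count}")
```

Run `scan_directory()` against a read-only mount of the affected volume rather than the live machine. The inventory tells you how many files of each type were encrypted and whether more than one victim identifier or contact address appears, which is a sign that several samples or campaigns touched the same network share.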
Remove Dharma Ransomware and Restore .Dharma Files
To sum up, the Dharma threat may either have been developed by someone with coding skills who started from open-source code, or be part of a ransomware-as-a-service (RaaS) scheme. So far it is difficult to tell, but it may be an iteration of Shade or Globe ransomware. Whatever the case may be, we will update this article with more information if a decryptor is released. This is why we advise you to back up your files and use the instructions in this article to remove Dharma ransomware.
To remove the virus, we have posted below the steps to do it manually or, if you lack malware removal experience, how to do it swiftly and automatically with an anti-malware tool.
After removing Dharma, we also advise you to try the alternative techniques in step "2. Restore files encrypted by Dharma" below. They are a good temporary solution that may work if you are lucky, but they have not been tested on Dharma yet, which is why you should back up the encrypted files before beginning.
Manually delete Dharma from your computer
Note! Important notice about the Dharma threat: manual removal of Dharma requires interfering with system files and the registry, and can therefore damage your PC. Even if your computer skills are not at a professional level, don't worry: you can do the removal yourself in just 5 minutes, using a malware removal tool.