Hey you,

35,000 ransomware infections per month and you still believe you are protected?

Sign up to receive:

  • alerts
  • news
  • free how-to-remove guides

of the newest online threats - directly to your inbox:

Remove Dharma Ransomware and Restore .dharma Encrypted Files

dharma-ransomware-main-dharma-parody-sensorstechforum-funnyA ransomware virus, using the bitcoin143@india.com e-mail for contact with it’s victims has been reported by infected users. The virus encrypts the files on the compromised computers after which appends the .dharma file extension along with a unique identifier to them. Whether or not it is created based on the Dharma and Greg TV series it is yet to be confirmed but the ransomware sure does remind of it. After encryption, it extorts the users of the infected computer to make a payment and recover the .dharma files which have been encrypted and can no longer be opened. In case you have become an unfortunate victim of the Dharma virus, we advise you to backup the encrypted files and read the following article to learn how to remove Dharma and try to restore your files.

Update! Malware researchers have discovered that Dharma ransomware is a part of the CrySiS ransomware family. Decryption instructions for the CrySiS variants can be found on this web link.

Threat Summary



Type Ransomware
Short Description The malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
Symptoms The user may witness ransom notes and “instructions” linking to a web page and a decryptor. Changed file names and the file-extension .dharma has been used.
Distribution Method Via an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Dharma


Malware Removal Tool

User Experience Join our forum to Discuss Dharma.
Data Recovery Tool Data Recovery Pro by ParetoLogic Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Dharma Ransomware – How Does It Replicate

Users on security forums report that the malware has been infecting multiple computers on office networks, suggesting that the virus may not only be spread to home computers, but also attack organizations as well. This can be done in a number of ways:

  • A “dropped” flash drive that may directly cause the infection after being inserted in one office computer.
  • A worm-like features that aim to replicate the malware automatically from one system to another in a home or office network.
  • Massive spam campaigns that target the office network or multiple different computers with phishing e-mails and malicious e-mail attachments added to them.

Whatever the case of Dharma ransomware may be, the virus may be spread massively and may be a variant that has come up from either an open source project or someone may have purchased it’s source code in the dark net.

The Dharma ransomware was also undetected by most conventional antivirus programs, suggesting that the virus may use a sophisticated obfuscator that allows execution without detection.

More Information about Dharma Ransomware

As soon as the user is on the malicious URL or opens a malicious attachment that is carrying the infection vector of Dharma ransomware, the ransomware is automatically executed and it begins to immediately inject commands in the legitimate Windows processes, like svchost.exe and explorer.exe. The ransomware may initially delete any shadow volume copies or other backups on the computer, running the vssadmin command in concealed mode:


After deleting all the file history, the Dharma virus may begin to add custom registry values with data in the Run and RunOnce 3Windows Registry subkeys. This data is usually configured with settings to make the malicious files of the virus run and begin encrypting:

  • Documents.
  • Pictures.
  • Audio files.
  • Video files.
  • Database types of files.
  • Various files associated with often used programs, like VMware, Photoshop, etc.
  • Microsoft Office files.
  • Adobe Reader .PDF’s.

After the virus completes the encryption, during which the computer’s explorer.exe process may enter a ‘Not Responding’ state, it appends e-mail address of the cyber-criminals and the .dharma file extension to the encrypted files, which can no longer be opened. Then a unique decryption key is generated which is believed to be sent out to the command and control servers of the cyber-criminals. The encrypted files look like the picture below after the process is complete:


Remove Dharma Ransomware and Restore .Dharma Files

The conclusion for the Dharma virus is that the threat may be either developed by someone with coding skills who took an open source code or be a part of a ransomware as a service (RAAS) scheme. So far it is difficult to tell, but it may be an iteration of Shade or Globe ransomware. Whatever the case may be, we will update this article with more information if a decryptor is released. This is why we advise you to backup your files and use the instructions in this article to remove Dharma ransomware.

In order to remove the virus, we have posted below steps on how to achieve it manually, or unless you lack malware removal experience, how to do it swiftly and automatically with an anti-malware tool.

After the removal of Dharma, we also advise you to focus on trying the alternative techniques in step “2. Restore files encrypted by Dharma” below. They are a good temporary solution that may just work if you are lucky, but they have not been tested on Dharma yet, this is why you should back up the encrypted files, before beginning.

Manually delete Dharma from your computer

Note! Substantial notification about the Dharma threat: Manual removal of Dharma requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Dharma files and objects
2.Find malicious files created by Dharma on your PC

Automatically remove Dharma by downloading an advanced anti-malware program

1. Remove Dharma with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by Dharma
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.