.arena Files Virus (Dharma Ransomware) – Remove and Restore Data

.Arena Files Virus (Dharma Ransomware) – Remove and Restore

This article aims to help you by showing you how to remove the latest Dharma ransomware variant and how to restore files encrypted with the .arena file extension by it.

A new version of Dharma ransomware has been detected out in the wild. The Dharma ransomware is a cryptovirus that has evolved from the CrySiS variants which were decryptable when they were released. It aims to encrypt your files and make them no longer able to be opened unless they are unlocked with a special decryption software available only to the cyber-criminals. If you have become one of the victims of Dharma .arena ransomware, we recommend that you read the following article in order to familiarize yourself with the virus and learn how to remove it and try to get your encrypted files working without having to pay to cyber-crooks.

Threat Summary

Name.arena Dharma Virus
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the infected computer and then demands from victims to pay a ransom “fee” in order to send decryption software.
SymptomsFiles are encrypted with the file extension set as the e-mail for contact and the .arena suffix. The ransom note FILES ENCRYPTED.txt also appears.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .arena Dharma Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .arena Dharma Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.arena File Virus – Update December 2017

In the beginning of December, another ransomware started using the .arena extension to mimick the .arena file virus in a way. Currently, the reason is unknown, but the virus mimicking the extension is a variant of GlobeImposter. As to the extension of the GlobeImposter variant – the variant spotter by malware researchers uses precisely the following extension:

  • .[paradisecity@cock.li].arena

That is used as a secondary extension, retaining the original one of encrypted files, which is typical for most GlobeImposter versions.

Update October 2017: The arena variant of Dharma ransomware is continuing to spread with new e-mail spam campaigns as well as multiple other methods.

How Does .arena Dharma Infect

Similar to it’s predecessor CrySiS ransomware, Dharma can be “delivered”via multiple methods. The primary one of those methods is if the virus is spread via spammed e-mails which have either:

  • A malicous fle uploaded as an e-mail attachment.
  • A web link leading to the automatic download of the malicious file.
  • A web link which directly causes the infection.
  • A malicious script causing the infection after you simply open to read the e-mail message (rare occurrence).

When cyber-criminals upload files in the e-mails sent by them, they make sure that those files are heavily concealed so that the e-mail protection system does not block them. This is why they either change the extension of the malicious infection file, for example “.r03” or archive it in a .zip or .rar or other format. The messages aim to convince victims with false statements that the e-mail attachment is legitimate, for example.

“Attached is the copy of your payment receipt.”

.arena File Ransomware – Malicious Activity

After it has encrypted the files on a infected PC, the Arena ransomware virus aims to perform multiple different actions on the computers infected by it. The first of those is to drop its malicious files on the infected computer. They can be located in the following Windows folders:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Temp%

Among those files may be the ransom note of this virus, named FILES ENCRYPTED.txt and having the following message to victims:

All your data has been locked us
You want to return?
write email sindragosa@bigmir.net

When the files are dropped, some of them may be excecuted automatically and may run different functions. These functions aim to grand Dharma ransomware with administrative permissions over the infected computer, allowing it to perform different modifications on it. One of those modifications is to create registry entries in multiple different Windows Registry sub-keys, such as the Run and RunOnce keys, responsible for auto running files on Windows Start:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

In addition to this, Dharma ransomware may also execute batch files (.bat) to run commands in the Windows Command Prompt as administrator. This allows the virus to stop system processes and delete the Volume Shadow Copies (backed up files) on the infected comptuer, preventing any file recovery via this method:

→ vssadmin delete shadows /for={volume} /oldest /all /shadow={ID of the Shadow} /quiet

.arena File Virus – Encryption

In order to encrypt the files on the computer, the .arena version of Dharma ransomware uses the AES encryption algorithm. It makes it possible so that the files targeted by Dharma to be rendered temporarily useless, generating a unique decryption key that is believed to be asymmetric.

The files encrypted by .arena file virus are reported to be often used file types, such as documents, audio files, pictures and others. The virus targets files of commonly used file types, like the following:


After the files are detected and encrypted, they assume the following looks:


The files can no longer be opened and the victim is asked to contact the e-mail where further instructions are received on how to make a payment to get the decryptor. Paying the cyber-criminals is highly inadvisable, primarily because it may result in supporting criminal activity and you may not get your decryptor as promised.

Remove Dharma Ransomware and Restore .arena Encrypted Files

In order to remove this ransomware virus, we strongly suggests to backup your files firstly and then to follow the instructions for decryption and removal below. If you lack the experience in manual malware removal, experts often advise users to turn to an advanced anti-malware software which not only performs the removal automatically, but also protects your computer in the future as well.

In order to restore files that have been encrypted by this ransomware virus, you can try to restore them using the alternative file recovery instructions below in step “2. Restore files encrypted by .arena Dharma”. They are not 100% effective but they may recover some encrypted files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share