.arena Files Virus (Dharma Ransomware) – Remove and Restore (2017)

.Arena Files Virus (Dharma Ransomware) – Remove and Restore

This article aims to help you by showing you how to remove the latest Dharma ransomware variant and how to restore files encrypted with the .arena file extension by it.

A new version of Dharma ransomware has been detected out in the wild. The Dharma ransomware is a cryptovirus that has evolved from the CrySiS variants which were decryptable when they were released. It aims to encrypt your files and make them no longer able to be opened unless they are unlocked with a special decryption software available only to the cyber-criminals. If you have become one of the victims of Dharma .arena ransomware, we recommend that you read the following article in order to familiarize yourself with the virus and learn how to remove it and try to get your encrypted files working without having to pay to cyber-crooks.

Threat Summary

Name.arena Dharma Virus
TypeRansomware, Cryptovirus
Short DescriptionEncrypts the files on the infected computer and then demands from victims to pay a ransom “fee” in order to send decryption software.
SymptomsFiles are encrypted with the file extension set as the e-mail for contact and the .arena suffix. The ransom note FILES ENCRYPTED.txt also appears.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .arena Dharma Virus

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .arena Dharma Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Update October 2017: The arena variant of Dharma ransomware is continuing to spread with new e-mail spam campaigns as well as multiple other methods.

How Does .arena Dharma Infect

Similar to it’s predecessor CrySiS ransomware, Dharma can be “delivered”via multiple methods. The primary one of those methods is if the virus is spread via spammed e-mails which have either:

  • A malicous fle uploaded as an e-mail attachment.
  • A web link leading to the automatic download of the malicious file.
  • A web link which directly causes the infection.
  • A malicious script causing the infection after you simply open to read the e-mail message (rare occurrence).

When cyber-criminals upload files in the e-mails sent by them, they make sure that those files are heavily concealed so that the e-mail protection system does not block them. This is why they either change the extension of the malicious infection file, for example “.r03” or archive it in a .zip or .rar or other format. The messages aim to convince victims with false statements that the e-mail attachment is legitimate, for example.

“Attached is the copy of your payment receipt.”

.arena File Ransomware – Malicious Activity

After it has encrypted the files on a infected PC, the Arena ransomware virus aims to perform multiple different actions on the computers infected by it. The first of those is to drop its malicious files on the infected computer. They can be located in the following Windows folders:

  • %AppData%
  • %Roaming%
  • %Local%
  • %LocalLow%
  • %Temp%

Among those files may be the ransom note of this virus, named FILES ENCRYPTED.txt and having the following message to victims:

All your data has been locked us
You want to return?
write email [email protected]

When the files are dropped, some of them may be excecuted automatically and may run different functions. These functions aim to grand Dharma ransomware with administrative permissions over the infected computer, allowing it to perform different modifications on it. One of those modifications is to create registry entries in multiple different Windows Registry sub-keys, such as the Run and RunOnce keys, responsible for auto running files on Windows Start:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

In addition to this, Dharma ransomware may also execute batch files (.bat) to run commands in the Windows Command Prompt as administrator. This allows the virus to stop system processes and delete the Volume Shadow Copies (backed up files) on the infected comptuer, preventing any file recovery via this method:

→ vssadmin delete shadows /for={volume} /oldest /all /shadow={ID of the Shadow} /quiet

.arena File Virus – Encryption

In order to encrypt the files on the computer, the .arena version of Dharma ransomware uses the AES encryption algorithm. It makes it possible so that the files targeted by Dharma to be rendered temporarily useless, generating a unique decryption key that is believed to be asymmetric.

The files encrypted by .arena file virus are reported to be often used file types, such as documents, audio files, pictures and others. The virus targets files of commonly used file types, like the following:

“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRF Encoded Files .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJ R.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

After the files are detected and encrypted, they assume the following looks:

Filename.jpg.[[email protected]].arena

The files can no longer be opened and the victim is asked to contact the e-mail where further instructions are received on how to make a payment to get the decryptor. Paying the cyber-criminals is highly inadvisable, primarily because it may result in supporting criminal activity and you may not get your decryptor as promised.

Remove Dharma Ransomware and Restore .arena Encrypted Files

In order to remove this ransomware virus, we strongly suggests to backup your files firstly and then to follow the instructions for decryption and removal below. If you lack the experience in manual malware removal, experts often advise users to turn to an advanced anti-malware software which not only performs the removal automatically, but also protects your computer in the future as well.

In order to restore files that have been encrypted by this ransomware virus, you can try to restore them using the alternative file recovery instructions below in step “2. Restore files encrypted by .arena Dharma”. They are not 100% effective but they may recover some encrypted files.

Manually delete .arena Dharma Virus from your computer

Note! Substantial notification about the .arena Dharma Virus threat: Manual removal of .arena Dharma Virus requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove .arena Dharma Virus files and objects
2.Find malicious files created by .arena Dharma Virus on your PC

Automatically remove .arena Dharma Virus by downloading an advanced anti-malware program

1. Remove .arena Dharma Virus with SpyHunter Anti-Malware Tool and back up your data
2. Restore files encrypted by .arena Dharma Virus
Optional: Using Alternative Anti-Malware Tools

Vencislav Krustev

A network administrator and malware researcher at SensorsTechForum with passion for discovery of new shifts and innovations in cyber security. Strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.