.AUF Files Virus (Dharma) – How to Remove It
THREAT REMOVAL

.AUF Files Virus (Dharma) – How to Remove It

This blog post is made to explain what is the .AUF variant of Dharma ransomware virus and how you can try to remove it and attempt to recover .AUF encrypted files.

Yet another version, belonging to the CrySis/Dharma ransomware family has been detected. The malware appends the .AUF file extension to the files which are encrypted by it and then asks victims to pay ransom in BitCoin to get the files to work once again. If your computer has been attacked by the .AUF variant of Dharma ransomware, we suggest that you read this article as it will help you to understand more about the virus’s activity, encryption and removal.

Threat Summary

Name.AUF Dharma Virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on the computers that have been infected by it and then add the .AUF file extension to the encoded files to extort victims to pay ransom to get them back.
SymptomsFiles cannot be opened and have the .AUF suffix added to them. The virus drops a ransom note, containing the extortionist message and the e-mail [email protected]
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .AUF Dharma Virus

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .AUF Dharma Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.AUF Dharma Virus – Infection

There are several possible infection strategies that may be used to conduct infection activities with the .AUF variant of Dharma ransomware. These often include the usage of malicious files or web links. The first and most common method is to spread an infection file of this Dharma variant is via malicious e-mails that are directly sent to victims via various different types of spam campaigns. These campaigns carry attachments that may contain:

  • Malicious macro-enabled documents.
  • Files that lead to malicous macro documents.
  • JavaScript files.
  • Executable files.
  • Other types of infection files.

In addition to this, the ransomware virus may also attack you passively by uploading the malicious files over the web. There, they may reside patiently waiting to be downloaded, while posing as:

  • Cracks.
  • Patches.
  • Keygens.
  • License updaters.
  • Portable programs.
  • Setups.

.AUF Dharma Ransomware – Activity

Similar to other Dharma ransomware variants, like the .combo one, the .AUF virus aims to encrypt the files and then get the victims to pay ransom to get them back. Most of the viruses hsare similar code, and they may also be similar in the way they encrypt their files.

When the .AUF variant of Dharma ransomware infects your PC, the malware may run the following actions on your computer:

  • Mutex creation.
  • Windows Registry Editor modifications.
  • Deletion of backups.
  • Creation of scheduled tasks.
  • System recovery disabling.
  • Changing of wallpapers and running of files automatically.
  • Modifying system files.

The .AUF variant of Dharma ransomware first drops the malicious files on the victim PC, where they may have different types of names, for example:

After dropping the malicious files on the computers of victims, the .AUF variant of Dharma ransomware may also attack the Run and RunOnce registry sub-keys of the infected computer. They are sub-keys, located in the Windows Registry Editor and are responsible for running files on Windows start up. In them, Dharma may create value entries with the location of the malicious files it wants to run on Windows start up:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

In addition to this, the latest iteration of Dharma ransomware, may also delete the backed up files on your computer by executing the following command as an administrator in Windows Command Prompt:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

Dharma ransomware may also drop it’s ransom note file, which appears like the following:

Dharma .AUF Virus – Encryption Process

Dharma ransomware aims to encrypt the following files on your computer:

→ .ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf,
.bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco,
.oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn,
.sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf,
.xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw,
.cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx,
.dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb,
.ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb,
.kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab,
.jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

The encryption is conducted with the aid of AES encryption algorithm, also known as Advanced Encryption Standard. After the encryption has finished, the files are left with the .AUF file extension and they can no longer be opened:

Remove Dharma Ransomware and Restore .AUF Encrypted Files

If you want to remove this Dharma ransomware variant, we would suggest that you follow the removal instructions that are underneath this article. They have been created with the main purpose of helping you remove as many virus files as possible. If manual removal does not seem to have any effect, however, we would advise you to do what most cyber-security experts would and run a scan on your PC, using an advanced anti-malware software. Such program aims to not only automatically detect and delete all malicious files and objects, but will also protect your machine against future infections as well.

If your goal is to recover files, encrypted by Dharma ransomware, we will have you know that you can try using the methods we have liste in the “Try to restore” step below. They may not be a complete guarantee to be able to recover all the files, but with their aid you might be able to restore at least some data.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...