.bgtx Files Virus (Dharma Ransomware) – Remove + Restore Data

This article explains what the latest Dharma ransomware variant is, how you can remove it, and how to restore .bgtx encrypted files.

Dharma ransomware does not sleep, and it has proven that again with a new dangerous variant that has been set loose. The new Dharma appends the .bgtx file extension to the encrypted files and retains the naming format of the older .combo variant: Filename.id{ID-here}.[decrypt@fros.cc].bgtx. The new variant encrypts the files on your computer so that they can no longer be opened, and then leaves behind a ransom note that aims to extort victims into paying a ransom to get their files back. If your computer has been infected by the .bgtx file variant of Dharma ransomware, we recommend that you read this article completely to learn how to remove this variant and how to try to restore the files it has encrypted on your PC.

Threat Summary

Name: Dharma .bgtx Ransomware
Short Description: New Dharma/CrySiS ransomware virus. Uses sophisticated encryption to extort victims to pay in BitCoin for their encrypted files.
Symptoms: Encrypts documents, images, videos and other important files and adds the .bgtx file suffix plus a unique ID and the e-mail to pay the ransom.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files. It may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

.bgtx Dharma Virus - Infection Methods

Dharma ransomware is no ordinary virus, hence it uses no ordinary infection methods. The main indicator of compromise detected dropping the malicious files of Dharma is reported at VirusTotal with the following specifications:

File size: 219.5 KB

The file may be spread via different methods, but the main suspect is e-mail. The crooks carefully disguise an e-mail that contains a malicious attachment. Most attachments pretend to be .PDF or .docx files and pose as legitimate files of great importance, for example:

  • Order rejection details.
  • Invoice for a purchase.
  • Receipt for something you may have bought.
  • Important security document from your bank.
  • Document from your boss or a colleague.

These e-mails are carefully made so that they appear to come from big companies, like FedEx, PayPal or LinkedIn. Some of the e-mails pretend to come from a reputable person or someone on your e-mail list of contacts. The messages always urge you to open the attachment as it is “very important”.

Furthermore, the .bgtx Dharma virus has also been detected using a very complicated infection method, attacking Russian-speaking targets and disguising messages as some form of accounting information. The e-mails appear as if the senders are sending some type of spreadsheet or other important data. The files are always attached to the message and, if not, they are linked to an external Dropbox or other file-sharing account.

The crooks are also able to deliver archives that contain files pretending to be documents. When opened, they may automatically initiate a connection with the payload download server or extract the payload of Dharma directly onto the victim PC.

In addition to this, the .bgtx variant of Dharma ransomware may also be spread via different programs that are uploaded on low-reputation sites, such as software cracks, patches, license activators, loaders, portable versions of freeware apps and many other .exe files, so be careful and always check files before downloading them.

Dharma .bgtx Ransomware - Malicious Activity

Dharma ransomware viruses have been active for a significant time and have made a name for themselves as being among the most widespread ones. They derive from the CrySiS ransomware family. The first Dharma variant appended the .dharma file suffix to the files, and that variant was decryptable. But the Dharma makers did not stop there and have now released a lot of other variants of the malware, most of which are not decryptable. Some of these variants can be seen below:

And now we come to the current Dharma variant, which uses the .bgtx file extension that it adds to the encrypted files alongside a new e-mail address.

After an infection with the .bgtx Dharma variant occurs, not much is changed in the malicious actions the virus performs on your computer:

  • Creation of several mutexes.
  • Creating value strings with custom data in the Windows Registry.
  • Deleting backups and shadow copy files.
  • Scheduling tasks to run malicious files or its ransom note on startup.
  • Disabling restore points and system recovery.
  • Changing your wallpaper.
  • Modifying system files (touching).

Dharma .bgtx ransomware may also drop its malicious files under different, often random names in the commonly targeted Windows directories:

When Dharma ransomware has dropped its files, the malware also interferes with the Windows Registry by creating registry value entries in the Run and RunOnce sub-keys. They have the following location:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

When the Dharma .bgtx variant creates value strings in those sub-keys, it stores the location of its encryption file in them, so finding these values is a crucial step towards finding where the malicious file of the malware is located.
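To locate such values, the following added example (not code from the original article) parses the text printed by `reg query` for the Run and RunOnce sub-keys and lists every value that is new or changed compared with an earlier capture, together with the executable it points to. The baseline capture, the value names, the paths and the extension list are assumptions made for illustration.

```python
import re

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^ {4}(?P<name>.+?) {4}(?P<type>REG_\w+) {4}(?P<data>.*)$")

def parse_reg_query(text):
    """Parse `reg query` output into {key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
            continue
        m = VALUE_LINE.match(line)
        if current is not None and m:
            current[m.group("name")] = m.group("data").strip()
    return keys

def executable_of(data):
    """Pull the program path out of a Run value, quoted or unquoted."""
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    # Assumed extension list; unquoted paths may contain spaces.
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|hta))(?:\s|$)", data, re.I)
    return m.group(1) if m else data.split(" ", 1)[0]

def new_autoruns(baseline_text, current_text):
    """List (key, name, executable) for values added or changed since baseline."""
    base, cur = parse_reg_query(baseline_text), parse_reg_query(current_text)
    return [
        (key, name, executable_of(data))
        for key, values in cur.items()
        for name, data in values.items()
        if base.get(key, {}).get(name) != data
    ]

RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Constructed `reg query` captures; value names and paths are placeholders.
BASELINE = RUN + "\n" + r'    OneDrive    REG_SZ    "C:\Users\ana\OneDrive.exe" /background' + "\n"
CURRENT = BASELINE + r"    a1b2c3    REG_SZ    C:\Users\ana\AppData\Roaming\a1b2c3.exe" + "\n"

if __name__ == "__main__":
    for key, name, exe in new_autoruns(BASELINE, CURRENT):
        print(f"{key}\\{name} -> {exe}")
```

Without a baseline, pass an empty string as the first argument and every current value is listed for manual review.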

Dharma .bgtx ransomware may also execute a script as an administrator in Windows Command Prompt. The script aims to delete the shadow volume copies in Windows and disable any backups. It may consist of the following commands:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
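The commands above leave clear traces in process-creation logging (for example Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled). The following added example, which is not part of the original article, tags command lines that match the quoted script and rates each host; the event list, host names and severity thresholds are assumptions.

```python
import re
from collections import defaultdict
# Services named in the script quoted above, spelled as the article lists them.
SERVICES = {"vvs", "wscsvc", "windefend", "wuauserv", "bits", "ersvc", "wersvc"}
EXE = r"(?:\.exe)?\"?\s+"  # optional ".exe", optional closing quote, whitespace
RULES = {
    "shadow_copy_delete": re.compile(r"\bvssadmin" + EXE + r"delete\s+shadows\b", re.I),
    "recovery_disabled": re.compile(r"\bbcdedit" + EXE + r"/set\s+\S+\s+recoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(r"\bbcdedit" + EXE + r"/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
}
SC_STOP = re.compile(r"\bsc" + EXE + r"stop\s+\"?([\w-]+)", re.I)

def classify(cmdline):
    """Tag one command line with the recovery-inhibiting actions it performs."""
    tags = {name for name, rx in RULES.items() if rx.search(cmdline)}
    m = SC_STOP.search(cmdline)
    if m and m.group(1).lower() in SERVICES:
        tags.add("service_stop:" + m.group(1).lower())
    return tags

def triage(events):
    """events: (host, command line) pairs. Returns {host: (level, tags)}."""
    per_host = defaultdict(set)
    for host, cmdline in events:
        per_host[host] |= classify(cmdline)
    verdicts = {}
    for host, tags in per_host.items():
        stops = {t for t in tags if t.startswith("service_stop:")}
        inhibit = tags - stops
        # Assumed thresholds: a lone service stop is routine administration.
        if inhibit and stops:
            level = "high"
        elif inhibit or len(stops) >= 3:
            level = "medium"
        else:
            level = "low" if stops else "none"
        verdicts[host] = (level, sorted(tags))
    return verdicts

# Constructed process-creation events (host, command line); not real telemetry.
EVENTS = [
    ("WS-01", "sc stop WinDefend"),
    ("WS-01", "cmd.exe /C bcdedit /set {default} recoveryenabled No"),
    ("WS-01", r'"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'),
    ("ADMIN-02", "sc stop wuauserv"),
    ("BKP-03", "vssadmin list shadows"),
]

if __name__ == "__main__":
    print(triage(EVENTS))
```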

Dharma .bgtx Ransomware Virus - Encryption

When Dharma ransomware encrypts files, the virus may employ the Advanced Encryption Standard, also known as AES. The cipher uses an asymmetric key generation which produces a key that is then masked and cannot be read by the victim. The algorithm is a very tough one to decrypt, as it is classified as a Suite B type of cipher, used by government agencies to encrypt sensitive files. The cipher could, however, be decrypted if there is a bug in the code of Dharma .bgtx that allows it to be done.

The encryption process of Dharma .bgtx ransomware begins with scanning for the specific file types the virus will encrypt. These file types include often used files, such as files with the following extensions:


Dharma ransomware may skip encrypting files in the folders listed below, as they are system folders of Windows and the victim still needs his or her computer to pay the ransom:

  • %Local%
  • %Temp%
  • %Windows%
  • %System%
  • %Program Files%
  • %System32%

The encryption process itself consists of a chain of several actions. To sum those up, Dharma creates a copy of your original file, encrypts it and adds the .bgtx file extension plus a unique ID and the e-mail of the crooks (decrypt@fros.cc). Dharma ransomware then deletes the original file, leaving only the encrypted file, which looks as shown in the image below.
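Because every encrypted file carries the ID and the contact e-mail in its name, a file listing is enough to scope the damage before restoring from backup. The following added example (not from the original article) parses the naming scheme quoted above and groups the pre-encryption paths by ID and e-mail; the hyphen after "id", the ID's character set and the sample listing are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Naming scheme quoted in the article: Filename.id{ID-here}.[decrypt@fros.cc].bgtx
# Assumptions: the ID has no dots or brackets and may follow "id" directly or
# after a hyphen; the contact e-mail is whatever sits inside the brackets.
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+)\.id-?(?P<victim_id>[^.\[\]]+)"
    r"\.\[(?P<email>[^\]]+)\]\.bgtx$",
    re.IGNORECASE,
)

def parse_encrypted_name(path):
    """Return folder, original name, victim ID and e-mail, or None if no match."""
    p = PureWindowsPath(path)
    m = ENCRYPTED_NAME.match(p.name)
    if m is None:
        return None
    return {
        "folder": str(p.parent),
        "original": m.group("original"),
        "victim_id": m.group("victim_id"),
        "email": m.group("email").lower(),
    }

def inventory(paths):
    """Group pre-encryption paths by (victim ID, e-mail); list non-matching paths."""
    groups, other = defaultdict(list), []
    for path in paths:
        info = parse_encrypted_name(path)
        if info is None:
            other.append(path)
            continue
        original = PureWindowsPath(info["folder"]) / info["original"]
        groups[(info["victim_id"], info["email"])].append(str(original))
    return dict(groups), other

# Constructed file listing, not taken from a real incident.
SAMPLE = [
    r"C:\Users\ana\Documents\budget.xlsx.id-A1B2C3D4.[decrypt@fros.cc].bgtx",
    r"C:\Users\ana\Pictures\trip.jpg.id-A1B2C3D4.[decrypt@fros.cc].bgtx",
    r"C:\Users\ana\Documents\notes.bgtx",   # extension alone does not match
    r"C:\Users\ana\Documents\todo.txt",
]

if __name__ == "__main__":
    affected, other = inventory(SAMPLE)
    for (victim_id, email), files in affected.items():
        print(victim_id, email, f"{len(files)} files to restore from backup")
```

More than one ID in the result means the listing covers more than one infection, and each group should be matched against backups separately.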

How to Remove Dharma and Restore .bgtx Encrypted Files

Removing Dharma ransomware does require some technical expertise. This is why, before trying the removal yourself, we advise that you back up your files, even if they are encoded.

For the removal, you can follow the instructions we have prepared for you below and use them plus the data in this article to help you remove Dharma manually. If manual removal does not seem to help or you feel unsure that you have removed Dharma from your PC, the best method according to researchers is to remove the virus files using an advanced anti-malware program. Such a tool will scan for all Dharma .bgtx related files and objects and then erase them permanently. It also has protection mechanisms that will actively protect your PC against future intrusive programs or viruses.

If you want to decrypt files encrypted by Dharma, we strongly recommend that you follow the instructions in step “2. Try to restore files..” below. This is no guarantee that you will restore all of the files encrypted by this Dharma variant, but it may help you recover at least some of the files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for the discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
