.boost Files Virus (Dharma Ransomware) – Remove and Restore Data

.boost Files Virus (Dharma Ransomware) – Remove and Restore Data

remove .boost files virus dharma ransomware sensorstechforum guide

This is an article that provides specific details on .boost files virus as well as a detailed guide with removal steps and alternative data recovery approaches.

Owners of the notorious Dharma ransomware have released yet another version of their threat in active attack campaigns. This time the ransomware is set to append the extension .boost to all files it encodes. The purpose of data corruption remains the same – ransom payment. In case of infection with this Dharma .boost variant, you won’t be able to access the information stored by important files until you apply an efficient data recovery solution. Our advice is to avoid following the instructions from the ransom note as their completion does not guarantee the recovery of your encrypted data.

Threat Summary

Name.boost Files Virus
TypeRansomware, Cryptovirus
Short DescriptionA version of the CrySyS/Dharma ransomware family that is designed to encrypt valuable files stored on infected computers and then extort a ransom from victims.
SymptomsImportant files are encrypted and renamed with the extension .boost. A ransom note appears on PC screen to present ransom payment instructions.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .boost Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .boost Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.boost Files Virus – Distribution

There are several ways which may be used for the distribution of this version of Dharma ransomware. One of those methods is known to be malwspam. It provides hackers the chance to spread corrupted files of common file types in massive email campaigns. The emails are usually disguised as legitimate ones. However, their purpose is to trick you into opening corrupted files with embed malicious code on your device and this way trigger the ransomware payload. A variety of common file types such as documents, PDFs, images could be transformed into carriers of ransomware code.

These files are often presented as the following:

  • Invoices coming from reputable sites, like PayPal, eBay, etc.
  • Documents from what appears to be the victim’s bank.
  • An online order confirmation note.
  • Receipt for a purchase.
  • Others.

The malware authors may be also using compromised sites to spread this .boost Dharma ransomware infection. This method enables them to upload the ransomware configuration file to a compromised web page and set its automatic execution after a registered visit of this page.

.boost Files Virus – Overview

An infection with .boost files virus begins when its payload is started on the system. Upon successful execution it enables the ransomware to plague large number of system components and reach the main stage which is data encryption.

In the beginning of the infection process it could drop or create additional malicious files that will support the completion of the attack. Some of these files may be located in the following system folders:

  • %Roaming%
  • %Windows%
  • %AppData%
  • %Local%
  • %Temp%

Among the malicious activities performed by .boost files virus are modifications of registry keys. By creating certain registry values in the Run and RunOnce Windows registry sub-keys it could set up its files to run automatically on each system boot.
These changes could be noticed when you enter the following registry sub-keys locations:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

These sub-keys are used when the virus wants to load its ransom note on the screen. The note is dropped during the infection process. The note could be copied several times so that it could appear on your desktop as well as in folders with corrupted files.

.boost Files Virus – Encryption Process

Alike some of the previous versions (.combo, .arrow, .bkp, etc.) Dharma .boost crypto virus needs to utilize its built-in encryption module for the completion of its main purpose. It could be configured to transform target files with the help of one or two cipher algorithms one of which is the AES. Following encryption, valuable files become inaccessible due to essential changes of their code. Unfortunately, all of your important files could be affected by the ransomware including your:

  • Audio files.
  • Videos.
  • Image files.
  • Databases.
  • Archives.

A visible trait of all corrupted files is the distinctive extension .boost that appears at the end of their names. In addition, all .boost files will have other two extensions appended to their names. As discovered by security researchers Dharma .boost ransomware uses the following rename pattern for files it encrypts:

  • Original file name – original file extension – victim ID – hackers’ contact email – boost

For example, you could see how a file that was originally named project1.docx will appear like shown in the image below:


During the encryption process, the ransomware generates unique decryption key that supposedly could recover the original code of corrupted files. In order that hackers could extort a ransom from their victims, their threat is configured to transfer the key to their server immediately after the encryption stage. However, there is no guarantee that the generated key could restore data as only a single bug in the code could break it.

Remove .boost Files Virus and Restore Data

Below you could find how a step-by-step removal guide that may be helpful in attempting to remove this .boost files virus. The manual removal approach demands practice in recognizing traits of malware files. Beware that ransomware is a threat with highly complex code that plagues not only your files but your whole system. So it should be secured properly before it could be used regularly again.

For alternative data recovery methods make sure to read thoroughly the information under “Restore Files” step form our guide. Beware that before recovery process you should back up all encrypted files to an external drive in order to prevent their irreversible loss.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share