.gif Files Virus (Dharma) – How to Remove It

.gif Files Virus (Dharma) – How to Remove It

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)

This blog post has been made with the primary purpose to explain to you how you can remove the .gif file variant of Dharma ransomware virus and show you how to try and recover files encrypted with the .gif extension added to them.

Dharma ransomware is a virus that has kept hitting victims with a lot of different variants. It’s current variant now officially uses the .gif file extension which it ads to the computers of users. The ransomware virus aims to render the files on the computers attacked by it no longer openable and then asks victims to pay ransom in order to retrieve access to the data. If your computer has become a victim of the .gif Dharma ransomware, we recommend you to read this article thoroughly.

Threat Summary

Name.gif Files Virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encipher the files on the computers compromised by it and then ask victims to pay to get them back.
SymptomsFiles have the .gif extension and can no longer be opened.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by .gif Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .gif Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.gif Dharma Ransomware – Distribution Methods

For the .gif variant of Dharma ransomware virus to infect computers, there may be several strategies used, starting with e-mail spam messages. These e-mails may carry malicious e-mail attachments, that pretend to be:

  • Invoices.
  • Receipts.
  • Banking documents.
  • “Account compromised” type of reports.

The malicious attachments are often in a .ZIP archive and they are usually the following malicious file types:

  • .JS (JavaScript).
  • .DOCX (Microsoft Word Document with malicious macros).
  • .PDF (Malicious Macro embedded Adobe reader file).
  • .VBS (Visual Basic Script file).

The ransomware may also infect computers by having it’s malicious files to be uploaded on suspicious websites, where they often pose as:

  • Cracks for software or games.
  • License activators.
  • Key generators.
  • Portable versions of programs.

.gif Dharma Ransomware – Analysis

The .gif variant of Dharma ransomware first drops it’s payload files on the infected machines by it. The files may reside in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

The virus may then start to modify the Windows Registry Editor by inserting value entries with data alognside them in the following sub-keys:

→ HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\Background
HKEY_CURRENT_USER\Control Panel\Desktop\ScreenSaveTimeOut
HKEY_CURRENT_USER\Control Panel\Desktop

Similar to other Dharma variants, the .gif version of Dharma ransomware may also delete the shadow volume copies of the infected computer by running the following commands as an administrator in Windows Command Prompt:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

The virus also automatically opens Dharma’s usual ransom note, which looks like the following:

.gif Dharma Ransomware – Encryption Process

For the .gif variant of Dharma ransomware to encrypt the files on the compromised computer, the virus may perfom a scanning process first. It detects each file that is among the following file types:


After the .gif variant of Dharma ransomware detects the files, they are encrypted and appended the .gif extension:

The ransomware’s end goal is to get victims to pay ransom to get the decryption key or decryption software, which can unlock the files.

Remove Dharma Ransomware and Try Restoring .gif Files

Before starting to remove Dharma ransomware from your computer, we recommend that you do a fresh backup of your files even if they are encrypted.

To remove Dharma ransomware, we would reccomed that you follow the removal manual that is underneath this article. It is made in order to help you delete the virus files either manually (first two steps) or automatically. If manual removal does not work, we would advise what most cybersecurity experts would and that is to run a scan using an anti-malware software. It will detect and remove any files and malicious objects related to Dharma ransomware on your computer.

If you want to restore files, encrypted by Dharma ransomware, we recommend trying the alterantive methods underneath. They have been created in order to assist you in recovering as many encrypted files as possible, but be aware that they come with no guarantee to work.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share