The .kharma virus is a new Dharma ransomware sample that is currently set against target end users on a global scale. There is no information available about the hacking group behind it. It is believed to be a new iteration of the famous ransomware family. This is one of the reasons why we believe that the hackers are experienced.
Once the .kharma virus has started it will execute its built-in sequence of dangerous commands. Depending on local conditions or the specific hacker instructions various actions will take place. The file encryption will begin after them — the encrypting component will use a built-in list of target file type extensions. In the end the victim files will be renamed with the .kharma extension.
|Short Description||The ransomware encrypts files on your computer machine and demands a ransom to be paid to allegedly restore them.|
|Symptoms||The ransomware will blackmail the victims to pay them a decryption fee. Sensitive user data may be encrypted by the ransomware code.|
|Distribution Method||Spam Emails, Email Attachments|
|Detection Tool|| See If Your System Has Been Affected by .kharma Virus |
Malware Removal Tool
|User Experience||Join Our Forum to Discuss .kharma Virus.|
|Data Recovery Tool||Windows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.|
.kharma Virus – Spread and Impact
The Dharma ransomware family has grown with a new sample which is identified as the .kharma virus. Information about it was poted onlne in a Twitter report by the virus researcher Raby. Together with information posted in the security community we have confirmed that the attacks are ongoing and set against users worldwide.
At the moment there is no information about the hacking group an their exact targets, as such we assume that the most popular strategies are to be used by the criminals when it comes to distribution. Ransomware samples are easily delivered to the target users by means of social engineering. This is done by operating scam sites or sending out bulk email messages that impersonate companies or services. By falling victim to them the virus will be installed. The scam pages can be hosted on similar sounding domain names that includes security certificates that may be self-signed.
The virus code can be placed in malware files such as malware documents across all popular formats and also dangerous setup installers of widely used software. These files can be spread on file-sharing networks like BitTorrent and also on social networks where using fake or hacked accounts links to the data can be posted.
Other distribution techniques can be used as well. Based on the activity and code analysis we can state that the .kharma virus is similar in activity to previous Dharma versions.
.kharma Virus – What Does It Do?
The Dharma ransomware viruses continue to develop as is the case with the .kharma sample. The security researchers have given us a sample code to study giving us information about its current state. What we know is that the virus files can take the form of executables that will immediately start the built-in actions.
At the moment the modules which are run include the setting up of a file removal component. This is set to locate, identify and delete Shadow Volume Copies. This means that file recovery will be made very difficult unless a professional-grade recovery solution is used. The next step in the process is the manipulation of the Task Manager in order to extract detailed information about the running processes. The data is saved in a format that can be easily read by the hackers. The information can be automatically sent to them during execution or after that.
The captured samples include an execution of a final component before the encryption is started. This part can be customized to include a lot of different functionality:
- Information Gathering — The engine can be used to seek for sensitive information that can reveal the identity of the victims or machine information. All of this can be used for other crimes such as identity theft and financial abuse.
- Additional Malware Installations — The .kharma virus can be used to install other threats such as Trojans and miners.
- Boot Options — The malware engine can be used to modify the configuration files and settings of the system which will automatically start the ransomware engine as soon as the computer is booted. In some cases this method will also disable access to the recovery boot options.
- Windows Registry Changes — Some of the advanced samples have been found to edit existing values in the Windows Registry or create new ones. This can lead to problems such as performance issues, data loss and unexpected errors.
We remind our readers that infections with the Dharma ransomware can cause not only computer damage, but also sabotage as was the case with the hacked garage of the Canadian Domain Authority.
.kharma Virus – The Encryption Phase
When all components have finished running the actual ransomware will be run. As strong cipher will be used to process user data and make it inaccessible. Commonly this is done against the most popular files which may include any of the following:
- Multimedia Files
- System Configuration Files
The ongoing attack campaign which we are actively tracking creates a ransom note in a file called RETURN FILES.txt. It will blackmail the victims by sating that they need to pay the hackers a fee in order to restore access to their data. The victim data will be renamed with the .kharma extension and preceded by the hacker’s email contact address in brackets. In this case there are two registered accounts used in the campaign which we have analyzed — firstname.lastname@example.org and email@example.com.
Dharma ransomware versions are also known for displaying the ransom note in a pop-up window which is also known as a lockscreen. This is very effective as it can block the users from interacting with the computers in the ordinary way.
Remove .kharma Virus
If your computer system got infected with the .kharma Files ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.