A ransomware virus carrying the name Dharma, which means righteousness in Indian, has been released in a new variant. The second version of the virus is reported to be even more dangerous than its first iteration, encrypting files cunningly enough to render them no longer openable and adding the email@example.com file extension. The v2 Dharma is also more focused on encrypting PE types of files. Since the new Dharma gives a deadline of 72 hours, users are often advised not to pay any ransom in BitCoin requested by the crooks at firstname.lastname@example.org. Instead, we recommend reading this article to get familiar with the second version of Dharma ransomware and learn alternative ways to remove the virus files and restore your data.
| Field | Description |
|---|---|
| Short Description | Dharma encrypts user files and leaves contact e-mail addresses for reaching the criminals behind it and paying the ransom fee. |
| Symptoms | Changes the extension of encrypted files to [email@example.com]. Changes the wallpaper to one with ransom instructions that list the backup ransom e-mail, firstname.lastname@example.org. |
| Detection Tool | See If Your System Has Been Affected by Dharma (Malware Removal Tool) |
| User Experience | Join our forum to Discuss Dharma. |
| Data Recovery Tool | Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive. |
Dharma Ransomware – How Did I Get Infected
This particular type of ransomware virus is very cunning in its methods of spreading, primarily because it uses heavy obfuscation for the infection malware. Proof of this is the fact that, during the first detections, VirusTotal reported that only 7 of 56 antivirus engines managed to detect it:
The most conventional methods of distributing such malicious files/scripts are malicious web links or malicious files. Therefore, the malicious files associated with Dharma ransomware may be slipped into your computer through any channel that carries those two kinds of objects. One method may be fake phishing e-mails containing a malicious attachment or a URL that causes the infection, while other, less conventional methods may involve torrents, social media and even chat services.
More about Dharma Ransomware
The Dharma virus is very particular in what it does after an infection takes place. Initially, it may make sure to shut down all processes related to any security software or Windows defence that could stop the encryption from happening. This includes injecting scripts into important Windows processes, like sysdm.cpl or svchost.exe. Then the new Dharma ransomware may delete any backups on the compromised computer, such as shadow volume copies, if File History is enabled on it.
Dharma ransomware may also have other defensive features. One of them may be to shut down or self-delete if the virus is run in a virtual environment.
To encrypt user files, Dharma ransomware looks for files that are often opened and used, like documents, databases, pictures, videos, music and other types of files. It may then apply RSA or AES, a combination of both, or other weaker ciphers to render the encrypted files no longer openable. The virus also adds its distinctive e-mail as a file extension to the encrypted files:
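As an added, defender-side example that is not from the original article or from any analysis of the sample: a read-only Python triage helper that recognises the naming scheme described above (original name kept, a bracketed contact e-mail appended, and, per the ransom note, a victim ID embedded in every file name) and inventories affected files so they can be copied aside for a future decryptor. The bracketed e-mail is a placeholder and the `id-…` segment is an assumed form, since the exact strings are not given here.

```python
import re
from collections import Counter
from pathlib import Path

# Assumed file-name pattern for an encrypted file (not taken from the sample):
#   <original name>.<ext>[.id-<victim id>].[<contact e-mail>][.<suffix>]
# The ID segment and trailing suffix are optional because their exact form is
# not known here; the bracketed e-mail is the part the article describes.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?\.[A-Za-z0-9]+)"      # original name and extension
    r"(?:\.(?P<victim_id>id-[0-9A-Za-z]+))?"  # optional ID segment (assumed)
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"     # bracketed e-mail "extension"
    r"(?:\.[A-Za-z0-9]+)?$"                   # optional extra suffix
)


def parse_encrypted_name(name):
    """Return (original_name, victim_id, email) or None if the name does not match."""
    m = DHARMA_NAME.match(name)
    if not m:
        return None
    return m.group("original"), m.group("victim_id"), m.group("email")


def inventory(names):
    """Summarise file names: which look encrypted, the IDs and e-mails seen,
    and how many files of each original extension were hit."""
    hits, ids, emails, exts = [], Counter(), Counter(), Counter()
    for n in names:
        parsed = parse_encrypted_name(n)
        if parsed is None:
            continue
        original, victim_id, email = parsed
        hits.append(n)
        if victim_id:
            ids[victim_id] += 1
        emails[email] += 1
        exts[Path(original).suffix.lower()] += 1
    return {"encrypted": hits, "ids": dict(ids),
            "emails": dict(emails), "extensions": dict(exts)}


def inventory_directory(root):
    """Walk a directory tree and inventory its file names (never writes or opens files)."""
    return inventory([p.name for p in Path(root).rglob("*") if p.is_file()])


# Constructed sample listing (placeholder e-mail and ID, not real indicators)
SAMPLE = [
    "report.docx.id-1A2B3C4D.[email@example.com]",
    "budget.xlsx.[email@example.com]",
    "photo.jpg",
    "notes.txt.id-1A2B3C4D.[email@example.com]",
]
```

Running `inventory_directory` over a user profile gives the list of encrypted paths to copy to offline storage and a quick view of which data types were affected, without touching the files themselves.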
After the encryption is complete, the virus changes the wallpaper of the encrypted computer, which allows Dharma to notify the user to contact the e-mail of the cyber-criminals for further instructions/negotiations. The ransom note on the wallpaper has the following instructive message, calling the user a friend:
→ “//hallo, our dear friend!
//looks like you have some troubles with your security.
//all your files are now encrypted.
//using third-party recovering software will corrupt your data.
//you have only one way to get them back safely – using our decryption tool.
//to get original decryption tool contact us with email. In subject like write your ID, which you can find in name of every crypted file, also attach to email 3 crypted files.
//it is in your interest to respond as soon as pissible to ensure the restoration of your files, because we won’t keep your decryption keys at our servers more than 72 hours in interest of our security.
//P.S. only in case you don’t receive a response from the first email address within 24 hours, please use this alternative email address.”
Even though the ransom note in the wallpaper set by Dharma is “motivating”, experts advise users not to give in to fear and not to discuss anything with the crooks. Instead, it is recommended to remove Dharma and focus on restoring your files using alternative methods.
Remove Dharma Ransomware and Restore Enciphered Files
To delete Dharma completely and effectively, you may want to follow the universal ransomware removal instructions below. However, if you believe that removing Dharma ransomware manually is difficult, experts recommend downloading and installing an advanced anti-malware scanner on the compromised computer to perform the removal automatically.
Whatever the case may be, after removing the new Dharma virus, we suggest that you focus on backing up the files that have been encrypted, for when a decryptor is released. We also advise that you try some alternative methods to restore the files, like the ones mentioned in step “2. Restore Files Encrypted by Dharma” below. They have not yet been tested on Dharma, which is why we advise that you create copies of the encrypted files before attempting them.