.php Files Virus (Dharma Ransomware) - How to Remove It

.php Files Virus (Dharma Ransomware) – How to Remove It

1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)


In this article, you will find more information about .php files virus as well as a step-by-step guide on how to remove malicious files from an infected system and how to potentially recover .php files.

The ransomware which has been given the name .php files virus is reported to be a strain of one of the biggest ransomware families called Dharma. Its name is a derivative of the specific extension it uses for marking encrypted files. Once this threat manages to run its infection files on your computer it interferes with essential system settings which in turn seriously disrupts operating system’s security. As a result, the ransomware performs a data encryption stage without being detected by active security measures. At the end of the attack, .php cryptovirus creates a ransom note file to inform about its presence. The primary goal of its ransom message, however, is to force you into paying a ransom fee to cybercriminals. Since there is no guarantee that hackers will keep their promises, we recommend that you should avoid their instructions.

Threat Summary

Name.php Files Virus
TypeRansomware, Cryptovirus
Short DescriptionA version of the CrySyS/Dharma ransomware that is designed to encrypt valuable files stored on infected computers and then extort a ransom from victims.
SymptomsImportant files are encrypted and renamed with the extension .php
A ransom note appears on PC screen to present ransom payment instructions.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .php Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .php Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

.php Files Virus – Distribution and Impact

Typically, hackers attempt to infect users’ computers by tricking them into running the malicious code by their selves. A common spread technique known to be used for the delivery of malicious code is the malspam. Malspam is realized via massive spam email campaigns that could be targeting online users worldwide. Oftentimes, the emails that are part of malspam campaigns pose as representatives of legitimate websites, services, and even governmental institutions.

Another trait that signifies for a malicious email is the presence of an attachment file. This file could be stated to be a document, an archive, an image, a PDF or another well-known file format. The load of such a file on the device results in the activation of the malicious code it contains. Hence, it triggers the ransomware infection.

Another trait that may help for the detection of an email that is part of malspam campaign is a URL address be it presented in the form of an in-text link, button, coupon, banner, image or another clickable form. A load of this URL address in your browser could result in the unnoticed execution of ransomware payload on the background.

As of .php files virus, it has recently been spotted in the wild. According to security researchers’ analyses the threat belongs to the infamous ransomware family Dharma.

Once loaded on the computer, Dharma .php virus interferes with essential system settings in order to evade detection and complete all attack stages.

One system component that is likely to be affected by the ransomware is the Registry Editor. The registry keys Run and RunOnce are among the most targeted ones. This could be explained by the fact that these registry keys manage the automatic execution of certain files. So when affected by .php virus they will be automatically loading its malicious files too. Below are listed their directories:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

The primary goal of .php files virus is to find specific types of files stored on computer drives and then leave them out of order by encrypting their code. For the purpose it activates a built-in encryption module that is set to use a strong cipher algorithm every time it detects a target file. The encrypted files could be:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

Encrypted files could be recognized by the extension .php that appears appended to their names. By corrupting valuable files, Dharma .php aims to convince you to pay hackers a ransom fee.

So it drops a ransom message file on the infected PC and loads it on the screen. At this point, there is no information about the exact amount of the demanded ransom. However, it is likely that hackers will require it to be transferred in cryptocurrency like Bitcoin.

We advise you to avoid contacting hackers and paying them the ransom. There is no guarantee that they possess a working decrypter for your .php files.

Keep reading to find some data alternative methods that are secure and may be useful as well.

Remove .php Files Virus and Restore Data

The so-called .php files virus is a threat with highly complex code designed to corrupt both system settings and valuable data. So the only way to use your infected computer in a secure manner again is to remove .php virus with all its malicious files and objects from the computer system. For the purpose, you could use our removal guide that reveals how to clean and secure your system step by step. You will also be presented with several alternative data recovery approaches that may be helpful in attempting to restore .php files. We remind you to back up all encrypted files to an external drive before the recovery process.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for three years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share