.bgtx Files Virus (Dharma Ransomware) - Remove + Restore Data

This article was created with the main idea of explaining what the latest Dharma ransomware variant is, how you can remove it, and how you can try to restore .bgtx encrypted files.

Dharma ransomware does not sleep, and it has proven that again with a new dangerous variant that has been set loose. The new Dharma now appends the .bgtx file extension to the encrypted files and retains the naming format of the older .combo variant: Filename.id{ID-here}.[decrypt@fros.cc].bgtx. The new variant aims to encrypt the files on your computer, making them impossible to open, and then leaves behind a ransom note which aims to extort victims into paying a ransom to get their files back. If your computer has been infected by the .bgtx file variant of Dharma ransomware, we recommend that you read this article completely and learn how to remove this Dharma variant and how to try to restore the files it has encrypted on your PC.

Threat Summary

Name: Dharma .bgtx Ransomware
Type: Ransomware
Short description: New Dharma / CrySiS ransomware virus. Uses sophisticated encryption to extort victims into paying in Bitcoin for their encrypted files.
Symptoms: Encrypts documents, images, videos and other important files and adds the .bgtx file suffix plus a unique ID and the e-mail address to contact to pay the ransom.
Distribution method: Spam e-mails, e-mail attachments, executable files
Detection tool: See if your system has been affected by Dharma .bgtx Ransomware (download the Malware Removal Tool)
User experience: Join our forum to discuss Dharma .bgtx Ransomware.
Data recovery tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, only some of them, depending on the situation and on whether or not you have reformatted the drive.


.bgtx Dharma Virus - Infection Methods

Dharma ransomware is no ordinary virus, and it uses no ordinary infection methods. The main indicator of compromise detected dropping the malicious files of Dharma is reported on VirusTotal with the following specifications:

SHA-256: 7e623dca8a26a45440c331e383ac6ce3783d5c1bd60b91ee91ce0cc5841633e2
File size: 219.5 KB

The file may be spread via different methods, but the main suspect is replication via e-mail. This happens when the crooks carefully disguise an e-mail so that it carries a malicious attachment. Most attachments pretend to be .PDF or .docx files and pose as legitimate files of great importance, for example:

  • Order rejection details.
  • Invoice for a purchase.
  • Receipt for something you may have bought.
  • Important security document from your bank.
  • Document from your boss or a colleague.

These e-mails are carefully made so that they appear to come from big companies, such as FedEx, PayPal, LinkedIn or other large companies. Some of the e-mails pretend to come from a reputable person or from someone in your e-mail contact list. The messages always urge the recipient to open the attachment because it is “very important”:

In addition, the .bgtx Dharma virus has also been detected using a very complicated infection method, targeting Russian-speaking users and disguising messages as some form of accounting information. The contents of the e-mails appear as if the senders are sending some type of spreadsheet or important data. The files are always attached to the message or, if not, they are linked from an external Dropbox or other file-sharing account.

The crooks are also able to deliver archived files which contain files pretending to be documents. When opened, these may automatically initiate a connection with the payload download server or extract the Dharma payload directly on the victim's PC.

In addition, the .bgtx variant of Dharma ransomware may also be spread via different programs uploaded to low-reputation sites, such as software cracks, patches, license activators, loaders, portable versions of freeware apps and many other .exe files, so be careful and always check files before downloading them.


Dharma .bgtx Ransomware - Malicious Activity

Dharma ransomware viruses have been active for a significant time and have gained quite a name for themselves as one of the most widespread families. They derive from the CrySiS ransomware family; the first Dharma variant naturally carried the .dharma file suffix, which it appended to encrypted files, and that variant itself was decryptable. But the Dharma makers did not stop there and have since released many other variants of the malware, most of which are not decryptable. Some of these variants can be seen below:

And now we come to the current Dharma variant, which uses the .bgtx file extension that it adds to the encrypted files alongside a new e-mail address.

After an infection with the .bgtx Dharma variant occurs, not much has changed in the malicious actions the virus performs on your computer:

  • Creation of several mutexes.
  • Creating value strings with custom data in the Windows Registry.
  • Deleting backups and shadow copy files.
  • Scheduling tasks to run malicious files or its ransom note on startup.
  • Disabling restore points and system recovery.
  • Changing your wallpaper.
  • Modifying system files (touching).

Dharma .bgtx ransomware may also drop its malicious files under different, often random names in the commonly targeted Windows directories:


When Dharma ransomware has dropped its files, the malware also interferes with the Windows Registry by creating registry value entries in the Run and RunOnce sub-keys of the following locations:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

When the Dharma .bgtx variant creates value strings in those sub-keys, it stores the location of its encryption executable in them, so finding these values is a crucial step toward locating the malware's main file.

Dharma .bgtx ransomware may also execute a script with administrator privileges in the Windows Command Prompt. The script aims to delete the shadow volume copies in Windows and disable backups and recovery. It may consist of the following commands:

→ sc stop VSS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd /C bcdedit /set {default} recoveryenabled No
cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
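The command sequence above is a strong detection opportunity: each line is a distinct, loggable behaviour (stopping protective services, disabling recovery, deleting shadow copies), and the combination is rarely produced by legitimate administration. The script below is an added example written for this article, not code from SensorsTechForum or from the malware; it runs a small rule set over constructed process-creation log lines (format `timestamp|host|user|command line`, an assumption for the sample) and returns a verdict that escalates only when shadow-copy deletion is paired with recovery tampering or a burst of stopped services.

```python
"""Detect the backup-destroying command sequence described above in
process-creation style logs (added example; sample log is constructed)."""
import re

# One rule per behaviour in the quoted script. Regexes tolerate an .exe suffix,
# quoting around the binary and arbitrary text between binary and arguments.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("recovery_env_disabled",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("boot_failures_ignored",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("protective_service_stopped",
     re.compile(r'\bsc(?:\.exe)?"?\s+stop\s+(?:VSS|wscsvc|WinDefend|wuauserv|BITS|ERSvc|WerSvc)\b', re.I)),
]

# Constructed sample log (not real telemetry): timestamp|host|user|command line.
# The first two lines are benign admin activity and must not be flagged.
SAMPLE_LOG = """\
2024-03-02T09:14:01Z|WS07|alice|"C:\\Windows\\System32\\sc.exe" stop Spooler
2024-03-02T09:14:05Z|WS07|alice|vssadmin list shadows
2024-03-02T09:16:10Z|WS07|alice|sc stop VSS
2024-03-02T09:16:10Z|WS07|alice|sc stop wscsvc
2024-03-02T09:16:11Z|WS07|alice|sc stop WinDefend
2024-03-02T09:16:12Z|WS07|alice|cmd /C bcdedit /set {default} recoveryenabled No
2024-03-02T09:16:12Z|WS07|alice|cmd /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
2024-03-02T09:16:13Z|WS07|alice|"C:\\Windows\\System32\\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
"""


def classify_command(cmdline: str) -> list:
    """Return the names of every rule the command line triggers (empty if benign)."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def parse_line(line: str) -> dict:
    """Split one constructed log line into its four fields."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": ts, "host": host, "user": user, "cmd": cmd}


def scan_log(text: str) -> list:
    """Keep only the events that trigger at least one rule, with tags attached."""
    hits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        event = parse_line(raw)
        tags = classify_command(event["cmd"])
        if tags:
            event["tags"] = tags
            hits.append(event)
    return hits


def assess(hits: list) -> dict:
    """Turn individual hits into a verdict. Stopping a single service is routine
    admin work; shadow-copy deletion combined with recovery tampering or with
    several stopped protective services is the pattern the article describes."""
    tags = {t for h in hits for t in h["tags"]}
    stopped = sum("protective_service_stopped" in h["tags"] for h in hits)
    if "shadow_copy_deletion" in tags and (len(tags) >= 2 or stopped >= 2):
        verdict = "ransomware_preparation"
    elif tags:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "distinct_tags": sorted(tags), "services_stopped": stopped}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["user"], h["tags"], h["cmd"])
    print(assess(found))
```

The rules key on arguments rather than on the binary alone, so `vssadmin list shadows` and `sc stop Spooler` stay quiet while the quoted sequence is escalated. In a real deployment the same logic would run per host and user over a short time window.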


Dharma .bgtx Ransomware Virus - Encryption

When Dharma ransomware encrypts files, the virus may employ the Advanced Encryption Standard, also known as AES. The cipher uses an asymmetric key generation which produces a key that is then masked and cannot be read by the victim. The algorithm is very tough to decrypt, as it is classified as a Suite B cipher, used by government agencies to encrypt sensitive files. The cipher could, however, be decrypted if there is a bug in the code of Dharma .bgtx that allows it to be done.

The encryption process of Dharma .bgtx ransomware begins with a scan for the specific file types the virus will encrypt. These include commonly used files, such as files with the following extensions:

“.PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV .CAD .DWG .DXF .GIS .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF
Encoded files: .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
Audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
Video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
3D: .3DM .3DS .MAX .OBJ
.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

Dharma ransomware may skip encrypting files in the folders listed below, as they are Windows system folders and the victim still needs a working computer to pay the ransom:

  • %Local%
  • %temp%
  • %Windows%
  • %System%
  • %Program Files%
  • %System32%

The encryption process itself consists of a chain of actions. To sum them up, Dharma creates a copy of your original file, encrypts the copy and appends the .bgtx file extension plus a unique ID and the e-mail address of the crooks (decrypt@fros.cc). Dharma then deletes the original file, leaving only the encrypted file, which looks like the image below shows:
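The renaming scheme described here and at the top of the article (original name, then `.id{ID}`, then the contact e-mail in square brackets, then `.bgtx`) is what a responder sees first on a compromised host. The script below is an added example written for this article, not code from SensorsTechForum or from the malware: it walks a directory tree, picks out files renamed in that pattern, and summarises the victim IDs, contact e-mails and original file types affected. It assumes the victim ID is a hexadecimal token that may appear as `.id-XXXX` or `.id{XXXX}` (an assumption covering both renderings of the format), and the sample tree it builds is constructed, not real victim data.

```python
"""Triage helper: find files renamed in the Dharma .bgtx pattern and summarise
them (added example; the sample directory tree is constructed)."""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Pattern quoted in the article: Filename.id{ID-here}.[decrypt@fros.cc].bgtx
# Assumption: the ID is hexadecimal and may be written as ".id-XXXX" or ".id{XXXX}".
DHARMA_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id[-{]?(?P<victim_id>[0-9A-Fa-f]+)}?\.\[(?P<email>[^\]]+)\]\.bgtx$",
    re.IGNORECASE,
)


def parse_encrypted_name(name: str):
    """Return the original name, victim ID and contact e-mail, or None if no match."""
    m = DHARMA_NAME_RE.match(name)
    if not m:
        return None
    return {
        "original": m.group("original"),
        "victim_id": m.group("victim_id").upper(),
        "email": m.group("email").lower(),
    }


def original_extension(original: str) -> str:
    """Extension of the file before it was renamed, upper-cased (e.g. '.DOCX')."""
    return Path(original).suffix.upper()


def scan_tree(root) -> list:
    """Walk a directory tree and collect every file whose name matches the pattern."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            parsed = parse_encrypted_name(path.name)
            if parsed:
                parsed["path"] = str(path)
                hits.append(parsed)
    return hits


def summarize(hits: list) -> dict:
    """Aggregate what a responder wants first: how many files, which IDs and
    e-mails appear (one ID per victim machine), and which file types were hit."""
    return {
        "count": len(hits),
        "victim_ids": sorted({h["victim_id"] for h in hits}),
        "emails": sorted({h["email"] for h in hits}),
        "extensions": dict(Counter(original_extension(h["original"]) for h in hits)),
    }


def build_sample_tree(root) -> None:
    """Create a constructed sample tree (not real victim data) for a dry run."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    for name in (
        "report.docx.id-A1B2C3D4.[decrypt@fros.cc].bgtx",
        "docs/budget.xlsx.id-A1B2C3D4.[decrypt@fros.cc].bgtx",
        "docs/photo.jpg.id{A1B2C3D4}.[decrypt@fros.cc].bgtx",
        "docs/untouched.txt",        # not renamed: must not be reported
        "docs/README-note.txt",      # ordinary name: must not be reported
    ):
        (root / name).write_bytes(b"constructed sample content")


def demo() -> dict:
    """Build the constructed tree in a temporary directory and summarise it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(scan_tree(tmp))


if __name__ == "__main__":
    print(demo())
```

Run it against a mounted image or a network share instead of the temporary directory to get the same summary for a real incident; the per-extension counts also tell you quickly whether the encryption run matched the extension list above or was cut short.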


How to Remove Dharma and Restore .bgtx Encrypted Files

Removing Dharma ransomware does require some technical expertise. That is why, before attempting the removal yourself, we advise you to back up your files, even if they are encoded.

For the removal, you can follow the instructions we have prepared below and use them together with the data in this article to remove Dharma manually. If manual removal does not seem to help, or you feel unsure that you have removed Dharma from your PC, the best method according to researchers is to remove the virus files using an advanced anti-malware program. Such a tool will scan for and automatically remove all Dharma .bgtx-related files and objects and erase them permanently. It also has protection mechanisms that actively protect your PC against future intrusive programs or viruses.

If you want to decrypt files encrypted by Dharma, we strongly recommend that you follow the instructions in step “2. Try to restore files..” below. There is no guarantee it will restore all of the files encrypted by this Dharma variant, but it may help you recover at least some of them.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software developments and newest technology at SensorsTechForum for 3 years. He started out as a network administrator. Having graduated in marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in the basic education of every user toward online safety.
