.Bear Files Virus (Dharma) - How to Remove It

.Bear Files Virus (Dharma) – How to Remove It

remove .Bear files virus dharma ransomware restore files sensorstechforum

This article explains what issues occur in case of infection with .Bear files virus and provides a detailed guide on how to remove malicious files and how to potentially recover files encrypted by this ransomware.

A ransomware dubbed .Bear files virus has been spotted in the wild. As identified by security researchers it is a strain of the infamous Dharma crypto virus. When its payload file is started on a target system it triggers a series of malicious modifications in order to reach the main infection stage – data encryption. During encryption process the ransomware utilizes sophisticated cipher algorithm to encode valuable files stored on the compromised device. Following encryption you could not access the information stored by corrupted files. How you could recognize these files is by the specific string of extensions appended to their original names. This string ends with the extension .Bear. In addition, a ransom message contained in the file FILES ENCRYPTED.txt pop-ups on the screen in an attempt to force you to contact hackers for further details.

Threat Summary

Name.Bear Files Virus
TypeRansomware, Cryptovirus
Short DescriptionA variant of Dharma ransomware that encrypts valuable data and restricts the access to it.
SymptomsImportant files are corrupted and renamed with a sequence of extensions that ends with the extension .Bear. Ransom message urges you to contact hackers for files restoration instructions.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by .Bear Files Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss .Bear Files Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Scarab-Walker Ransomware – Overview

An infection with .Bear files virus is triggered when its payload is started on the system. Its code is designed to access various system components and plague some of their settings. As a result the ransomware becomes able to evade active security measures and complete the attack to its very end. One of its purposes is likely to be persistent presence on the system. For its completion .Bear virus may add malicious valued under specific registry sub-keys stored in the Registry Editor.

Registry sub-keys affected by this strain of Dharma ransomware are likely to be Run and RunOnce. This could be explained by the fact that they manage the automatic execution of all files and objects that are essential for the proper system load. Eventually, when there are ransomware values under these keys, its infection files are executed each time you start your system. So it is highly advisable to check the following registry paths for malicious entries and clean them in order to be able to use safely your system again:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

At the end of the attack when .Bear crypto virus is ready with all system modifications it drops a TXT file called FILES ENCRYPTED.txt and opens it on the screen. This file contains a ransom message that urges you to contact hackers at Grizzly@airmail.cc in order that you could receive instructions on how to act further. Here is the whole message:

all your data has been locked us
You want to return?
Write email Grizzly@airmail.cc or Grizzlymail@qq.com

Below you could also see an additional message that is associated with the same ransomware infection:

Grizzly@airmail.cc .Bear files virus ransom message sensorstechforum

At this point, there is no information about the amount of the demanded ransom but the guesses are that it should be transferred in Bitcoin. Beware that even ransom payment does not guarantee files restoration. Only a single bug in the code of the threat may lead to the generation of broken decryption key. So we recommend you to attempt to restore .Bear files with the help of alternative recovery methods.

Remove .Bear Files Virus and Restore Data

The so-called .Bear files virus is a threat with highly complex code that plagues not only your files but your whole system. So you need to clean and secure your infected system properly before you could use it regularly again. Below you could find a step-by-step removal guide that may be helpful in attempting to remove this .Bear Dharma ransomware. Choose the manual removal approach if you have previous experience with malware files. If you don’t feel comfortable with the manual steps select the automatic section from the guide. Automatic steps enable you to check the infected system for ransomware files and remove them with a few mouse clicks.

In order to keep your system safe from ransomware and other types of malware in future, you should install and maintain a reliable anti-malware program. Additional security layer that could prevent the occurrence of ransomware attacks is

anti-ransomware tool.

Make sure to read carefully all details mentioned in the step “Restore files” if you want to understand how to fix encrypted files without paying the ransom. Beware that before data recovery process you should back up all encrypted files to an external drive as this will prevent their irreversible loss.

Gergana Ivanova

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.

More Posts

Follow Me:
Google Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share