.bkpx Files Virus (Dharma) – Remove It


This blog post explains what the .bkpx variant of Dharma ransomware is, how you can fully remove it from your computer, and how to try to recover files that have the .bkpx file extension.

Yet another Dharma ransomware variant has been detected in the wild, this time using the .bkpx file extension. The ransomware aims to convince users to pay a hefty ransom in Bitcoin in order to be able to use their files again. In addition to this, the ransomware also drops a text file called FILES ENCRYPTED.txt. If you want to remove the .bkpx variant of Dharma ransomware and see methods which could help recover some of your files, we recommend that you read this article thoroughly.

Threat Summary

Name: .bkpx Dharma Virus
Type: Ransomware, Cryptovirus
Short Description: Aims to encrypt your files and extort you into paying ransom to retrieve them.
Symptoms: A ransom note, called FILES ENCRYPTED.txt, is dropped onto the user PC. Files have the .bkpx file extension.
Distribution Method: Spam Emails, Email Attachments, Executable files
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Dharma .bkpx Ransomware – Distribution

To infect a computer, the Dharma .bkpx ransomware may use a Trojan.Dropper infection file which may appear as a legitimate file of some sort. Such files are often sent to users via e-mail.

The e-mails may carry the file as a seemingly legitimate attachment, whose main goal is to convince the victim that it must be opened at any cost. Such files often pose as:

  • Invoices.
  • Receipts.
  • Order documents.
  • Banking documents.

These are not the only methods used to infect computers with viruses like the .bkpx Dharma ransomware. The malware may also have its files uploaded to compromised WordPress sites or other suspicious sites, where they may pose as a file you are looking to download. Such files could be:

  • Setups of programs.
  • Portable programs.
  • Cracks.
  • Patches.
  • Key Generators.
  • License Activators.

Dharma Ransomware – Main Activity

As soon as Dharma ransomware has infected a computer, it may immediately drop its payload. The payload may consist of more than one file, and the malicious files may be located in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

The Dharma ransomware also drops its FILES ENCRYPTED.txt ransom note file.

Contents of the FILES ENCRYPTED.txt ransom note:

all your data has been locked
You want to return?
write e-mail Admin@decryption.biz or bigbro1@cock.li

Furthermore, the malware may also drop its main ransom note file, which closely resembles the one used by other variants of Dharma ransomware, with the main difference being the e-mails that are used.

In addition to this, Dharma ransomware’s .bkpx variant may also modify the Run and RunOnce Windows registry sub-keys by adding value strings whose data will run the malicious files of the virus automatically. The sub-keys have the following locations:

→ HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Dharma ransomware is also the type of virus that tries to leave no way for your files to be recovered. The malware may delete the shadow volume copies on the computers it compromises. To do this, it may execute the following commands as an administrator in Windows Command Prompt:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
"C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
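
As a detection aid, the commands above can be matched in process-creation telemetry (for example the CommandLine field of Sysmon Event ID 1 or Security Event 4688). The Python below is an added example, not part of the original article; the host names and events are constructed, and the rule names and the two-rule threshold are assumptions.

```python
import re
from collections import defaultdict

SERVICES = "VVS|wscsvc|WinDefend|wuauserv|BITS|ERSvc|WerSvc"  # as listed in the article
EXE = r'(?:\.exe)?"?\s+'  # optional .exe suffix and closing quote, then whitespace
RULES = {
    "shadow_copies_deleted": re.compile(
        r"\bvssadmin" + EXE + r"delete\s+shadows\b", re.I),
    "recovery_disabled": re.compile(
        r"\bbcdedit" + EXE + r"/set\s+\S+\s+recoveryenabled\s+no\b", re.I),
    "boot_failures_ignored": re.compile(
        r"\bbcdedit" + EXE + r"/set\s+\S+\s+bootstatuspolicy\s+ignoreallfailures\b", re.I),
    "service_stopped": re.compile(
        r"\bsc" + EXE + r"stop\s+(?:" + SERVICES + r")\b", re.I),
}

def classify(cmdline):
    """Return the sorted names of every rule the command line matches."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))

def triage(events, min_rules=2):
    """Group (host, cmdline) events by host; keep hosts hitting >= min_rules rules."""
    hits = defaultdict(set)
    for host, cmdline in events:
        hits[host].update(classify(cmdline))
    return {h: sorted(r) for h, r in hits.items() if len(r) >= min_rules}

# Constructed sample events (host, CommandLine), not taken from a real incident.
SAMPLE_EVENTS = [
    ("WS-01", "sc stop WinDefend"),
    ("WS-01", "cmd.exe /C bcdedit /set {default} recoveryenabled No"),
    ("WS-01", '"C:\\Windows\\System32\\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet'),
    ("WS-02", "sc stop BITS"),           # single service stop: below the threshold
    ("WS-03", "vssadmin list shadows"),  # read-only query: no rule matches
    ("WS-03", "sc query WinDefend"),
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, rules)
```

A single service stop is common administrative activity, which is why the example flags a host only when several of the behaviours occur together; lower `min_rules` to 1 to alert on any single match.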

.bkpx Files Virus – Encryption Process

Dharma ransomware may encrypt the files on the compromised computers by looking for them based on their file extensions. The .bkpx virus is careful not to encrypt files located in the system folders of Windows, like System, System32 and other folders. The main files targeted by this ransomware virus are reported to be the following:

  • Videos.
  • Image files.
  • Archives.
  • Audio files.
  • Documents.

After the encryption, the files can no longer be opened, and the victim’s unique ID, the cyber-criminals’ contact e-mail and the extension .bkpx are appended to their names.
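
To scope the damage before removal, the renaming scheme described above can be used to inventory affected files and ransom notes. This Python is an added example, not from the original article; it assumes names of the form `<original>.id-<ID>.[<e-mail>].bkpx` (the page does not give the exact delimiters), and the sample ID and e-mail are constructed placeholders.

```python
import os
import re
import tempfile
from collections import Counter

# ASSUMPTION: names look like <original>.id-<ID>.[<e-mail>].bkpx. The page says
# only that ID, e-mail and .bkpx are appended; the delimiters are assumed.
ENCRYPTED_RX = re.compile(r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Za-z]+)"
                          r"\.\[(?P<email>[^\]]+)\]\.bkpx$", re.I)
NOTE_NAME = "files encrypted.txt"  # ransom note name, compared in lower case

def parse_name(filename):
    """Return original name, victim ID and e-mail, or None if the layout differs."""
    m = ENCRYPTED_RX.match(filename)
    return m.groupdict() if m else None

def survey(root):
    """Walk root read-only and summarise encrypted files and ransom notes."""
    rep = {"encrypted": 0, "unparsed": [], "notes": [],
           "ids": Counter(), "emails": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                rep["notes"].append(path)
            elif name.lower().endswith(".bkpx"):
                rep["encrypted"] += 1
                info = parse_name(name)
                if info is None:  # right extension, unexpected layout
                    rep["unparsed"].append(path)
                else:
                    rep["ids"][info["victim_id"]] += 1
                    rep["emails"][info["email"].lower()] += 1
    return rep

# Constructed sample names (placeholder ID and e-mail), created as empty files.
SAMPLE_NAMES = [
    "report.docx.id-1A2B3C4D.[contact@example.invalid].bkpx",
    "photo.jpg.id-1A2B3C4D.[contact@example.invalid].bkpx",
    "odd.bkpx", "FILES ENCRYPTED.txt", "untouched.txt",
]

def demo():  # build the constructed tree in a temp directory, then survey it
    with tempfile.TemporaryDirectory() as root:
        for name in SAMPLE_NAMES:
            open(os.path.join(root, name), "w").close()
        return survey(root)

if __name__ == "__main__":
    print(demo())
```

More than one victim ID in the `ids` counter on a shared drive suggests that several infected machines wrote to it, and the `original` field from `parse_name` gives the file name to look for in backups.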


Remove Dharma Ransomware and Restore .bkpx Files

Before beginning the removal process of this variant of Dharma ransomware, we recommend that you back up all your files, just in case.

For the removal process of this virus variant of Dharma, we recommend that you follow the removal manual below. If the manual removal instructions do not seem to help in removing all of the Dharma virus files, experts strongly advise using an advanced anti-malware scanner. Such a tool aims to fully detect and remove all objects associated with Dharma ransomware and will also ensure that your PC remains protected in the future too.

Furthermore, if you want to try to recover files encrypted by this virus variant of Dharma, we recommend that you check out the “Try to restore” file recovery step underneath. It contains alternative methods via which you can attempt to restore at least some of your files, even though they may not be 100% effective.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
