.betta Dharma Ransomware – How to Remove It

This article explains how to remove the .betta variant of Dharma ransomware from your computer and how you can try to restore the .betta encrypted files.

Here we cover yet another variant of the Dharma ransomware, a malware strain whose goal is to get victims to pay a hefty ransom in return for their personal files. After infecting a computer, the ransomware encrypts the user's files and then uses that encryption as leverage for extortion. Encrypted files carry the .betta extension in the following format: filename.id-93H2310.[backtonormal@foxmail.com].betta, that is, the original name followed by a victim ID, the attackers' contact e-mail in square brackets and the .betta suffix. After encryption finishes, Dharma also drops a ransom note file notifying the victim of what has happened to their files. If your computer has been infected by this variant of Dharma ransomware, read on: this article explains how to remove it and how you can try to restore the files it encrypted.

Threat Summary

Name: .betta Dharma Virus
Type: File Encryption Ransomware
Short Description: A new iteration of the Dharma/CrySiS ransomware family. Encrypts the data on infected machines and demands a ransom payment in Bitcoin for the decryption of the files.
Symptoms: Encrypts documents, images, videos and other important files and appends the .betta suffix together with a unique ID and the e-mail address used for ransom negotiation.
Distribution Method: Spam e-mails, e-mail attachments, executable files


.betta Dharma Ransomware – Information Database:

.betta Dharma Virus – How Does It Infect

Several distribution methods have been observed for Dharma ransomware. One of them is spam e-mail. Such e-mails may carry attachments posing as various legitimate types of files:

  • Invoices.
  • Receipts.
  • Banking documents.
  • Password change notifications.
  • Other important files.

These e-mails can be crafted quite convincingly, for example by imitating messages from legitimate organizations, such as:

  • eBay.
  • PayPal.
  • Dropbox.
  • Banks and companies.

The primary malicious file detected in association with this Dharma variant (VirusTotal behavior report: https://www.virustotal.com/#/file/1b1fdf8bc5d2d39ac6e90aba18b44f6cc4fe26c93bcf09ce1d98793b1c1f132f/behavior) has the following indicators of compromise:

→ SHA-256: 1b1fdf8bc5d2d39ac6e90aba18b44f6cc4fe26c93bcf09ce1d98793b1c1f132f
Size: 624 KB

Besides e-mail, the infection may also spread through malicious web links and redirects hosted on suspicious sites, often delivered via JavaScript. This is typical of compromised sites that trigger chains of redirections, or of adware already present on the computer.

When spread as a downloadable file, the Dharma infection module may pose as a game patch, software activator, crack, key generator, portable program or some other seemingly useful program.
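As an added example (not code from the article or from SensorsTechForum), the following Python script sweeps the usual payload drop directories for any file whose SHA-256 matches the indicator above. It assumes the article's %Local% and %Roaming% correspond to the LOCALAPPDATA and APPDATA environment variables; the self_check function runs the same logic against a constructed file, not the real sample, so it can be exercised offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 of the .betta Dharma sample referenced in the article's VirusTotal link.
KNOWN_BAD_SHA256 = {
    "1b1fdf8bc5d2d39ac6e90aba18b44f6cc4fe26c93bcf09ce1d98793b1c1f132f",
}

# Drop locations named in the article, expressed as environment variables that are
# resolved at run time. Assumption: the article's %Local% and %Roaming% correspond
# to LOCALAPPDATA and APPDATA; LocalLow has no variable and is derived from APPDATA.
DROP_DIR_ENV_VARS = ("APPDATA", "LOCALAPPDATA", "TEMP")


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large files do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hunt(directories, known_bad=KNOWN_BAD_SHA256, max_size=50 << 20):
    """Walk the given directories and return [(path, sha256)] for files whose
    hash is in known_bad. Files larger than max_size are skipped: the sample is
    624 KB, and hashing multi-gigabyte files would only slow the sweep down."""
    hits = []
    for directory in directories:
        for root, _subdirs, files in os.walk(directory):
            for name in files:
                path = Path(root) / name
                try:
                    if path.stat().st_size > max_size:
                        continue
                    digest = sha256_of_file(path)
                except OSError:  # locked, unreadable or vanished file
                    continue
                if digest in known_bad:
                    hits.append((str(path), digest))
    return hits


def drop_dirs_from_env():
    """Resolve the drop directories that exist in this environment."""
    dirs = [os.environ[var] for var in DROP_DIR_ENV_VARS if var in os.environ]
    if "APPDATA" in os.environ:  # AppData\LocalLow sits beside AppData\Roaming
        dirs.append(str(Path(os.environ["APPDATA"]).parent / "LocalLow"))
    return [d for d in dirs if os.path.isdir(d)]


def self_check():
    """Offline demonstration on a constructed file (not real malware).
    Returns (hits, expected_path, expected_hash)."""
    workdir = tempfile.mkdtemp(prefix="betta-hunt-")
    sample = Path(workdir) / "996E.exe"  # name modelled on the IFEO entry in the article
    body = b"constructed sample body, not real malware"
    sample.write_bytes(body)
    expected = hashlib.sha256(body).hexdigest()
    hits = hunt([workdir], known_bad={expected})
    return hits, str(sample), expected


if __name__ == "__main__":
    for path, digest in hunt(drop_dirs_from_env()):
        print(f"IOC match: {path} {digest}")
```

A hash match is a strong but narrow indicator: a rebuilt or repacked sample will not match, so a clean sweep here does not prove the machine is uninfected, while a hit does warrant isolating the host.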


Dharma .betta Virus – Activity

Once installed on the victim's computer, the .betta variant of Dharma behaves very much like the other Dharma variants belonging to the .cezar family. We have been covering Dharma ransomware for quite some time now, and new iterations of the virus have been released almost every week.

After an infection with the .betta variant takes place, the malware may drop its payload in the following Windows directories (the Roaming, Local and LocalLow folders under the user's AppData directory, plus the Temp directory):

  • %AppData%
  • %Local%
  • %Roaming%
  • %LocalLow%
  • %Temp%

The files that are dropped may have different file names and these names are often random ones.

Once the main payload has been dropped, the malware begins its activity. The behavior report shows it loading the following Windows system libraries. These are ordinary networking, input-method, shell and common-controls DLLs that almost any Windows GUI program loads, and loading them does not by itself grant administrator rights. The WinSxS path (comctl32 version 6.0.2600.5512) also shows the sample was analyzed on a Windows XP SP3 system, so the paths on current Windows versions will differ:

→ C:\WINDOWS\system32\winime32.dll
C:\WINDOWS\system32\ws2_32.dll
C:\WINDOWS\system32\ws2help.dll
C:\WINDOWS\system32\psapi.dll
C:\WINDOWS\system32\imm32.dll
C:\WINDOWS\system32\lpk.dll
C:\WINDOWS\system32\usp10.dll
C:\WINDOWS\system32\comctl32.dll
C:\WINDOWS\system32\shell32.dll
C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.5512_x-ww_35d4ce83\comctl32.dll
C:\WINDOWS\WindowsShell.Manifest
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\MSCTFIME.IME

Once this is done, the .betta Dharma ransomware also opens the following Windows Registry sub-keys. Most of them are not evidence of tampering: the Image File Execution Options keys and the Safer\CodeIdentifiers (Software Restriction Policies) keys are queried by the Windows loader for every process that starts, and the SID ending in -500 is simply the sandbox's built-in Administrator account. A write to SafeBoot\Option or to an IFEO "Debugger" value would be the finding worth acting on; a read of these keys is routine:

→ \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled
\REGISTRY\USER\S-1-5-21-1482476501-1645522239-1417001333-500\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\version.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll
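Added example, not from the article: a small triage function over sandbox-style registry events that separates the loader's routine IFEO and Software Restriction Policy lookups from writes that would actually indicate tampering. The event list is constructed to mirror the keys above; the two SetValue entries and the taskmgr.exe target are hypothetical and exist only to show what a real finding looks like.

```python
import re

# Constructed, sandbox-style registry events modelled on the keys listed in the
# article: (operation, key path, value name). The two "SetValue" entries at the
# end are hypothetical and added only to show what genuine tampering looks like.
EVENTS = [
    ("QueryValue", r"\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe", "Debugger"),
    ("QueryValue", r"\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll", "Debugger"),
    ("QueryValue", r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers", "TransparentEnabled"),
    ("OpenKey", r"\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option", None),
    ("SetValue", r"\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe", "Debugger"),
    ("SetValue", r"\Registry\MACHINE\System\CurrentControlSet\Control\SafeBoot\Option", "OptionValue"),
]

WRITE_OPS = {"SetValue", "CreateKey", "DeleteKey", "DeleteValue"}
IFEO_RE = re.compile(r"\\Image File Execution Options\\([^\\]+)$", re.IGNORECASE)
SAFEBOOT_RE = re.compile(r"\\Control\\SafeBoot\\", re.IGNORECASE)
SAFER_RE = re.compile(r"\\Policies\\Microsoft\\Windows\\Safer\\", re.IGNORECASE)


def classify(event):
    """Return (verdict, reason) for one registry event."""
    op, key, value = event
    is_write = op in WRITE_OPS
    ifeo = IFEO_RE.search(key)
    if ifeo:
        # The loader reads IFEO for every image it maps; only a written
        # Debugger value redirects a program's launch to something else.
        if is_write and (value or "").lower() == "debugger":
            return "suspicious", f"IFEO Debugger set for {ifeo.group(1)} (hijacks that program's launch)"
        return "loader-noise", "IFEO lookup performed by the loader for every image"
    if SAFEBOOT_RE.search(key):
        if is_write:
            return "suspicious", "Safe Mode configuration modified"
        return "review", "Safe Mode configuration read (common in ransomware, but read-only)"
    if SAFER_RE.search(key):
        if is_write:
            return "suspicious", "Software Restriction Policy modified"
        return "loader-noise", "Software Restriction Policy check made at process start"
    return "unknown", "no rule matched"


def triage(events):
    """Annotate every event with its verdict and reason."""
    return [(op, key, value) + classify((op, key, value)) for op, key, value in events]


def suspicious(events):
    """Only the events an analyst should act on."""
    return [row for row in triage(events) if row[3] == "suspicious"]


if __name__ == "__main__":
    for op, key, value, verdict, reason in triage(EVENTS):
        print(f"{verdict:12} {op:10} {key} [{value}] - {reason}")
```

Run against the article's own list, every entry lands in loader-noise or review; the only rows that reach suspicious are the two hypothetical writes, which is the point: the operation matters more than the key name.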

Dharma ransomware does not stop there. The behavior report also shows it opening the ShimCacheMutex and creating the following mutexes. Note that the CTF.* mutexes are created by the Windows Text Services Framework (MSCTF.dll) in any process that loads it, and they embed the SID of the sandbox user, so they identify the analysis session rather than the ransomware and should not be used as detection indicators on their own:

→CTF.LBES.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Compart.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Asm.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.Layouts.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TMD.MutexDefaultS-1-5-21-1482476501-1645522239-1417001333-500
CTF.TimListCache.FMPDefaultS-1-5-21-1482476501-1645522239-1417001333-500MUTEX.DefaultS-1-5-21-1482476501-1645522239-1417001333-500

When done, the Dharma ransomware also loads the following runtime modules:

→ imm32.dll
comctl32.dll
C:\WINDOWS\system32\MSCTF.dll
C:\WINDOWS\system32\msctfime.ime
C:\WINDOWS\system32\ole32.dll

Among the files dropped by the .betta variant is the malware's ransom note, which tells the victim that their files have been encrypted and how to contact the attackers to pay the ransom.


Dharma .betta Ransomware – Encryption

Just like other Dharma variants, this version of the virus skips files in important Windows directories, which keeps the system bootable so the victim can still read the ransom note:

  • %System%
  • %Local%
  • %Temp%
  • %Windows%
  • %System32%
  • %Program Files%

To encrypt files, the .betta variant of Dharma first scans the drives for the files it targets, selecting them by file extension. The list below groups the extensions from the article by file type:

  • Raster images: .PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .BMP .DDS .GIF .JPG
  • Vector images and page layout: .AI .EPS .PS .SVG .INDD .PCT .PDF
  • Spreadsheets: .XLR .XLS .XLSX
  • Databases: .ACCDB .DB .DBF .MDB .PDB .SQL
  • Executables: .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF
  • Game files: .DEM .GAM .NES .ROM .SAV
  • CAD files: .DWG .DXF
  • GIS files: .GPX .KML .KMZ
  • Web files: .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML
  • Text and office documents: .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .PPS .PPT .PPTX
  • Data files: .CSV .DAT .GED .KEY .KEYCHAIN .INI .PRF .SDF .TAR .TAX2014 .TAX2015 .VCF .XML
  • Encoded files: .HQX .MIM .UUE
  • Archives: .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX
  • Disk images: .BIN .CUE .DMG .ISO .MDF .TOAST .VCD
  • Audio files: .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA
  • Video files: .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV
  • 3D files: .3DM .3DS .MAX .OBJ
  • Plugins and fonts: .CRX .PLUGIN .FNT .FON .OTF .TTF
  • System files: .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG

Once Dharma has found the files it wants to encrypt, it encrypts them with the Advanced Encryption Standard (AES). AES is a symmetric cipher, not an asymmetric one: the same key encrypts and decrypts. What prevents the victim from decrypting the files without paying is that, as in the other Dharma/CrySiS variants, the AES key is itself encrypted with a public (asymmetric) key whose private half only the attackers hold, so the key material left on the disk is useless to the victim. After encryption, the files carry the new name format described at the top of this article and can no longer be opened.
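Added example, not code from the article: a parser for the .betta naming scheme (original name, victim ID, contact e-mail) that can be run over a file listing to count the affected files and group them by victim ID. Grouping by ID is the first thing to establish during response, because files from different infected machines are encrypted under different keys and must be handled separately. The file listing is constructed; only the ID and e-mail come from the article.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Encrypted-name layout from the article:
#   <original name>.id-<victim ID>.[<contact e-mail>].betta
BETTA_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Za-z]+)\.\[(?P<email>[^\]]+)\]\.(?P<ext>betta)$"
)


def parse_encrypted_name(name):
    """Return the parts of a .betta file name as a dict, or None if it does not match."""
    match = BETTA_NAME_RE.match(name)
    if not match:
        return None
    return match.groupdict()


def is_encrypted(name):
    return parse_encrypted_name(name) is not None


def scan(paths):
    """Summarize a file listing: how many files are encrypted, grouped by
    (victim ID, contact e-mail), plus the original names so a recovery plan
    knows what was lost. Paths are Windows-style strings; PureWindowsPath lets
    the same code run on a Linux analysis box."""
    by_victim = Counter()
    originals = []
    for path in paths:
        info = parse_encrypted_name(PureWindowsPath(path).name)
        if info:
            by_victim[(info["victim_id"], info["email"])] += 1
            originals.append(info["original"])
    return {
        "encrypted": sum(by_victim.values()),
        "by_victim": dict(by_victim),
        "originals": originals,
    }


# Constructed listing for the demonstration: the ID and e-mail are the ones the
# article quotes; the user name and file names are made up.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\report.docx.id-93H2310.[backtonormal@foxmail.com].betta",
    r"C:\Users\alice\Pictures\holiday.jpg.id-93H2310.[backtonormal@foxmail.com].betta",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    summary = scan(SAMPLE_LISTING)
    print(f"{summary['encrypted']} encrypted files")
    for (victim_id, email), count in summary["by_victim"].items():
        print(f"  id {victim_id}, contact {email}: {count} files")
```

The regex is anchored at both ends and requires the full id/[e-mail]/.betta tail, so a file that merely ends in ".betta" without the Dharma structure is not counted; the original extension is preserved in the "original" field, which is what the recovery step needs when renaming restored copies.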


Remove Dharma Ransomware and Restore .betta Encrypted Files

Before starting the removal of Dharma ransomware, be prepared for anything and always back up your files, including the encrypted ones.

To remove this variant of Dharma ransomware, we recommend following the removal instructions underneath this article. They are divided into manual and automatic removal methods so that you can try the removal yourself. If you do not feel confident that you can remove this variant of Dharma in full, or if you lack malware removal experience, the approach security researchers consider most suitable is to use an advanced anti-malware program for automatic removal.

If you want to try and restore files encrypted by Dharma ransomware, read the alternative file recovery methods in step "4. Try to Restore files encrypted by .betta Dharma Virus" underneath. They are not guaranteed to recover every file, but with their aid you may be able to recover some or most of your files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.


1 Comment

  1. alfredo ramirez

    How do I recover the files?
