Remove Dharma Ransomware and Restore .dharma Encrypted Files - How to, Technology and PC Security Forum |

Remove Dharma Ransomware and Restore .dharma Encrypted Files

dharma-ransomware-main-dharma-parody-sensorstechforum-funnyHow to remove Dharma Ransomware and restore your file ? Read all details and removal methods below. The virus encrypts the files on the compromised computers after which appends the .dharma file extension along with a unique identifier to them. Whether or not it is created based on the Dharma and Greg TV series it is yet to be confirmed but the ransomware sure does remind of it. After encryption, it extorts the users of the infected computer to make a payment and recover the .dharma files which have been encrypted and can no longer be opened. In case you have become an unfortunate victim of the Dharma virus, we advise you to backup the encrypted files and read the following article to learn how to remove Dharma and try to restore your files.

Update! Malware researchers have discovered that Dharma ransomware is a part of the CrySiS ransomware family. Decryption instructions for this virus can be found below.

Threat Summary



Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” linking to a web page and a decryptor. Changed file names and the file-extension .dharma has been used.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Dharma


Malware Removal Tool

User ExperienceJoin our forum to Discuss Dharma.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Dharma Ransomware – How Does It Replicate

Users on security forums report that the malware has been infecting multiple computers on office networks, suggesting that the virus may not only be spread to home computers, but also attack organizations as well. This can be done in a number of ways:

  • A “dropped” flash drive that may directly cause the infection after being inserted in one office computer.
  • A worm-like features that aim to replicate the malware automatically from one system to another in a home or office network.
  • Massive spam campaigns that target the office network or multiple different computers with phishing e-mails and malicious e-mail attachments added to them.

Whatever the case of Dharma ransomware may be, the virus may be spread massively and may be a variant that has come up from either an open source project or someone may have purchased it’s source code in the dark net.

The Dharma ransomware was also undetected by most conventional antivirus programs, suggesting that the virus may use a sophisticated obfuscator that allows execution without detection.

More Information about Dharma Ransomware

As soon as the user is on the malicious URL or opens a malicious attachment that is carrying the infection vector of Dharma ransomware, the ransomware is automatically executed and it begins to immediately inject commands in the legitimate Windows processes, like svchost.exe and explorer.exe. The ransomware may initially delete any shadow volume copies or other backups on the computer, running the vssadmin command in concealed mode:


After deleting all the file history, the Dharma virus may begin to add custom registry values with data in the Run and RunOnce 3Windows Registry subkeys. This data is usually configured with settings to make the malicious files of the virus run and begin encrypting:

  • Documents.
  • Pictures.
  • Audio files.
  • Video files.
  • Database types of files.
  • Various files associated with often used programs, like VMware, Photoshop, etc.
  • Microsoft Office files.
  • Adobe Reader .PDF’s.

After the virus completes the encryption, during which the computer’s explorer.exe process may enter a ‘Not Responding’ state, it appends e-mail address of the cyber-criminals and the .dharma file extension to the encrypted files, which can no longer be opened. Then a unique decryption key is generated which is believed to be sent out to the command and control servers of the cyber-criminals. The encrypted files look like the picture below after the process is complete:


Remove Dharma Ransomware and Decrypt .Dharma Files

The conclusion for the Dharma virus is that the threat may be either developed by someone with coding skills who took an open source code or be a part of a ransomware as a service (RAAS) scheme. So far it is difficult to tell, but it may be an iteration of Shade or Globe ransomware. Whatever the case may be, we will update this article with more information if a decryptor is released. This is why we advise you to backup your files and use the instructions in this article to remove Dharma ransomware. After them you can find the decryption instructions for the .dharma encrypted files.

In order to remove the virus, we have posted below steps on how to achieve it manually, or unless you lack malware removal experience, how to do it swiftly and automatically with an anti-malware tool.

Manually delete Dharma from your computer

Note! Substantial notification about the Dharma threat: Manual removal of Dharma requires interference with system files and registries. Thus, it can cause damage to your PC. Even if your computer skills are not at a professional level, don’t worry. You can do the removal yourself just in 5 minutes, using a malware removal tool.

1. Boot Your PC In Safe Mode to isolate and remove Dharma files and objects
2.Find malicious files created by Dharma on your PC

Automatically remove Dharma by downloading an advanced anti-malware program

1. Remove Dharma with SpyHunter Anti-Malware Tool and back up your data

After already having removed this ransomware from your computer, it is time to focus on decrypting your files.

Method 1 for Decrypting Files Encrypted by Dharma Ransomware

The first method for the decryption of your files is to use ESET’s decryptor, which has been updated to decode files with the .dharma file extension. You can download it and save it on your desktop where you can easily find it by clicking on the button below:


ESET Crysis Decryptor

Then, open command prompt by typing “command prompt” on Windows search, after which right-clicking it and running it as an administrator.

After you have ran command prompt as an administrator, go to the folder %Desktop% by typing th following command as displayed:


In it type ESETCrysisDecryptor.exe and hit Enter. After this you will see the license terms. Simply accept them and then press Enter.

Now you can choose where you want to scan and to decrypt .dharma files on your computer. If you want to scan C: drive for example, you can typethe following command:

→esetcrysisdecryptor.exe C:

It will scan C: for .dharma files and attempt decryption.

Method 2 for Decrypting Files Encrypted by Dharma Ransomware

The second method for decryption has been provided by experts over at Kaspersky. They have updated the Rakhni decryptor for Crysis ransomware viruses to decrypt .dharma files.

After having removed Dharma from your computer, you should prepare your computer to not shut down automatically during decryption, since this process may take some time. To do this, please follow the following instructions:

1-Click once on the icon for the power (battery icon) in your system tray that is located next to your clock in the bottom right. After this, a menu will appear and on it click on More Power Options.
2-After the Power Options menu shows up, click on Change Plan Settings to open the settings.
3-In there, make sure you set everything from “Turn off the display” to “Put Computer to Sleep” in all modes to “Never”.
4-Now go to “Change Advanced Plan Settings” and go to the expanding “Hard Disk” setting from the list and set it’s settings to “Never” as well.

After you have prepared yourself, please follow these steps to start decrypting files:

Step 1: Download Kaspersky’s Rakhni Decryptor which supports Dharma Ransomware by clicking on the button below and saving it to your computer:


Kaspersky Rakhni Decryptor

Step 2: Open the executable file and click on the Start Scan button:


Step 3: Choose a file from the file explorer pop-up that will appear and click on Open. Make sure to choose a file that is smaller in size.


Now, the decryption process for your keys will begin. This may take from minutes to days, so please be patient. You will see a pop-up notifying you if a decryption has been successful or not.


Boyana Peeva

Boyana Peeva

Believes that the glass is rather half-full and that nothing is bigger than the little things. Enjoys writing, reading and sharing content – information is power.

More Posts - Website


  1. Thanasis I.

    What about .wallet files? The two decryptors don’t seem to fix them


      [[email protected]].wallet ….. it is not working foe this any idea ….

  2. Garret Cunningham

    esetcrysisdecryptor.exe works on .wallet tested and succeeded

  3. James oliver

    tried this on .arrow crysis and still no joy. the email address is becky.cely2[@] anyone any further info please?

  4. Carlos

    esetcrysisdecryptor.exe does not work for .arrow anyone have an update ??


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share