Remove Dharma Ransomware and Restore .dharma Encrypted Files - How to, Technology and PC Security Forum |

Remove Dharma Ransomware and Restore .dharma Encrypted Files

dharma-ransomware-main-dharma-parody-sensorstechforum-funnyHow to remove Dharma Ransomware and restore your file ? Read all details and removal methods below. The virus encrypts the files on the compromised computers after which appends the .dharma file extension along with a unique identifier to them. Whether or not it is created based on the Dharma and Greg TV series it is yet to be confirmed but the ransomware sure does remind of it. After encryption, it extorts the users of the infected computer to make a payment and recover the .dharma files which have been encrypted and can no longer be opened. In case you have become an unfortunate victim of the Dharma virus, we advise you to backup the encrypted files and read the following article to learn how to remove Dharma and try to restore your files.

Update! Malware researchers have discovered that Dharma ransomware is a part of the CrySiS ransomware family. Decryption instructions for this virus can be found below.

Threat Summary



Short DescriptionThe malware encrypts users files using a strong encryption algorithm, making direct decryption possible only via a unique decryption key available to the cyber-criminals.
SymptomsThe user may witness ransom notes and “instructions” linking to a web page and a decryptor. Changed file names and the file-extension .dharma has been used.
Distribution MethodVia an Exploit kit, Dll file attack, malicious JavaScript or a drive-by download of the malware itself in an obfuscated manner.
Detection Tool See If Your System Has Been Affected by Dharma


Malware Removal Tool

User ExperienceJoin our forum to Discuss Dharma.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Dharma Ransomware – How Does It Replicate

Users on security forums report that the malware has been infecting multiple computers on office networks, suggesting that the virus may not only be spread to home computers, but also attack organizations as well. This can be done in a number of ways:

  • A “dropped” flash drive that may directly cause the infection after being inserted in one office computer.
  • A worm-like features that aim to replicate the malware automatically from one system to another in a home or office network.
  • Massive spam campaigns that target the office network or multiple different computers with phishing e-mails and malicious e-mail attachments added to them.

Whatever the case of Dharma ransomware may be, the virus may be spread massively and may be a variant that has come up from either an open source project or someone may have purchased it’s source code in the dark net.

The Dharma ransomware was also undetected by most conventional antivirus programs, suggesting that the virus may use a sophisticated obfuscator that allows execution without detection.

More Information about Dharma Ransomware

As soon as the user is on the malicious URL or opens a malicious attachment that is carrying the infection vector of Dharma ransomware, the ransomware is automatically executed and it begins to immediately inject commands in the legitimate Windows processes, like svchost.exe and explorer.exe. The ransomware may initially delete any shadow volume copies or other backups on the computer, running the vssadmin command in concealed mode:


After deleting all the file history, the Dharma virus may begin to add custom registry values with data in the Run and RunOnce 3Windows Registry subkeys. This data is usually configured with settings to make the malicious files of the virus run and begin encrypting:

  • Documents.
  • Pictures.
  • Audio files.
  • Video files.
  • Database types of files.
  • Various files associated with often used programs, like VMware, Photoshop, etc.
  • Microsoft Office files.
  • Adobe Reader .PDF’s.

After the virus completes the encryption, during which the computer’s explorer.exe process may enter a ‘Not Responding’ state, it appends e-mail address of the cyber-criminals and the .dharma file extension to the encrypted files, which can no longer be opened. Then a unique decryption key is generated which is believed to be sent out to the command and control servers of the cyber-criminals. The encrypted files look like the picture below after the process is complete:


Remove Dharma Ransomware and Decrypt .Dharma Files

The conclusion for the Dharma virus is that the threat may be either developed by someone with coding skills who took an open source code or be a part of a ransomware as a service (RAAS) scheme. So far it is difficult to tell, but it may be an iteration of Shade or Globe ransomware. Whatever the case may be, we will update this article with more information if a decryptor is released. This is why we advise you to backup your files and use the instructions in this article to remove Dharma ransomware. After them you can find the decryption instructions for the .dharma encrypted files.

In order to remove the virus, we have posted below steps on how to achieve it manually, or unless you lack malware removal experience, how to do it swiftly and automatically with an anti-malware tool.

Boyana Peeva

Boyana Peeva

Believes that the glass is rather half-full and that nothing is bigger than the little things. Enjoys writing, reading and sharing content – information is power.

More Posts


  1. AvatarThanasis I.

    What about .wallet files? The two decryptors don’t seem to fix them


      [].wallet ….. it is not working foe this any idea ….

  2. AvatarGarret Cunningham

    esetcrysisdecryptor.exe works on .wallet tested and succeeded

  3. AvatarJames oliver

    tried this on .arrow crysis and still no joy. the email address is becky.cely2[@] anyone any further info please?

  4. AvatarCarlos

    esetcrysisdecryptor.exe does not work for .arrow anyone have an update ??


Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share