.vanss Files Virus (Dharma Ransomware) – Remove It

This article has been created to help explain what the .vanss variant of the Dharma/CrySiS ransomware virus is, how you can remove it, and how you can try to restore files encrypted with the .vanss file extension.

With another week upon us, another variant of Dharma ransomware has been released in the wild, this time appending the .vanss file extension to the encrypted files. The virus is of the ransomware type, meaning that it encrypts the files on your computer, leaving them in a state that prevents you from opening them until you pay a ransom. This variant also drops two ransom notes, FILES ENCRYPTED.txt and Info.hta, whose main purpose is to give instructions on how victims can pay the ransom to get their files back. If your PC has become a victim of this nasty virus, we recommend that you read this article.

Threat Summary

Name: .vanss Dharma Virus
Type: Ransomware, Cryptovirus
Short Description: A variant of Dharma ransomware. Aims to encrypt the files on the victims’ computers, then extort them for a ransom payment in Bitcoin.
Symptoms: Info.hta and FILES ENCRYPTED.txt start to appear on your PC. The files are encrypted with the file extension id-{random ID}.[Blacklist@cock.li].vanss
Distribution Method: Spam Emails, Email Attachments, Executable files
Detection Tool: See If Your System Has Been Affected by .vanss Dharma Virus (Malware Removal Tool)
User Experience: Join Our Forum to Discuss .vanss Dharma Virus.
Data Recovery Tool: Windows Data Recovery by Stellar Phoenix. Notice! This product scans your drive sectors to recover lost files and may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.

Dharma .vanss Ransomware – Distribution Methods

To spread widely and infect computers effectively, the operators of this variant of Dharma ransomware may use several devious tactics. One of them is to spread the virus via an infection file attached to spammed e-mail messages. Such files usually pose as legitimate documents, like an invoice, a receipt or a banking statement. The e-mails are often set up to imitate legitimate messages from big companies, like PayPal, eBay, Amazon, LinkedIn, DHL, FedEx and even banks.

In addition to e-mail, the malicious files may also be uploaded to hoax or compromised WordPress websites in the form of different executables, such as:

  • Game or program patches or cracks.
  • Key generators.
  • License activators.
  • Installers.
  • Portable versions of programs.

In addition to this, the dropped files may also be self-extracting archives or JavaScript files served by download scripts embedded on malicious URLs. This means that you may have become infected with Dharma ransomware simply by opening a web link that leads to an automatic download and install of the infection file.

Dharma .vanss Ransomware – Analysis

The main malicious file of Dharma’s .vanss variant has been reported on VirusTotal to have the following technical specifications:

→ MD5: e86893b92eca6e8dfbcfb9bbc08ee973
Type: Win32 EXE
Size: 4.72 MB

Once dropped on the victimized machine, the Dharma .vanss virus begins to interact with the following system files in Windows:

→ KERNEL32.dll

The .vanss variant of Dharma uses that Windows DLL to import the following functions:

• LocalFree
• GetProcessAffinityMask
• LocalAlloc
• GetModuleHandleA
• GetModuleFileNameW
• VirtualQuery
• FreeLibrary
• ExitProcess
• Sleep
• SetThreadAffinityMask
• SetProcessAffinityMask
• GetProcAddress
• LoadLibraryA
• GetProcessWindowStation
• GetUserObjectInformationW
• WTSSendMessageW

Dharma ransomware may then interact with the following Windows file in System32:

→ C:\WINDOWS\system32\winime32.dll

In addition to this, Dharma ransomware also modifies multiple registry sub-keys in Windows:

→ \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\996E.exe
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ole32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oleaut32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\version.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\comctl32.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SHELL32.dll

Among the activities of the .vanss Dharma ransomware is also dropping its ransom note, called Info.hta, on the victim PC. The note looks like the following when opened:

Dharma .vanss Ransomware – Encryption Process

Like the previous versions of Dharma ransomware, this one keeps with tradition and includes various functions that skip encrypting files in the key Windows directories, like:

  • %System%
  • %System32%
  • %Windows%
  • %ProgramData%
  • %AppData%

This is done with the main purpose of leaving Windows active so that the victim can use the PC to pay ransom, which we highly advise against doing.

Dharma ransomware may then scan for the files it aims to encrypt by looking for them based on their file extensions. The most targeted files are naturally the most commonly used ones, for example:

  • Pictures.
  • Videos.
  • Audio files.
  • Archives.
  • Virtual Drives.
  • Backups.

The virus may then use the AES encryption algorithm to encrypt your files. It may create encrypted copies of the files and delete the originals, or directly overwrite the files themselves. After the .vanss version of Dharma ransomware is done with your files, the malware generates an asymmetric decryption key, which is itself encrypted so that only the crooks can use it to recover your files. The file name is also modified and the file icon is stripped from it. Files encrypted by .vanss Dharma ransomware look like the following:
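A defender-side triage check for the file-system indicators this article lists (the two ransom notes and the id-{random ID}.[Blacklist@cock.li].vanss naming pattern), as an added example that is not from the original article: it walks a directory tree, separates encrypted files from ransom notes, recovers the pre-encryption file names, and tallies the victim IDs it sees. The sample tree it scans is constructed inside the script, and treating the random ID as alphanumeric is an assumption.

```python
import os
import re
import tempfile
from collections import Counter

# Naming pattern this variant applies: <original name>.id-<random ID>.[Blacklist@cock.li].vanss
# (an alphanumeric ID is an assumption; the article only says "random ID")
VANSS_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<id>[0-9A-Za-z]+)\.\[Blacklist@cock\.li\]\.vanss$")
RANSOM_NOTES = {"FILES ENCRYPTED.txt", "Info.hta"}

def classify_name(name):
    """Return 'note', 'encrypted' or None for a single file name."""
    if name in RANSOM_NOTES:
        return "note"
    if VANSS_RE.match(name):
        return "encrypted"
    return None

def original_name(name):
    """Recover the pre-encryption file name from a .vanss file name (None if no match)."""
    m = VANSS_RE.match(name)
    return m.group("orig") if m else None

def scan_tree(root):
    """Walk root; collect encrypted-file and ransom-note paths, and tally victim IDs."""
    found = {"encrypted": [], "notes": [], "ids": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            kind = classify_name(name)
            if kind == "encrypted":
                found["encrypted"].append(os.path.join(dirpath, name))
                found["ids"][VANSS_RE.match(name).group("id")] += 1
            elif kind == "note":
                found["notes"].append(os.path.join(dirpath, name))
    return found

def build_sample_tree():
    """Constructed sample tree of empty files (not a real infection) for an offline run."""
    root = tempfile.mkdtemp(prefix="vanss_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    for name in ("report.docx.id-1A2B3C4D.[Blacklist@cock.li].vanss",
                 "photo.jpg.id-1A2B3C4D.[Blacklist@cock.li].vanss",
                 "untouched.txt", "FILES ENCRYPTED.txt"):
        open(os.path.join(docs, name), "w").close()
    open(os.path.join(root, "Info.hta"), "w").close()
    return root
```

Point scan_tree() at the root you want to triage; build_sample_tree() exists only so the script can be exercised without a real infection.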

Remove Dharma Ransomware and Try Restoring .vanss Files

Before beginning any removal process of this iteration of Dharma, we recommend that you do a backup of your files, just in case.

If you want to remove this virus, you can try doing so by following the removal instructions underneath this article. They have been made with the main goal of helping you delete the virus files and objects of Dharma ransomware either manually or automatically. If manual removal is not something you feel confident in doing, then most security experts would advise you to run a scan of your PC using an advanced anti-malware program. Such software will scan your computer for all malicious files and objects that may be related to this virus, remove them from your computer, and secure it against future infections.

If you want to restore files, you can try doing so by following the alternative methods for file recovery underneath. They are located in step “4. Try to Restore files encrypted by .vanss Dharma Virus”. They are not a 100% guarantee that you will be able to restore all of your encrypted files, but with their aid you may be able to recover some or most of your files, depending on the situation.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
