.risk Files Virus (Dharma) - How to Remove It


This article explains the issues that occur in case of infection with .risk files virus and provides a complete guide on how to remove malicious files and how to potentially recover files encrypted by this ransomware.

The appearance of the .risk extension in the names of your valuable files is a sure sign of a ransomware infection. This threat was detected in the wild by security researchers and is dubbed .risk files virus after its associated extension. As identified in the course of its analysis, it belongs to the Dharma ransomware family. Cyber criminals use the fact that your files are corrupted and inaccessible as leverage to extort a ransom payment.

Threat Summary

Name: .risk Files Virus
Type: Ransomware, Cryptovirus
Short Description: A version of the CrySiS/Dharma ransomware that is designed to encrypt valuable files stored on infected computers and then extort a ransom from victims.
Symptoms: Important files are encrypted and renamed with the extension .risk. A ransom note appears on the PC screen to present ransom payment instructions.
Distribution Method: Spam Emails, Email Attachments

.risk Files Virus – Distribution

The hackers behind this threat are likely to use at least one of the most common distribution channels.

One way to deliver .risk files virus to users’ devices is malspam, a technique in which hackers spread malicious software via spam email campaigns. These emails share several specific traits. The first is a spoofed email address, sender name, or both: the emails are often designed to appear to come from representatives of well-known companies in order to look trustworthy and eventually trick you into installing the ransomware on your device. Another trait that should always warn you that something may be wrong is the presence of a file attachment. There are many registered cases of users who made the mistake of opening a malicious attachment, which resulted in the execution of malicious code on their devices. The last trait of an email that attempts to deliver ransomware is a URL presented as an in-text link, button, image, banner or another clickable element.

In fact, URLs that lead to infected web pages can be spread through channels other than email, among them social media platforms, forums, and sometimes comments under articles. Visiting such a page can unnoticeably trigger a malicious script that is part of its code and eventually grant the ransomware access to your device.

.risk Files Virus – Overview

The ransomware dubbed .risk files virus infects computer systems in order to reach target file types and encode them with a sophisticated cipher algorithm. It has been identified as another strain of the infamous Dharma ransomware. Recently, many iterations of the same ransomware family have been detected in the wild. Among the latest reported by our team are .war, .cccmn, and .adobe.

Like its predecessors, the .risk variant of Dharma ransomware interferes with system settings in order to complete the attack. It passes through several infection stages, the first of which is placing its malicious files on the system. To do so, the ransomware may either create the needed files directly on the system or connect to its command and control server and download the additional malicious files. Folder locations that may be used for the storage of these malicious files are:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%
  • %Windows%

Malicious entries could also be found under the registry sub-keys Run and RunOnce. The most common reason why these two keys are often targeted by ransomware is that they auto-execute the files and processes listed in them. Once .risk crypto virus manages to add its malicious values under these keys, its infection files load along with all other essential files on each system start. Here are the exact locations of the Run and RunOnce sub-keys:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
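The following is an added triage script, not code from the original article or from any removal tool: it lists Run/RunOnce autostart entries and flags any whose executable resides in one of the user-writable drop folders named above (%AppData%, %Local%, %LocalLow%, %Roaming%, %Temp%). The HKLM paths and the RunOnce sub-key are standard Windows locations assumed here; the article itself lists only the HKCU Run key.

```powershell
# Added triage example (not from the original article): list Run/RunOnce autostart
# entries and flag those whose image lives in a user-writable folder that ransomware
# such as Dharma commonly uses as a drop location. Read-only: nothing is deleted.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Drop folders from the article, resolved to real paths on this machine.
# %Windows% is deliberately left out: it is not user-writable and would flag
# legitimate system autostarts.
$suspectDirs = @(
    $env:APPDATA,                                    # %AppData% / %Roaming%
    $env:LOCALAPPDATA,                               # %Local%
    (Join-Path $env:USERPROFILE 'AppData\LocalLow'), # %LocalLow%
    $env:TEMP                                        # %Temp%
) | ForEach-Object { $_.TrimEnd('\').ToLowerInvariant() }

function Get-SuspiciousAutoruns {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PowerShell metadata properties
            # Expand %VAR% references, then strip quotes and arguments to get the image path.
            $cmd  = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
            $exe  = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $exeL = $exe.ToLowerInvariant()
            $hit  = $suspectDirs | Where-Object { $exeL.StartsWith($_ + '\') }
            if ($hit) {
                [pscustomobject]@{
                    Key    = $key
                    Name   = $p.Name
                    Image  = $exe
                    Exists = (Test-Path -LiteralPath $exe)
                }
            }
        }
    }
}

Get-SuspiciousAutoruns | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable; an entry that points into %Temp% or %AppData% and whose image no longer exists is a typical leftover from a partially cleaned infection and is worth reviewing before the manual removal steps below.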

When .risk files virus completes all initial system modifications, it loads its built-in encryption module and eventually encodes the target data. The target files could include all of the following:

  • Audio files
  • Video files
  • Document files
  • Image files
  • Backup files
  • Banking credentials, etc

During encryption, .risk ransomware transforms the original contents of target files with strong cipher algorithms such as AES and RSA. It then marks each corrupted file with the extension .risk. Unfortunately, all .risk files remain inaccessible until an effective recovery method restores their contents. This is what enables the threat actors to extort a ransom payment from you, which they do via a ransom message created on your device. The text of this message is likely to push you into contacting the hackers so they can send you further instructions for the ransom payment. They could demand an amount from 0.1 to 1.0 Bitcoin.

The good news is that hackers’ decrypter is not the only tool that could restore .risk files. To find more alternatives complete the removal process and check the restore data part of the guide that follows.

Remove .risk Files Virus and Restore Data

The so-called .risk files virus is a threat with highly complex code that affects not only your files but your whole system. The infected system should therefore be cleaned and secured properly before you use it regularly again. Below you will find a step-by-step removal guide that may be helpful in attempting to remove this ransomware. Choose the manual removal approach if you have previous experience with malware files. If you don’t feel comfortable with the manual steps, select the automatic section of the guide. The steps there enable you to check the infected system for ransomware files and remove them with a few mouse clicks.

In order to keep your system safe from ransomware and other types of malware in future, you should install and maintain a reliable anti-malware program. An additional security layer that could prevent ransomware attacks is an anti-ransomware tool.

Make sure to read carefully all the details in the step “Restore files” if you want to understand how to recover encrypted files without paying the ransom. Before starting the data recovery process, back up all encrypted files to an external drive, as this will prevent their irreversible loss.

Gergana Ivanova

Gergana has completed a bachelor degree in Marketing from the University of National and World Economy. She has been with the STF team for four years, researching malware and reporting on the latest infections.
