.santa Files Virus (Dharma) – How to Remove It

.santa Files Virus (Dharma) – How to Remove It

This blog post has been made to explain what is the .santa file version of Dharma ransomware and how you can remove it plus restore files, encrypted by it on your computer.

A new variant of Dharma ransomware has surfaced around the winter holidays, carrying around the .santa file extension, which it adds to the encrypted files. The virus uses the e-mail newsantaclaus@aol.com for contact with the cyber-criminals in order to extort victims to pay ransom fee for their files which are encrypted by it. If your computer has been infected by this variant of CrySiS/Dharma ransomware, we recommend that you read this article thoroughly.

Threat Summary

NameDharma .santa Virus
TypeRansomware, Cryptovirus
Short DescriptionAims to encrypt the files on the computers infected by it and hold them hostage until ransom is paid by the victim to decrypt them and make them usable again.
SymptomsThe main symptoms are the .santa file extension and the newsantaclaus@aol.com e-mail used by the criminals.
Distribution MethodSpam Emails, Email Attachments, Executable files
Detection Tool See If Your System Has Been Affected by Dharma .santa Virus


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Dharma .santa Virus.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Dharma .santa Ransomware – Distribution Methods

For the Dharma ransomware to infect a given computer, the people who spread it may use different methods of propagation. One of the most often used one is to take advantage of unsuspecting users by sending them e-mails that contain he infection file masked as a legitimate attachment, like:

  • Invoice.
  • Receipt for a purchase.
  • Banking document.
  • Other type of document.

In addition to this, Dharma ransomware may also infect users via other means, like upload the infection files on affected WordPress websites, where they may pretend to be:

  • Patches.
  • Portable programs.
  • Game cracks.
  • Software activators.
  • Key generators.

Dharma Ransomware .santa Variant – Activity

When Dharma’s .santa variant is dropped on the victim’s computer, the malware may drop its payload, which may reside in the following Windows directories:

  • %AppData%
  • %Local%
  • %LocalLow%
  • %Roaming%
  • %Temp%

When dropped, the malicious file of this ransomware may be executed and the outcome of this is that it may pefrorm the following malicious activities on the infected computer:

  • Create mutexes.
  • Create entries in the Registry Editor of Windows.
  • Delete backups.
  • Schedule tasks.
  • Disable Windows Recovery.
  • Change wallpapers.
  • Set ransom note to open automatically.
  • Modify Windows system files and objects.

The Dharma .santa ransomware may modify the Run and RunOnce Windows registry keys with the main idea to run the malicious files of the virus automatically. These sub-keys have the following Windows locations:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\

But this is not all. Dharma .santa virus may also delete the backed up files on the victims computers by executing the following commands as an administrator:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

Dharma .santa Ransomware – Encryption Process

This variant of Dharma ransomware may encrypt files that have the following file extensions:

→ .ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf,
.bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco,
.oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn,
.sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf,
.xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw,
.cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx,
.dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb,
.ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb,
.kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab,
.jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.,/p>

In addition to this, the .santa variant od Dharma ransomware skips encrypting files if they are located in the following Windows directories, so that the victim can still use his or her computer to pay the ransom:

→ %Local%
%Program Files%

In order to encrypt the files on the victim computer, this variant of Dharma ransomware may create copies of those files and then delete the original versions of those files. In this way, the virus ensures that it becomes very difficult to recover your encrypted files. The encrypted files have the .santa file extension and they appear like the following:

Remove Dharma Ransomware and Restore .santa Files

If you want to remove the .santa variant of Dharma ransomware, we recommend that you follow the removal instructions underneath this article. They have been divided in manual as well as automatic removal instructions with the main idea in mind of helping you delete this virus according to your skillset. If manual removal does not work for you, experts always advise removing Dharma ransomware automatically, prefferably with the aid of an advanced anti-malware software. Such tool will effectively make sure that the virus files of this infection are automatically gone from your computer by detecting all related malicious objects and removing them.

If you want to try and restore files, encrypted by this version of Dharma ransomware, we recommend that you try the file recovery methods underneath. They have been created with the main idea to help you restore as many encrypted files as possible, but they may not be a 100% guarantee to recover all the files.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated Marketing as well, Ventsislav also has passion for discovery of new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecrurity and is a strong believer in basic education of every user towards online safety.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share