Severity scale: 99/100

Dharma ransomware virus. How to Remove? (Uninstall Guide)

Type: Ransomware

Recovering from the failure: a new variant of Dharma ransomware emerged

At the beginning of 2017, it seemed that the era of Dharma ransomware had come to an end because its decryption keys were leaked. However, after a couple of months of silence, a new variant of the virus has been spotted: the .onion file extension virus. It is too early to assess the damage done by this variant; however, it seems that the malware's developers have recovered from the failure and decided to strike again. Dharma first caught malware analysts' attention in November 2016.[1] In the beginning, there was much speculation about this cyber infection. Experts discussed whether the virus was an original creation of its developers or a newer version of some larger family of crypto-ransomware, and whether it could be as dangerous as the Locky virus.[2] Since the appearance of Dharma ransomware, experts have pointed out its resemblance to CrySiS ransomware and the fact that the initial version of the virus can be decrypted. Another parallel with CrySiS is that someone (probably someone involved in the ransomware's development) published a large number of Dharma decryption keys on an Internet forum. Consequently, the initial Dharma decryption tool was updated,[3] and victims can now try to decrypt their files again; the chances are high that one of the leaked keys will unlock your files.

Probably the most widespread Dharma ransomware version is known to use amagnus@india.com to inform people about their encrypted files[4] and ask them to pay a ransom. This information is also provided in info.hta or a differently titled ransom note. We should add that, according to the latest reports, the current versions of Dharma mark encrypted files with these extensions: .dharma, .wallet and .zzzzz. In April 2017, however, malware researchers spotted a new version of the virus lurking on the web. Because of the file extension it appends, this recent variant is called the .onion file extension virus. The virus has not started spreading actively yet; however, it might be the hackers' revenge and another attempt to develop a hazardous cyber threat.

On the day of its appearance, security experts did not know much about Dharma in general and believed it to be one of the new-generation viruses.[5] It seems that the virus developers were trying to keep it as obscure as possible and did not follow the typical patterns other ransomware creators do. For instance, the virus did not drop ransom notes or any other additional documents that would let you know about the virus hiding in the system. Also, in November, antivirus utilities did not seem to detect it either, which significantly complicated Dharma removal. Nonetheless, you can now use software such as Reimage to eliminate this ransomware from the computer. Thus, before taking any virus removal steps, make sure you have the proper tools to back you up.

The latest versions of Dharma ransomware do leave a simple ransom note on the infected computer that reads:

ATTENTION!
At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:
bitcoin143@india.com

As you can see, victims have to contact the criminals via the email address provided in the note and ask them about the ransom demanded for the affected files. Apart from the email address, you will also see .dharma, .wallet or .zzzzz pinned to the very end of the file name. For instance, if your file is labeled picture.jpg, the affected version of the file will be picture.jpg[email_address].dharma. Interestingly, the email addresses the hackers provide vary. So, when infected with the virus, you might be required to write to bitcoin143@india.com, worm01@india.com (this variant drops a worm.exe file on the system), oron@india.com, or another @india.com email address. We strongly suggest not doing that. You have absolutely no way of knowing what to expect from this bunch of extortionists or how contacting them might end. It is more reasonable to simply remove Dharma and use your computer normally again. If you continue using the computer with the ransomware running, every reboot of the system will result in newly encrypted files. Speaking of data recovery methods, you can restore your files with the help of a data backup or the updated Rakhni decryption tool. However, one of 2-Spyware's visitors has reported a surprising Dharma decryption method that helped him restore files with the .[oron@india.com].dharma extension for free. The visitor says that he managed to restore encrypted data archives using the 7-Zip program. For more information, see the data recovery methods described below the article.

Current variants of Dharma ransomware:

Oron@india.com ransomware virus. Ransomware developers simply can't go about their business without making improvements to their malicious creations, and Dharma ransomware is no exception. The virus has undergone a lot of changes and different versions of it are now circulating on the web. One of these versions is oron@india.com ransomware. The virus is named after the extension it adds to the encrypted files: a computer infected with oron@india.com will contain a lot of files ending with .[oron@india.com].dharma. The use of an email address to mark encrypted files suggests that it may be the key to their decryption, or at least that the hackers want you to believe that. Victims who reach out to the cyber criminals via this address are told to send money (Bitcoins) to the given Bitcoin account, while the hackers promise to hand over the decryption key. Nevertheless, paying the extortionists is not necessary, as you may unlock your files using Dharma Decrypter.

Zzzzz ransomware virus. This is another Dharma virus version, and it shares its extension with the infamous Locky virus. It is not clear whether the zzzzz developers borrowed Locky's idea or whether the use of the same extension to mark encrypted files is sheer coincidence. Despite appearances, these viruses are not related and are based on different code. Nevertheless, this does not make the zzzzz virus any less dangerous than the nasty Locky virus. It still encrypts files, making them inaccessible to the victims, and demands payment for the access key. You may use Dharma Decrypter to attempt zzzzz file recovery, but the most important thing is to remove the virus from your computer to prevent further damage.

Wallet ransomware virus. Wallet is the latest Dharma version and appends the .wallet extension to the encrypted files. Ransomware victims are also urged to contact the criminals via the given email address (amagnus@india.com), and no specific details are given upfront. The virus makes sure the victims are acquainted with the data recovery conditions by replacing the infected computer's desktop wallpaper with an image of a ransom note. Besides, the extortionists set a 72-hour limit to pay the ransom and claim that if victims fail to pay in time, the decryption key will be destroyed and they will lose access to their files forever. Of course, there are always alternatives and you don't have to succumb to the criminals' demands. Just scroll down to the end of this article and check out the data recovery options recommended by experts.

.onion file virus. The latest variant of Dharma ransomware was spotted in April 2017. The virus spreads via malicious email attachments, and once the victim opens an infected attachment, the malware sneaks into the system. On the affected device, the ransomware starts a system scan and looks for the targeted file types. For data encryption, it uses a strong algorithm that prevents users from accessing their files. The ransomware appends the .onion file extension to the encoded documents, PDFs, video, audio, image files, databases, and other popular file types. Although the authors of the virus claim that purchasing decryption software from them is the only option to regain access to your data, you should not rely on their words. After the attack, you should focus on malware removal and later look for data recovery possibilities.

How does the virus spread?

While trying to infect systems with this malware, the developers of Dharma ransomware have been actively relying on phishing.[6] The most common method is delivery of the virus with the help of infected email messages. The scammers use malicious spam campaigns to spread fraudulent emails with malware attached and, sadly, users often fall for their tricks. If you receive an email from an unknown sender, company or institution, investigate it carefully. Think about whether you expected such an email in the first place; if you have no idea why it has reached your inbox, it might be that you are being targeted by extortionists. In such a case, stay away from any attachments added to the email and delete it immediately. Otherwise, Dharma can sneak its malicious payload in with a fake plane ticket, speeding ticket or any other document that looks convincing enough to be trusted.

Terminate Dharma malware from the computer

All computer security experts unanimously agree that the best way to remove the Dharma virus, or any ransomware, from an infected device is by scanning it with a professional anti-malware tool. Nevertheless, you probably remember that this virus is particularly good at hiding on the computer and may not even be detected by security tools. That is why you cannot approach Dharma removal directly and need to complete a few extra steps before you run the system scan. We have presented these steps below. Feel free to use them, and don't forget to scan your system automatically afterward! We suggest using one of these tools: Reimage, Plumbytes, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware.

To remove Dharma ransomware virus follow these steps:


Remove Dharma using Safe Mode with Networking

If the ransomware blocks access to your security software or you cannot install your preferred tool, you need to disable the virus by rebooting the device into Safe Mode with Networking. Then you will be able to install, update and run the malware removal program.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Dharma

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Dharma removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.


Remove Dharma using System Restore

System Restore is another method to disable the virus in order to perform automatic ransomware elimination.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Dharma. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Dharma removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Dharma from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Dharma, you can use several methods to restore them:

Using Data Recovery Pro to restore files encrypted by Dharma ransomware

Data Recovery Pro is a software choice that is recommended for those who do not wish to spend time recovering data themselves. It is an automatic tool that will do all the work for you. So, follow the steps below, sit back and wait for the results. 

Using Windows Previous Versions feature to recover files encrypted by Dharma

The Windows Previous Versions feature is another option you can try in order to recover your data. Keep in mind, though, that this technique requires the System Restore function to be enabled. If it was on before the virus attack, try recovering your data using the instructions below.

  • Find an encrypted file you need to restore and right-click on it;
  • Select "Properties" and go to "Previous versions" tab;
  • Here, check each of available copies of the file in "Folder versions". You should select the version you want to recover and click "Restore".

Relying on ShadowExplorer to fix your files

Last but not least, ShadowExplorer can also be used for data recovery. ShadowExplorer focuses on extracting data from the Volume Shadow Copies that are normally kept on the computer, provided the virus has not deleted them. If the needed information is intact, follow the steps below to proceed with data recovery.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select "Export". You can also select where you want it to be stored.

IMPORTANT. The latest Dharma decryption options

As we already mentioned, someone has leaked a lot of Dharma decryption keys online, and Kaspersky has already updated the Rakhni decryptor with these keys. At the moment, the leaked keys are known to belong to the Dharma version that appended the .dharma file extension. You should definitely try the decrypter published by Kaspersky Lab. You can download it from here.

In case the decryptor fails to decrypt your .dharma files: our team recently received a message from a person who said one of his clients got infected with the .[oron@india.com].dharma ransomware version. Surprisingly, our site visitor reported that he managed to restore encrypted data archives by extracting them with 7-Zip. We suggest you try this method if you haven't already. You can find the original comment from the visitor in the comments section below.
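The file-naming scheme described earlier (picture.jpg.[email].dharma) and the visitor's 7-Zip observation can both be checked from a triage script. The following added example is not part of the original guide or of any vendor tool: it lists files whose names follow the Dharma marking pattern and, for marked ZIP archives, tests whether the archive body still opens, which is exactly the condition under which 7-Zip extraction would succeed. The sample directory it builds is constructed for the demonstration.

```python
"""Triage a directory hit by Dharma: find files marked with the ransomware's
extensions and check whether marked ZIP archives still open (constructed demo)."""
import re
import tempfile
import zipfile
from pathlib import Path

# Extensions the guide reports for Dharma variants (.onion appeared in April 2017).
DHARMA_EXTS = ("dharma", "wallet", "zzzzz", "onion")

# "<original name>[.][<contact email>].<ext>", e.g. picture.jpg.[oron@india.com].dharma.
# The bracketed address is optional because some variants append only the extension.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.?(?:\[(?P<email>[^\]\s]+@[^\]\s]+)\])?\.(?P<ext>"
    + "|".join(DHARMA_EXTS) + r")$",
    re.IGNORECASE,
)

def parse_dharma_name(filename: str):
    """Return {'original', 'email', 'ext'} for a Dharma-marked name, else None."""
    m = DHARMA_NAME.match(filename)
    if not m:
        return None
    return {"original": m["original"], "email": m["email"], "ext": m["ext"].lower()}

def zip_still_opens(path: Path) -> bool:
    """True if the marked file still has a readable ZIP structure, i.e. the archive
    body was not overwritten and an extractor such as 7-Zip can read its members."""
    try:
        with zipfile.ZipFile(path) as zf:
            return zf.testzip() is None and len(zf.namelist()) > 0
    except (zipfile.BadZipFile, OSError):
        return False

def triage(root: Path):
    """Walk root and report every file whose name matches the Dharma scheme."""
    findings = []
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        info = parse_dharma_name(p.name)
        if info is None:
            continue
        info["path"] = str(p)
        # Only archives can be checked this way; other file types get None.
        is_zip = info["original"].lower().endswith(".zip")
        info["zip_intact"] = zip_still_opens(p) if is_zip else None
        findings.append(info)
    return findings

def demo():
    """Build a constructed sample directory (not real victim data) and triage it."""
    root = Path(tempfile.mkdtemp(prefix="dharma_demo_"))
    # 1) a backup archive whose name was marked but whose body is still a valid ZIP
    with zipfile.ZipFile(root / "backup.zip.[oron@india.com].dharma", "w") as zf:
        zf.writestr("ledger.csv", "date,amount\n2017-04-01,100\n")
    # 2) an archive whose body was overwritten with junk, 3) a .wallet file without
    #    a contact address, 4) an untouched file that must not be reported
    (root / "old.zip.[oron@india.com].dharma").write_bytes(b"\x00" * 64)
    (root / "photo.jpg.wallet").write_bytes(b"\xff\xd8\xff" + b"\x00" * 16)
    (root / "notes.txt").write_text("clean\n")
    return triage(root)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A result with zip_intact set to True means the archive can be recovered by plain extraction; False means the body really was overwritten and only a decryptor or a backup will help.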

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Dharma and other ransomware, use a reputable anti-spyware program such as Reimage, Plumbytes, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware.

Jake Doe - Computer technology expert

Comments on Dharma ransomware virus

2spyware
Dear Sean, thank you for your information. It will definitely help infected users!
Sean Venter
I had a client that got this infection on their accounting server and because they hadn't noticed the infection it encrypted all files on their backup hard disk drives that they rotate on a daily basis. So they have lost all their data. As I started to reinstall everything I right-clicked on one of the encrypted backup zip files that had the extension .[oron@india.com].dharma and I managed to open it with 7-Zip, and I managed to extract all of their backups from the latest zip file!!! Don't know if it is a bug in the virus but somehow all the zip files on the external hard disk drive have the .[oron@india.com].dharma extension but I am able to extract the data with 7-Zip. Hope this helps anybody as this is really a serious virus infection.
PweDiepie
What a spiritual title for such a nasty parasite
Ebbie Millton
Well this virus escalated from an obscure little parasite. I still remember when it first came out
