Severity: 99/100

Dharma ransomware virus. How to remove? (Uninstall guide)

Removal guide by Jake Doevan | Type: Ransomware

Dharma – a ransomware family that is being continuously updated in 2018

The ransom note of Dharma ransomware virus


Dharma is a file-encrypting virus first seen in 2016, and its authors have updated it several times since. Although malware researchers produced a free decryptor for the early versions, the developers have not given up: they have released a series of versions for which no decryptor exists. The latest was spotted in mid-May 2018 and appends the .bip file extension; like its predecessors, it is named after the suffix it adds, Bip Dharma ransomware.

Summary
Name: Dharma
Type: Ransomware
Danger level: High. Makes system changes and encrypts files
Release date: 2016
Appended file extensions: .dharma, .wallet, .zzzzz, .onion, .cezar, .cesar, .arena, .cobra, .java, .write, .arrow, .bip
Ransom notes: Info.hta and FILES ENCRYPTED.txt
Contact email addresses: decrypthelp@qq.com, files.restore@aol.com, Beamsell@qq.com, GuardBTC@cock.li, Blammo@cock.li, Bitcoin888@cock.li, 1778357646@gg.com, sm@uwmanage.com
Distribution: Malicious spam emails
Data recovery: Some versions can be decrypted with a free decryptor
Removal: Run a full system scan with a reputable anti-malware tool such as Reimage

Dharma is closely related to CrySiS ransomware: the two share code and behaviour, are treated as one family, and Dharma is generally regarded as the successor of CrySiS. Since 2016, ransomware researchers have catalogued more than ten versions of this infection, distinguished mainly by the file extension they append (.java, .cesar, .wallet, .zzzzz, .dharma and others).

Although this crypto-malware went quiet for several months after a Dharma decryptor became available, it is back with several new versions that cannot yet be decrypted. Relatively new strains use the .java and .write extensions, seen in full as [decrypthelp@qq.com].java and [files.restore@aol.com].write, and two further variants appeared in 2018.

One Dharma variant, detected at the beginning of March 2018, appends .id-[ID].[email].arrow to every encrypted file and is therefore referred to as the .arrow file extension virus. Another, detected in May 2018, appends [Beamsell@qq.com].bip to the files it targets and is called the .bip Files Virus.

Dharma ransomware first caught malware analysts' attention in November 2016.[1] In the beginning there was much speculation about it: experts debated whether the virus was an original creation or a newer version of some larger crypto-ransomware family, and whether it could be as dangerous as the Locky virus.[2]

As mentioned above, experts pointed out its resemblance to CrySiS ransomware from the start, along with the fact that the initial version can be decrypted. Another parallel with CrySiS is that someone, probably a person involved in the ransomware's development, published a large set of Dharma decryption keys on an Internet forum. The decryption tool for the initial version was updated accordingly,[3] so victims of that version can try it again: there is a good chance that one of the leaked keys will unlock their files.

Dharma Bip ransom note

Probably the most widespread Dharma version uses amagnus@india.com and decrypthelp@qq.com to inform victims about their encrypted files[4] and to ask them to pay a ransom. The same information is provided in info.hta or in a ransom note under another name.

According to the latest reports, the current versions use these extensions to mark encrypted files:

  • .cesar
  • .onion
  • .dharma
  • .wallet
  • .zzzzz
  • .arena
  • .cezar
  • .java
  • .write
  • .bip

In April 2017, malware researchers spotted a new version lurking on the web. It is called the .onion file extension virus after the extension it appends. At the time it had not yet started spreading actively; it appears to be another attempt by the authors to produce a hazardous threat after the decryptor undercut the earlier versions.

When it first appeared, security experts knew little about Dharma and believed it to be a new-generation virus.[5] Its developers seemed to be keeping it as obscure as possible and did not follow the patterns other ransomware creators typically do: for instance, the first version dropped no ransom note or other document that would let you know the virus was hiding in the system.

In November 2016, antivirus utilities did not seem to detect it either, which significantly complicated Dharma removal. Today anti-malware software such as Reimage does detect and eliminate this ransomware, so before taking any removal steps, make sure you have a proper tool at hand.

Later versions do leave a simple ransom note on the infected computer, which reads:

ATTENTION!
At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:
bitcoin143@india.com

As the note shows, victims have to contact the criminals at the email address provided and ask how much ransom is demanded for the affected files. Apart from the email address, you will also see .cezar, .cesar, .dharma, .wallet, .java, .write or .zzzzz pinned to the very end of the file name. For instance, a file named picture.jpg becomes picture.jpg.id-[ID].[email address].dharma or picture.jpg.[files.restore@aol.com].write.
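The naming convention above is the quickest way to tell which Dharma version hit a machine and which address the operator used, and the ransom-note file names give a second indicator. The following Python script is an added example, not code from this page, from 2-Spyware or from the malware: it parses file names of the form original.ext.id-XXXXXXXX.[email].variant, tallies encrypted files by variant and contact address, collects the victim IDs and locates Info.hta and FILES ENCRYPTED.txt. The victim ID is assumed to be 8 alphanumerics as the page describes it for the .java version, the variant list is taken from this article, and the sample directory the demo builds is constructed rather than real victim data.

```python
"""Triage scan for Dharma/CrySiS-style encrypted file names and ransom notes.

Added example for this article, not 2-Spyware's or the malware's code.  The
naming pattern and the variant list come from the page; the sample tree
built in demo() is constructed, not real victim data.
"""
import re
import tempfile
from collections import Counter
from pathlib import Path

# Variant extensions listed on this page.  A file whose name carries the
# bracketed contact address but ends in anything else is reported separately
# as an unknown variant rather than ignored.
KNOWN_VARIANTS = {"dharma", "wallet", "zzzzz", "onion", "cezar", "cesar", "arena",
                  "cobra", "java", "write", "arrow", "bip"}
# Ransom note file names reported on the page (compared case-insensitively).
RANSOM_NOTES = {"info.hta", "files encrypted.txt"}

# original.ext[.id-XXXXXXXX][.][email].variant
# The optional victim ID is assumed to be 8 alphanumerics, as the page
# describes it; the dot before '[' is optional because the page shows both
# spellings.
_NAME_RE = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.id-(?P<victim_id>[0-9A-Za-z]{8}))?"
    r"\.?\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]"
    r"\.(?P<variant>[A-Za-z0-9]+)$"
)


def classify(filename):
    """Return the parsed parts of a Dharma-style file name, or None if it does not match."""
    m = _NAME_RE.match(filename)
    if not m:
        return None
    info = m.groupdict()
    info["variant"] = info["variant"].lower()
    info["known_variant"] = info["variant"] in KNOWN_VARIANTS
    return info


def scan(root):
    """Walk `root` and summarise encrypted files, victim IDs and ransom notes found."""
    hits = Counter()            # (variant, email) -> number of files
    victim_ids = set()
    notes, unknown = [], []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if path.name.lower() in RANSOM_NOTES:
            notes.append(str(path))
            continue
        info = classify(path.name)
        if info is None:
            continue
        hits[(info["variant"], info["email"])] += 1
        if info["victim_id"]:
            victim_ids.add(info["victim_id"])
        if not info["known_variant"]:
            unknown.append(path.name)
    return {"hits": dict(hits), "victim_ids": victim_ids,
            "ransom_notes": notes, "unknown_variants": unknown}


def demo():
    """Build a constructed sample tree in a temp directory and scan it."""
    root = Path(tempfile.mkdtemp(prefix="dharma-triage-"))
    (root / "docs").mkdir()
    samples = [
        "docs/report.docx.id-A1B2C3D4.[Beamsell@qq.com].bip",
        "docs/budget.xlsx.id-A1B2C3D4.[Beamsell@qq.com].bip",
        "picture.jpg.[files.restore@aol.com].write",
        "notes.txt.id-A1B2C3D4.[GuardBTC@cock.li].arrow",
        "archive.zip.id-FFFF0000.[someone@example.invalid].newext",  # extension not on the page
        "Main.java",                 # an ordinary source file must not match
        "Info.hta",
        "docs/FILES ENCRYPTED.txt",
    ]
    for rel in samples:
        (root / rel).write_bytes(b"constructed sample, not ciphertext")
    return scan(root)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Files that carry the bracketed address but an extension missing from the list are reported under unknown_variants rather than dropped, since a new suffix is exactly how each new version has announced itself. A plain .java source file, by contrast, is not reported: the bracketed address is what marks a Dharma file, not the suffix alone.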

The email addresses the hackers provide vary. Depending on the version, you might be told to write to bitcoin143@india.com, files.restore@aol.com, worm01@india.com (this version drops a worm.exe file on the system), btc2017@india.com, oron@india.com or another @india.com address, or Beamsell@qq.com. One of the later variants, Arena, asks victims to write to sindragosa@bigmir.net. We strongly advise against contacting them: you have no way of knowing what to expect from these extortionists or how the exchange might end.

It is more sensible to remove Dharma and then use your computer normally. If you keep using the machine with the ransomware still installed, it runs again at every reboot and encrypts any new files.

Important information. As for data recovery, you can restore your files from a backup or with an updated Rakhni decryption tool. One 2-Spyware visitor also reported a surprising method that restored files with the .[oron@india.com].dharma extension for free: he recovered encrypted archives by extracting them with 7-Zip. For more information, see the data recovery methods below the article.

Chronology of ransomware evolution

Oron@india.com ransomware virus. The developers released an updated Dharma version that is named after the email address in its file extension. Like any other ransomware, it encrypts important files on the targeted computer to extort money.

The easiest way to recognize the Oron@india.com ransomware virus is to check the file extension: documents it encodes receive the [oron@india.com].dharma extension, which consists of two parts, the contact email address and the actual extension.

Displaying the email address is meant to push you into contacting the crooks for the decryption tool. However, if you reach them at oron@india.com, there is a high risk that they will take your payment without handing over the decryption key, so we do not recommend playing by the attackers' rules.

Luckily, files encrypted by this version can be restored with the Dharma decryptor, so there is no need to fund the criminals' further activity by paying the ransom.

Zzzzz ransomware virus. This version shares its extension with the infamous Locky virus. Whether the zzzzz developers copied Locky's idea or the choice of extension is a coincidence is unclear, but the two viruses are unrelated and built on different code. That does not make the zzzzz version any less dangerous than Locky.

It still encrypts files, making them inaccessible, and demands payment for the key. You can try the Dharma decryptor to recover zzzzz files, but the priority is removing the virus from your computer to prevent further damage.

Wallet ransomware virus. The Wallet version appends the .wallet extension to encrypted files. Victims are urged to contact the criminals at amagnus@india.com; no specific terms are given up front. To make sure victims see the recovery conditions, the virus replaces the desktop wallpaper with an image of the ransom note.

The extortionists also set a 72-hour deadline and claim that if victims fail to pay in time, the decryption key will be destroyed and the files lost forever. There are alternatives, and you do not have to give in to their demands: scroll to the end of this article for the data recovery options recommended by experts.

.onion file virus. This Dharma variant was spotted in April 2017. It spreads via malicious email attachments; once a victim opens the attachment, the malware sneaks into the system, scans it for the targeted file types and encrypts them with a strong algorithm that keeps the owner from accessing them.

The ransomware appends the .onion extension to encoded documents, PDFs, video, audio and image files, databases and other common file types. The authors claim that buying their decryption software is the only way to get the data back; do not rely on their word. After an attack, focus on malware removal first and look into data recovery options afterwards.

Cezar ransomware virus. This version emerged in mid-August 2017 and is also known as the Cesar ransomware virus. It is named after the extension it adds to encrypted files, .cezar or .cesar respectively, and tells victims to write to btc2017@india.com for recovery instructions, so it behaves as a typical Dharma version.

Dharma Cezar ransomware variant

The aim is to force the victim to get in touch with the cybercriminals and negotiate data recovery. They will demand a large ransom in Bitcoin and promise a decryption key afterwards. Criminals cannot be trusted, so we do not recommend putting much effort into getting them to restore your files; chances are they never will.

Arena ransomware virus. Arena is a later addition to the Dharma family, spotted by security researcher Michael Gillespie on August 23rd, 2017. This variant appends the now familiar extension pattern .id-[ID].[criminal's email address].arena and writes its ransom note to a file named FILES ENCRYPTED.txt.

Dharma Arena ransomware version

The note tells victims to contact the criminals at sindragosa@bigmir.net and gives no hint about the price of the decryption key. Currently the only thing that can restore your files is a data backup. Remove the Arena ransomware before plugging a backup drive into the computer, otherwise the virus will encrypt the files stored on it as well.

.Java file extension virus. The developers of Dharma update their malware from time to time. While they cannot compete with the authors of the GlobeImposter family, who have been releasing new builds almost daily, Dharma still counts as a persistent, actively maintained threat.

Since the last update, security experts have reported several new versions. One attaches the .id-[ID].[recfile@protonmail.com].cobra extension; its ransom note repeats the email address from the extension.

Dharma Java ransomware image

Meanwhile, the Java version of Crysis/Dharma attaches these extensions:

  • .id-[8 characters].[1778357646@gg.com].java[6]
  • .[decrypthelp@qq.com].java
  • .id-[8 characters].[sm@uwmanage.com].java

More than three versions of this Java ransomware are believed to be circulating, so be careful while browsing. Security experts report no significant changes to the source code; they only warn about the spam campaign that spreads it with the subject line “The Request Invoice.”

Here is the message content:

Here is the Invoice you requested. Please make sure to print it, sign it and scan it to send it back to us.
Best Regards,
Tim Brooks
Sales Department

Note the absence of full company details and a logo. Counterfeit messages carrying malware often contain grammatical errors and typos.

This version also does significant damage to the system: it disables system recovery and deletes Volume Shadow Copies, which greatly reduces the alternative data recovery options. Remove the Java virus immediately.
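Deleting shadow copies and disabling recovery, which the .bip version described further down also does, is the behaviour that gives defenders their best early warning: it usually happens right before or during encryption, from a command line that an ordinary user's session never runs. The Python below is an added example, not code from this page, from 2-Spyware or from the malware. The page does not show the commands Dharma uses, so the rules cover the standard Windows commands that delete shadow copies or turn off recovery (vssadmin, wmic, the Win32_Shadowcopy WMI class, bcdedit and wbadmin); treat them as an assumption to extend with your own telemetry. The process-creation events it runs over are constructed, not a real capture.

```python
"""Flag process-creation events that destroy Windows recovery artefacts.

Added example for this article, not 2-Spyware's or the malware's code.  The
page says these Dharma versions disable system recovery and delete shadow
copies but does not show the commands; the rules below cover the standard
Windows commands that do that and are an assumption to extend with your own
telemetry.  The events are constructed, not a real capture.
"""
import re

RULES = {
    # vssadmin delete shadows /all /quiet
    "vss_delete": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    # vssadmin resize shadowstorage ... /maxsize=... (starves the shadow store)
    "vss_resize": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\b.*\bshadowstorage\b"),
    # wmic shadowcopy delete
    "wmic_shadow": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    # PowerShell: Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }
    "ps_shadow": re.compile(r"win32_shadowcopy.*\.delete\("),
    # bcdedit /set {default} recoveryenabled no  |  bootstatuspolicy ignoreallfailures
    "bcdedit_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\b(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b"),
    # wbadmin delete catalog -quiet
    "wbadmin_catalog": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\b.*\bcatalog\b"),
}


def normalise(cmdline):
    """Lower-case, drop quotes and collapse whitespace so spacing and quoting tricks do not dodge the rules."""
    return re.sub(r"\s+", " ", cmdline.replace('"', "").replace("'", "")).strip().lower()


def match_rules(cmdline):
    """Names of every rule the command line triggers (empty list for benign commands)."""
    text = normalise(cmdline)
    return [name for name, rx in RULES.items() if rx.search(text)]


def analyze(events):
    """Run the rules over process-creation events; each event needs ts, host, user and cmdline."""
    alerts = []
    for ev in events:
        rules = match_rules(ev["cmdline"])
        if rules:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "rules": rules, "cmdline": ev["cmdline"]})
    return alerts


def hosts_with_chain(alerts, min_rules=2):
    """Hosts where at least `min_rules` distinct destructive actions fired: a chain, not a lone admin command."""
    seen = {}
    for a in alerts:
        seen.setdefault(a["host"], set()).update(a["rules"])
    return sorted(host for host, rules in seen.items() if len(rules) >= min_rules)


# Constructed events in the shape of Sysmon event 1 / Windows 4688 fields.
SAMPLE_EVENTS = [
    {"ts": "2018-05-14T09:12:01Z", "host": "WS-017", "user": r"CORP\jdoe",
     "cmdline": "vssadmin list shadows"},                                   # benign
    {"ts": "2018-05-14T09:12:07Z", "host": "WS-017", "user": r"CORP\jdoe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c "vssadmin  delete shadows /all /quiet & wbadmin delete catalog -quiet"'},
    {"ts": "2018-05-14T09:12:08Z", "host": "WS-017", "user": r"CORP\jdoe",
     "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"ts": "2018-05-14T09:12:08Z", "host": "WS-017", "user": r"CORP\jdoe",
     "cmdline": "bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"ts": "2018-05-14T09:40:22Z", "host": "SRV-02", "user": r"CORP\svc_backup",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2018-05-14T09:40:25Z", "host": "SRV-02", "user": r"CORP\svc_backup",
     "cmdline": 'powershell.exe -nop -w hidden -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"ts": "2018-05-14T10:02:00Z", "host": "SRV-03", "user": r"CORP\admin",
     "cmdline": "bcdedit /enum"},                                           # benign
]


def demo():
    """Alerts produced by the constructed sample events."""
    return analyze(SAMPLE_EVENTS)


if __name__ == "__main__":
    alerts = demo()
    for a in alerts:
        print(a["ts"], a["host"], a["user"], ",".join(a["rules"]), "::", a["cmdline"])
    print("hosts with a destructive chain:", hosts_with_chain(alerts))
```

The chain check matters in practice: vssadmin list shadows or a lone bcdedit /enum from an administrator is routine, while several distinct destructive commands on one host within seconds is not, and that is the point at which isolating the host still saves whatever has not been encrypted yet.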

.write file extension virus. After several months of silence, the developers updated Dharma ransomware once again. The changes are small: the variant uses a different file extension and a different contact email address, presumably to evade detection and keep the operators anonymous.

The upgraded variant appends .write, in full [files.restore@aol.com].write, to the data it encrypts on the targeted system. The files become unusable, and victims are encouraged to pay the ransom in exchange for a decryption tool.

The ransom message tells victims to contact the criminals at files.restore@aol.com. Keep in mind that the criminals will try to persuade you to pay while offering no guarantee that you will receive a Dharma decryptor.

The .write file extension virus is currently undecryptable. That does not mean paying the ransom is the only way to get your files back: there are ways to recover data without obeying the crooks, described in the data recovery steps at the end of this article.

.arrow file extension virus. The developers of Dharma ransomware are not going to stop, as the most recent discovery shows. Ransomware researchers detected yet another altered version, which appends .id-[ID].[email].arrow to encrypted files.

It was first noticed at the beginning of March 2018, and analysis suggests it is built on the .cezar version. The ransom amount is unknown, but the extortionists can be contacted at GuardBTC@cock.li, Blammo@cock.li or Bitcoin888@cock.li.

Bip ransomware virus. In mid-May 2018, another Dharma variant was noticed appending [Beamsell@qq.com].bip to encrypted files. It deletes Volume Shadow Copies to make recovery without backups nearly impossible.

Dharma Bip ransomware example

After encrypting, the .bip virus drops two ransom notes, Info.hta and FILES ENCRYPTED.txt, in which victims are told to email Beamsell@qq.com for recovery instructions. How much the developers demand is unknown, but it is still not worth paying them. Focus on Bip removal instead.

Malicious emails – the main ransomware distribution method

Like many other ransomware families, this one preys on unwary computer users and relies on phishing[7] to infect targeted systems. The most common method is malspam: emails that trick recipients into opening a malicious attachment carrying the ransomware payload. Despite widely available advice on precautions, many people continue to fall for the same tricks.

Dharma ransomware malspam examples

The LesVirus.fr[8] team has prepared tips to avoid ransomware infiltration. To protect your computer, do the following:

  • If you receive an email from an unknown sender, company or institution, examine it carefully.
  • Ask yourself whether you were expecting such an email; if you have no idea why it reached you, you may be a target.
  • In that case, stay away from any attachment and delete the email immediately. Otherwise Dharma can slip its payload in as a fake plane ticket, speeding ticket or other document convincing enough to be taken at face value.

Eliminate Dharma virus with reputable anti-malware

Ransomware threats are dangerous and tricky to eliminate: such infections consist of several components, which they can hide or disguise as legitimate system processes. You can either get help from an IT specialist or use professional Dharma removal software.

Because of this, you cannot simply delete Dharma; a few extra steps are needed before you run the system scan. These steps are presented below: follow them and do not forget to scan the system automatically afterwards. We suggest using one of these tools: Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware.


Manual Dharma virus Removal Guide:

Remove Dharma using Safe Mode with Networking

To make the ransomware inactive and allow you to install security software, boot the system into Safe Mode with Networking. The following instructions guide you through the process:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen, then press and hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Dharma

    Log in to the infected account and start the browser. Download Reimage or another legitimate anti-spyware program, update it, run a full system scan and remove the malicious files that belong to the ransomware to complete Dharma removal.

If the ransomware blocks Safe Mode with Networking, try the next method.

Remove Dharma using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen, then press and hold Shift and click Restart.
    2. Select Troubleshoot > Advanced options > Startup Settings and press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore and press Enter.
    2. Now type rstrui.exe and press Enter.
    3. When the System Restore window appears, click Next and select a restore point dated before the Dharma infection, then click Next again.
    4. Click Yes to start the system restore.
    Once the system has been restored to an earlier date, download Reimage and scan your computer to make sure Dharma removal has been completed. Keep in mind that System Restore reverts system files, settings and installed programs; it does not bring back encrypted documents, so data recovery is a separate step.

Bonus: Recover your data

The guide above is meant to help you remove Dharma from your computer. To recover your encrypted files, we recommend the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Dharma, you can use several methods to restore them:

Get the Data Recovery Pro tool

Experts recommend this recovery software to those who want to save time and try to get their data back automatically. Tools of this kind attempt to recover deleted originals; they do not break the encryption, so results vary from one variant to another.

You can recover individual files with the Windows Previous Versions feature

Windows users can recover individual files encrypted by Dharma right away, provided System Restore was enabled before the ransomware entered the computer (the versions that delete shadow copies remove these previous versions as well).

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Check each of the available copies of the file under “Folder versions”, select the version you want to recover and click “Restore”.

IMPORTANT. How to use the Dharma decryptor

Dharma victims are lucky in that numerous decryption keys have leaked online, and Kaspersky Lab has upgraded its Rakhni decryptor so that it can decrypt files with the .dharma extension. Download it and try it.

If the decryptor fails to decrypt your files: our team recently received a message from a reader whose client was infected with the .[oron@india.com].dharma version. Surprisingly, the reader reported restoring encrypted archives by extracting them with 7-Zip. Try this method if you have not already; the original comment is in the comments section below.
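The page reports that reader's success with 7-Zip, here and in the "Important information" paragraph earlier, but does not say why it worked. One explanation consistent with the report, which the page does not confirm, is that a large archive was only partly overwritten and the ZIP directory at its tail survived, which is all an archive tool needs to list and extract the untouched entries. The following Python is an added example, not code from this page or from 2-Spyware, and not a Dharma decryptor: it builds a constructed archive, simulates head-only and tail-only damage with deterministic junk standing in for ciphertext, and shows which entries the standard reader and a header-carving fallback can still verify by CRC. The entry names, sizes and damage offsets are all assumptions.

```python
"""Which parts of a damaged ZIP archive survived, and what can still be extracted?

Added example for this article, not 2-Spyware's code and not a decryptor.  It
tests the hypothesis (not confirmed by the page) that the reported 7-Zip
recovery worked because only part of the archive was overwritten.  The
archive, entry names and damage offsets are constructed.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"     # local file header, one per entry
CENTRAL_SIG = b"PK\x01\x02"   # central directory entry, at the tail
EOCD_SIG = b"PK\x05\x06"      # end-of-central-directory record
_LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")   # 30-byte fixed part of a local header


def find_all(data, sig):
    """Every offset at which `sig` occurs in `data`."""
    hits, pos = [], data.find(sig)
    while pos != -1:
        hits.append(pos)
        pos = data.find(sig, pos + 1)
    return hits


def survey(data):
    """Where the ZIP signatures are; shows which end of the file was damaged."""
    return {"local_headers": find_all(data, LOCAL_SIG),
            "central_entries": find_all(data, CENTRAL_SIG),
            "eocd": find_all(data, EOCD_SIG)}


def via_central_directory(data):
    """Entries the normal reader (7-Zip, zipfile) can still extract with a good CRC."""
    names = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                try:
                    zf.read(info.filename)       # raises on a bad header or CRC
                    names.append(info.filename)
                except (zipfile.BadZipFile, zlib.error):
                    pass
    except zipfile.BadZipFile:
        pass                                     # the directory itself is gone
    return names


def carve_entries(data):
    """Recover entries from intact local headers alone; works when the tail is gone."""
    recovered = []
    pos = data.find(LOCAL_SIG)
    while pos != -1 and pos + _LOCAL_HDR.size <= len(data):
        (_, _, flags, method, _, _, crc, csize, usize, nlen, xlen) = _LOCAL_HDR.unpack_from(data, pos)
        name_start = pos + _LOCAL_HDR.size
        data_start = name_start + nlen + xlen
        next_pos, payload = pos + 1, None
        # Bit 3 set means the sizes live in a trailing data descriptor; this carver skips those.
        if not flags & 0x0008 and data_start + csize <= len(data):
            raw = data[data_start:data_start + csize]
            if method == 0:                       # stored
                payload = raw
            elif method == 8:                     # raw deflate
                try:
                    d = zlib.decompressobj(-15)
                    payload = d.decompress(raw) + d.flush()
                except zlib.error:
                    payload = None
        if payload is not None and len(payload) == usize and zlib.crc32(payload) == crc:
            name = data[name_start:name_start + nlen].decode("utf-8", "replace")
            recovered.append((name, payload))
            next_pos = data_start + csize         # skip the verified data
        pos = data.find(LOCAL_SIG, next_pos)
    return recovered


def build_sample_archive():
    """Constructed three-entry archive; the big middle entry means damage at either end spares one small one."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("01-notes.txt", "meeting notes, nothing secret\n", compress_type=zipfile.ZIP_STORED)
        zf.writestr("02-blob.bin", bytes(range(256)) * 32, compress_type=zipfile.ZIP_STORED)
        zf.writestr("03-config.ini", "[db]\nhost=localhost\n", compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def overwrite(data, start, length):
    """Stand-in for ciphertext: deterministic junk whose byte step (131) can never produce 'PK'."""
    junk = bytes((i * 131 + 7) & 0xFF for i in range(length))
    return data[:start] + junk + data[start + length:]


def demo():
    """Head-only and tail-only damage side by side."""
    intact = build_sample_archive()
    head = overwrite(intact, 0, 2048)
    tail = overwrite(intact, len(intact) - 512, 512)
    return {
        "head_damaged": {"eocd_present": bool(survey(head)["eocd"]),
                         "central": via_central_directory(head),
                         "carved": [n for n, _ in carve_entries(head)]},
        "tail_damaged": {"eocd_present": bool(survey(tail)["eocd"]),
                         "central": via_central_directory(tail),
                         "carved": [n for n, _ in carve_entries(tail)]},
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

With the head overwritten, the directory at the tail is intact and both the normal reader and the carver return the last entry; with the tail overwritten, the normal reader sees no archive at all while the carver still recovers the first entry from its local header. Run survey() on a real .dharma archive before trying 7-Zip: if neither signature set survives, the file was encrypted in full and no archive tool will help.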

Finally, think about protection against crypto-ransomware in advance. To protect your computer from Dharma and other ransomware, use reputable anti-spyware such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti-Malware.

About the author

Jake Doevan - Computer technology expert


