Dharma ransomware. 40 Variants listed for 2021

Dharma virus Removal Guide

What is Dharma ransomware virus?

Dharma ransomware – one of the most established and broad crypto-malware families that target regular users

Dharma ransomware virusDharma ransomware virus was discovered in 2016. It keeps updating in 2019. The latest file extensions .gif .AUF, .USA, .xwx, .best, and .heets.

Dharma is a crypto-virus that first struck the world in 2016 and has been resurfacing with new versions regularly during recent years. From the first quarter of 2019 up till now, the virus comes back with new versions. The malware uses a complex extension consisting of user ID, contact email, and an extension, for example – .DEX, .YOUF, .SWP, .Cvc, or .World. Since its release, the AES or DES + RSA encryption algorithms have been used to encrypt data; ransom note titles and contents might vary slightly, although they are typically called either Info.hta and FILES ENCRYPTED.txt.

These documents are asking to contact developers via the provided email address and pay for the decryption service. As long as the the virus keeps presenting new file extensions, be careful with unknown emails from suspicious senders since the virus still relies on spam when spreading around. Small businesses and bigger organizations should also be cautious – at the end of March 2019, the malware hit a system of the parking lot in Canada.[1] Previously, Dharma ransomware infected Texas hospital[2] and some other organizations.

Although the newer samples of this cryptovirus show it is distributed via spam email, they deliver different files in the particular campaigns. Researchers revealed new information that malicious actors use download links. When the user clicks on such a hyperlink, the password listed in the email itself can be used to get the particular file.

Once the self-extracting defender.exe file is opened, it drops a malicious file on the system. It appears to be an old version of ESET AV Remover and connects with the Dharma virus. During the fake AV tool installation, the malicious code is executed, resulting in computer infection and, later, file encryption.

During the first months of functioning, Dharma ransomware was spreading as an alternative for Crysis ransomware. However, now these viruses are considered to be of a different kind as the most of traits do not match. The ransomware caught attention back in November 2016[3] and was compared with Locky virus.[4] Dharma (.cezar family) and some other versions (Adobe ransomware, Combo ransomware, Java ransomware, Bip ransomware) have proven that the virus is ready for anything.

Name Dharma virus
Type Ransomware
Danger level High. Makes system changes and encrypts files
Release date 2016
Ransom note Info.hta, FILES ENCRYPTED.txt
Encryption method Malware uses AES or a combination of DES + RSA to lock files, depending on the version
Distribution It is mainly delivered via infected email attachments, although other techniques, such as software cracks or fake updates, can be used as well
Data recovery Some versions of the virus can be decrypted with a free RakhniDecryptor
Malware elimination To remove ransomware from your system, you should scan the device with powerful anti-malware software
System fix Malware can cause significant issues after it is deleted from the system (lag, crashes, errors, etc.). In case you experience problems after virus elimination, attempt to fix system damage with ReimageIntego

Since 2016, researchers have revealed over hundred different Dharma ransomware versions, all of which share many similar features and the main difference is the file extension appended. As time passed, experts have been updating the decryption tool which was launched soon after the first appearance of the virus.[5] However, it seems that victims are not capable of decrypting files encrypted by the latest versions.

Even though this crypto-malware has been silent for several months now, it seems to be back with several new versions in 2019, including .USA, .xwx, .best .NWA, .ETH, and .com file extensions. If you think that you are infected, don't waste your time because the more time you give to the virus, the more files it can encrypt. Make sure you disconnect your computer from the Internet and scan it with anti-virus software. Additionally, try Dharma ransomware decryptor (called RakhniDecryptor tool).

Since the end of spring 2020, cybersecurity researcher Jacub Kroustek has started warning people that the Dharma virus keeps evolving with its new variants. In June, criminals released over ten new ransomware variants, the most prominent of which are .base, .R3f5s, .bad, .HCK, .hlpp, .FRM, .WCH, .club, .PGP, .well, .space, .BOMBO. The virus activity does not seem to end in July. Since the middle of the month, criminals have already released some noteworthy variants that manifest with the following extensions: .data, .smpl, .felix, .null, .gns, .bmtf, .nhlp, .prnds, .dtbc, .BOOT, .GYGA, and others. All these variants are identical, except the email addresses owned by criminals.

Dharma Cezar ransomwareDharma ransomware - a cryptovirus which has numerous variants that have been actively infecting users behind their back.

On the day of its appearance, security experts didn't know much about Dharma in general and believed it to be one of the new-generation viruses.[6] It seems that the virus developers were trying to keep it as obscure as possible and didn't follow the typical patterns other ransomware creators do.

For instance, the virus did not drop ransom notes or any other additional documents that would let you know about the virus hiding in the system. Also, on the day of virus discovery, November 2016, antivirus utilities did not seem to detect its malicious components, which complicated Dharma ransomware removal significantly. If you think that you are dealing with virus damage caused by this malware, use ReimageIntego to double-check the system.

Almost 200 Dharma versions used to infect home users and companies

In 2019, the most widespread Dharma ransomware version is known to use .eth, .bip, .cezar and .cesar file extensions. However, new versions keep evolving in 2020 and the criminals keep coming up with new names for the extensions, e.g., .$love and .LOL. Nonetheless, it seems like criminals keep reusing some of the previously-known names, such as LOL Dharma, which was first spotted in 2017.

Before that, the virus used the AES encryption algorithm[7] to encrypt all personal data on the device. It also deletes shadow volume copies on each Windows operating system it infects. Having in mind that the malware has already infected medical organizations and huge companies, encrypted data can be vital, and its recovery can be related to saved or lost lives.

In fact, there are hundreds of versions that come from the Dharma virus family. While some of the versions are extremely prevalent, others manage to merely infect a few victims. Regardless, the impact of the infection is tremendous. Users affected by this malware family can expect to see their files appended with one of the following extensions:

  • .air
  • .888
  • .amber
  • .cesar
  • .cesar
  • .onion
  • .dharma
  • .wallet
  • .zzzzz
  • .java
  • .write
  • .bip
  • .arrow
  • .combo
  • .brrr
  • .gamma
  • .bk66
  • .funny
  • .Acuf2
  • .VIRUS
  • .IMI
  • .NcOv
  • .IPM
  • .PPHL
  • .GET
  • .gold
  • .lina
  • Zxcv
  • .cezar
  • .USA
  • .dec
  • .xwx
  • .monro
  • .vanss
  • .azero
  • .BANG
  • .com
  • .best
  • .drweb
  • .bkp
  • .like
  • .gdb
  • .AUF
  • .xxxxx
  • .stun
  • .btix
  • .nqix
  • .kr
  • .asd
  • .R2D2
  • .LX
  • .tcprx
  • .Back
  • .bmd
  • .WSHLP
  • Gtsc
  • .frend
  • .KARLS
  • .aqva
  • .aye
  • .korea
  • .plomb
  • .nwa
  • .xxxxx
  • .888
  • .heets
  • .adobe
  • .qwex
  • .btc
  • .gate
  • .ETH
  • .love$
  • .LOL
  • .payB
  • .HACK
  • .ninja
  • .RIDIK
  • .crown
  • .N3
  • .mnbzr
  • .crec
  • .TEREN
  • YUFL
  • Dme
  • .data
  • .smpl
  • .felix
  • .null
  • .gns
  • .bmtf
  • .nhlp
  • .prnds
  • .dtbc
  • .BOOT
  • .GYGA
  • .lxhlp
  • .HOW
  • .credo
  • .base
  • .r3f5s
  • .bad
  • .HCK
  • .Q1G
  • .SySS
  • .1BTC
  • .YKUP
  • .dr
  • .LOG
  • .Aim
  • .blm
  • bH4T
  • FLYU
  • .hlpp
  • .FRM
  • .WCH
  • .club
  • .PGP
  • .well
  • .space
  • .BOMBO
  • .TRAMP
  • .DOP
  • .php
  • .0day0
  • .NET
  • .dqb
  • .html
  • .save
  • .KICK
  • .PLUT
  • .com2
  • .2048
  • .blend
  • .GTF
  • .HAT
  • .1dec
  • .abc
  • .eur
  • 259
  • CVE
  • .pdf
  • .group
  • .biz
  • .MGS
  • .cmd
  • .ebola
  • .money
  • .VIVAL
  • .CASH
  • .KRAB
  • .oo7
  • .uta
  • .bot
  • .wiki
  • .PBD
  • .one
  • .xda
  • .asus
  • .start
  • .bitx
  • .LIVE
  • .Mark
  • .WEEK
  • .xati
  • .NW24
  • .AHP
  • LCK
  • Fresh

Once the malware encrypts the victim's files, it drops the brief ransom note on the infected computer, such as this one. As we have already mentioned, the Dharma ransomware virus failed to do that at the beginning of its distribution.

At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:

Victims have also reported about seeing this ransom note:

hallo, our dear friend!
looks like you have some troubles with your security
all your files are now encrypted
using third-party recovering software will corrupt your data
you have only one way to get them back safety – using our decryption tool
to get original decryption tool contact us with email is subject like write your ID which your can find
in name of every encrypted file, also attach to email 3 crypted files.
It is your interest to respond as soon as possible to ensure the restoration of your files because we won’t keep your decryption keys at our servers more than 72 hours in interest of our security
PS. only in case you don’t receive a response from the first email address within 24 hours, please use this alternative email address lavandos@india.com

As you can see, users are asked to contact the criminals via an email address provided in the note and inquire about the ransom needed to recover the affected files. Apart from the email, you will also see .dharma file extension or similar appendix pinned at the very end of the string. For instance, if your file is labeled as picture.jpg, the affected version of the file will be picture.jpg[email_address].dharma or picture.jpg[files.restore@aol.com].bip.

The email address depends on the Dharma ransomware version, so you can be asked to use bitcoin143@india.com, files.restore@aol.com, worm01@india.com (this virus drops worm.exe file on the system), btc2017@india.com, oron@india.com, or another @india.com, beamsell@qq.com, sindragosa@bigmir.net email address. A full list of email addresses:

  • decrypthelp@qq.com,
  • files.restore@aol.com,
  • beamsell@qq.com,
  • guardBTC@cock.li,
  • blammo@cock.li,
  • bitcoin888@cock.li,
  • files.restore@aol.com,
  • 1778357646@gg.com,
  • decrypthelp@qq.com,
  • sm@uwmanage.com,
  • java2018@tuta.io,
  • e_cryption@tuta.io
  • decryption1@protonmail.com
  • im.online@aol.com
  • onlineim@hitler.rocks
  • nullcipher@cock.li
  • nullcipher@tutanota.com
  • newhelper@protonmail.ch,
  • newhelper@cock.li
  • lxhlp@protonmail.com and
  • lxhlp2@protonmail.com
  • Recovery@qbmail.biz
  • r3ad4@aol.com
  • r3ad4@cock.li
  • hlpp@protonmail.ch
  • hlpp2@protonmail.com
  • openpgp@foxmail.com
  • mewellwisher@protonmail.ch
  • iamwellwisher@tutanota.com
  • clevercrypt@aol.com
  • back_me@foxmail.com
  • btcdecoding@qq.com
  • mstr.hacker@protonmail.com
  • thebest777@protonmail.ch]
  • mr.hacker@tutanota.com
  • panama777@tutanota
  • getbtc@aol.com
  • Harmahelp73@gmx.de
  • Cybergroup1@aol.com
  • mrcrypt@cock.li
  • Veracrypt@foxmail.com
  • Newebola@aol.com
  • cryptocash@aol.com
  • Admin@fentex.net
  • jacklee@airmail.cc
  • MerlinWebster@aol.com
  • paybuyday@aol.com
  • Vite.mcclatchie@aol.com
  • admin@sectex.net
  • fireshow@cock.li
  • marjut65@tutanota.com
  • blablacar@airmail.cc
  • syspentest@aol.com
  • rsa2048@cock.li
  • 1btc@qbmail.biz
  • grdoks@tutanota.com
  • Keyfiles@cock.li
  • Asdbtc@aol.com
  • whitwellparke@aol.com
  • recoverysql@trotonmail.com
  • BTC@decoding.biz
  • helips@protonmail.com
  • notgoodnews@tutanota.com
  • cyberunion@tuta.io
  • crown_desh@aol.com
  • Help.me24@protonmail.com
  • decrypt@qbmail.biz
  • antiransomware@aol.com
  • wang.chang888@tutanota.com
  • back_data@foxmail.com
  • MrRdx@cock.li
  • fooox1@protonmail.com
  • neuromanix@aol.com
  • Theransom@tutanota.com
  • Zagrec@protonmail.com
  • trfgklmbvzx@aol.com
  • week1@tuta.io
  • getscoin2@protonmail.com
  • Backdata@zimbabwe.su
  • getthefiles@protonmail.com
  • cl_crypt@aol.com
  • databack44@tuta.io
  • decrypt@europe.com
  • dr.crypt@aol.com,
  • aq811@tutanova.com
  • bitcoins12@tutanota.com
  • gangflsbang@protonmail.ch
  • paybit@aol.com
  • bebenrowan@aol.com,
  • paydecryption@qq.com,
  • bkp@cock.li,
  • getdataback@fros.cc
  • help@decrypt-files.info
  • Helpsir@rape.lol
  • anticrypt@countermail.com,
  • sebekgrime@tutanota.com,
  • crypted_files@qq.com,
  • master777@tutanota.com
  • felix@countermail.com
  • geniusid@protonmail.ch,
  • geniusyourid@cock.li
  • prndssdnrp@mail.fr
  • resetboot@aol.com
  • gygabot@cock.li
  • gygabot@protonmail.com
  • savebase@aol.com
  • savebase@420blaze.it
  • hitsbtc@tuta.io
  • hitsbtc@protonmail.com
  • admin@stelsdatas.com
  • admin@stelsdatas.club
  • Mail@qbmail.biz
  • btc3301@messageden.com
  • day_0@aol.com
  • neural.net@tuta.io
  • Ban.out@foxmail.com
  • paydra@cock.li
  • MasterLuBu@tutanota.com
  • Support@qbmail.biz
  • Harmahelp73@protonmail.com
  • usacrypt@aol.com
  • 3442516480@qq.com
  • Vip76@protonmail.com
  • Dalanso@aol.com
  • cmdroot@airmail.cc
  • admin@stex777.com
  • keyhelp@cock.li
  • nmode@tutanota.com
  • bitlocker@foxmail.com
  • gillian.cher@aol.com
  • fullrestore@qq.com
  • starter@cumallover.me
  • fire_show@tuta.io
  • writehere@onlinehelp.host
  • ninja777@cock.li
  • Maximum@onlinehelp.host
  • 2048rsa@tutanota.com
  • admin@sectex.world
  • nmodes@aol.com
  • helpnetin@protonmail.com
  • manyfiles@aol.com
  • dewitt.foxcroft@aol.com
  • cryptor6@tutanota.com
  • Btcdecoding@foxmail.com
  • cryptlive@aol.com
  • Supp37@cock.li
  • magicswordhero@aol.com
  • devil98@tutanota.com
  • black@gytmail.com
  • krastoken@gmail.com
  • ncov2020@aol.com
  • ykup@tutanota.com
  • grandtheftfiles@aol.com
  • Decoding@qbmail.biz
  • help.crypt@aol.com
  • btckeys@aol.com
  • dr.decrypt@aol.com
  • pvphlp@tutanota.com
  • Logan8833@aol.com
  • xatixxatix@mail.fr
  • HarmaENC@Cock.li
  • Smith1@mailfence.com
  • newhelper24@protonmail.ch
  • goldmind@tuta.io
  • decrypt24@gytmail.com
  • aihlp24@tuta.io
  • syndicateXXX@aol.com,
  • bkp@cock.li,
  • bestdecoding@cock.li
  • usacode@aol.com,
  • data@decoding.biz,
  • payadobe@yahoo.com,
  • data_recovery_2019@aol.com,
  • sqlbackup2@mail.fr,
  • berserk666@tutanota.com
  • cryptor55@cock.li,
  • amber777king@cock.li,
  • plombiren@hotmail.com,
  • bfiles2@cock.li
  • unblock@badfail.info
  • data@recovery.s
  • crimecrypt@aol.com
  • crimecrypt@airmail.cc
  • dfgkbtprz@aol.com
  • dfgkbtprzvb@aol.com
  • databack2@protonmail.com
  • databack2@airmail.cc
  • how_decrypt@aol.com
  • howdecrypt@aol.com
  • ucos2@elude.in
  • cavefat@tuta.io
  • ripntfs@protonmail.com
  • wecanhelpu@tuta.io
  • wecanhelp2@protonmail.com
  • Bit_decrypt@protonmail.com
  • dayonpay@aol.com
  • dayonpay@goat.si
  • adm15@protonmail.com
  • Seavays@aol.com
  • Keeky@protonmail.com
  • DonovanTudor@aol.com
  • Bitcoin1@foxmail.com
  • Uncleme@cock.li
  • Decryptbots@cock.li
  • support@qbmail.biz
  • Fox5sec@aol.com
  • rsa1024@tutanota.com
  • vivaldicrypt@outlook.com
  • Blackmax@tutanota.com
  • b1tc01n@aol.com
  • [admin@fentex.net
  • ecnrypt98@cock.li
  • recoverysql@protonmail.com
  • DataBack@qbmail.biz
  • amandacerny89@aol.com
  • marjut56@cock.li
  • rsacrypt@aol.com
  • veerafa@airmail.cc
  • jackadams@airmail.cc
  • backdata.company@aol.com
  • catchbtc797@protonmail.com
  • imdecrypt@aol.com
  • Admin@datastex.club
  • admin@spacedatas.com
  • anna.kurtz@protonmail
  • filemgr@tutanota.com
  • decrypt@files.mn
  • Myfilesback@aol.com
  • new2crypt@aol.com
  • 1024back@tuta.io
  • mr.crypteur@protonmail.com
  • Coronavirus@qq.com
  • harma277@gmx.de
  • dryidik@tutanota.com
  • assonmolly5@gmail.com
  • mark_white@mail.ua
  • onioncrypt@aol.com
  • Thomaskey@cock.li
  • supermetasploit@aol.com
  • admin@steldatas.com
  • tcprx@tutanota.com
  • gocrypt@aol.com
  • recoverydata@qbmail.biz
  • tcprx@cock.li
  • abc@countermail.com
  • getthefiles2@protonmail.ch
  • backmydata@protonmail.com
  • blacklivesmatter@qq.com
  • linajamser@aol.com

However, we strongly suggest not to do that. You have absolutely no way of knowing what to expect from this bunch of extortionists and how contacting them might end. It is more reasonable to remove Dharma ransomware and use a free decryptor by Kaspersky. If you continue using your machine with ransomware running on the system, you can put yourself at risk of finding more encrypted data after rebooting the system.

Important information. Speaking of data recovery methods, you can restore your files encrypted by this malware. However, not all versions of the virus have been included in the decryptor's database. Nevertheless, try Rakhni decryptor or ESET Crysis Decryptor to see how it helps. Besides, according to one of the 2-Spyware visitors, he restored his data by using 7-Zip program as a Dharma ransomware decrypt tool. For more information, see the data recovery methods described below the article.

Dharma ransomwareDharma ransomware is a dangerous file-encrypting virus which has numerous versions using different file extensions after encryption.

Dharma ransomware versions described

Oron@india.com ransomware

Oron@india.com ransomware was released as an updated version of Dharma ransomware which was named according to the file extension it uses. Just like any other dangerous ransomware-type infection,[8] it aims to encrypt important files on the targeted computer to gain illegal profits. The easiest way to recognize the ransomware is to check the file extension — documents encoded by this version are appended with [oron@india.com].dharma extension. It consists of two sections: an actual extension and the email address.

An indication of the email is an attempt to urge you to contact the crooks for the decryption tool. However, if you reach them out via oron@india.com, there is a high risk that they will make you pay without giving the decryption key. Thus, we do not recommend following the rules of the attackers. Luckily, you can restore your files using Dharma Decrypter.

Zzzzz ransomware

Zzzzz ransomware is one of the versions sharing identical extensions with the infamous Locky virus. It is not clear whether virus developers took Locky's idea or they decided to use the same extensions to indicate encrypted files is a sheer coincidence. Despite the odds, these viruses are not related and are based on different codes. Nevertheless, this does not make zzzzz files virus any less dangerous than the nasty Locky virus.

The virus is still encrypting files and making them inaccessible. The reason for doing that – making the user pay the ransom payment for the access key. You may use Dharma ransomware decryptor to attempt zzzzz file recovery, but the most important thing is that you remove the virus from your computer to prevent further damage.

Wallet ransomware

Wallet ransomware is appending .wallet file extension to the encrypted files. Ransomware victims are also urged to contact criminals via the given email address amagnus@india.com and these are the only specific details upfront. The virus makes sure the victims are acquainted with the data recovery conditions by replacing the infected computer's desktop with an image of a ransom note.

Besides, extortionists set a 72-hour limit to pay the ransom and claim that, if victims fail to pay in time, the decryption key will be destroyed and they will lose access to their files forever. Of course, there are always alternatives and you don't have to succumb to the criminals' demands. Just scroll down to the end of this article and check our data recovery options for Dharma ransomware virus.

Onion file virus

.onion file virus was spotted in April 2017. The virus has been spreading via malicious email attachments. Once the victim clicks on an infected attachment, malware sneaks inside the system. On the affected device, ransomware starts a system scan and looks for the targeted file types. For data encryption, it has been using a sophisticated algorithm that prevents users from accessing their files.

Ransomware appends the .onion file extension to the encoded documents, PDFs, video, audio, image files, databases, and other popular file types. Nevertheless, the authors of Dharma ransomware virus claim that purchasing decryption software from them is the only option to get back access to your data. However, you should not rely on their words. After the attack, you should focus on malware removal and later look for data recovery possibilities.

Cezar ransomware

Cezar ransomware emerged in the middle of August 2017. It is also known as Cesar ransomware due to a slightly different extension appended to the target data, respectively .cezar or .cesar. The virus suggests writing to btc2017@india.com for instructions on how to recover encrypted files, so it works as a typical Dharma ransomware version.

The aim of the virus is to force the victim to get in touch with cybercriminals and start negotiations regarding data recovery. The criminals will ask you to pay an enormous ransom in Bitcoins and promise you to provide a Dharma decryption key afterward. Unfortunately, criminals cannot be trusted, so we do not recommend you to put too much effort into trying to make them restore your files. Chances are, they might never will.

Combo ransomware

Combo ransomware was discovered only days after the discovery of other threats. This one is different from others because it uses the same email used by the previously known ransomware – Bip. File extensions are called [Broodmother@cock.li].combo or .[combo@tutanota.de].combo which also include email addresses that are provided for letting victims know how to reach Dharma virus developers.

The email appears in typical ransom notes Info.hta and FILES ENCRYPTED.txt. However, as we always note, contacting criminals via Broodmother@cock.li or Combo@tutanota.de is not recommended since it may lead to permanent data loss or infiltration of more severe malware.

Arena ransomware

Arena ransomware is yet another addition to Dharma malware family. The virus was spotted by a security researcher Michael Gillespie on August 23rd, 2017. The new ransomware variants appends traditional extension – .id-[ID].[criminal's email address].arena. The virus then outputs some text in a FILES ENCRYPTED.txt file (known as ransom note).

Dharma Arena ransomwareDharma Arena ransomware is appending .arena file extension.

This version of Dharma ransomware virus has been suggesting contacting the criminals via sindragosa@bigmir.net email address, leaving no hints about the price of the decryption key. Unfortunately, currently, the only tool that could help you restore your files is a data backup. Remove Arena ransomware before trying to plug it into your computer, otherwise, the virus will encrypt files stored on it.

Java ransomware virus

.Java files virus was spreading around the Internet via spam using the subject line “The Request Invoice.” Security experts have been reporting about several new versions attaching these extensions:

  • .id-8-characters.[1778357646@gg.com].java[9]
  • .[decrypthelp@qq.com].java
  • .id-8-characters.[sm@uwmanage.com].java
  • id-8-characters.[pain@onefinedstay.com].java (the variant released in July 2020)

It is believed that there are more than three versions of this Java ransomware spreading on the Internet, so be careful while searching the web and ignore the following message:

Here is the Invoice you requested. Please make sure to print it, sign it and scan it to send it back to us.
Best Regards,
Tim Brooks
Sales Department

This Dharma ransomware version also inflicts quite significant damage to the system. It disables system recovery and deletes shadow volume copies. Though it greatly reduces the number of alternative data recovery options, it is recommended to remove Java virus immediately.

Dharma Java ransomwareDharma Java ransomware is one of the most aggressive examples of the cryptovirus.

Write ransomware virus

.write file extension virus came out after several months of silence. Even though there are not many changes overall, they have switched to using different file extensions and contact email addresses for identity protection. The upgraded variant is appending .write or [files.restore@aol.com].write file extension after encrypting important data that is stored on the targeted system.

Once the victims receive the ransom-demanding message, they are urged to contact the criminals via files.restore@aol.com email address. However, have in mind that criminals will try to persuade you to make the transaction while you have no guarantees of getting Dharma decryptor.

It is important to know that .write file extension virus is currently undecryptable. Although, it doesn't mean that the only way to get back access to your file is to pay the ransom. There are ways how you can recover data without obeying the demands of the crooks. For that, we recommend checking the decryption steps at the end of this article.

Arrow ransomware

.arrow file extension virus was detected at the beginning of March 2018. Virus analysis points out to .cezar version to be its substruction. Although it's not clear the sum of the ransom demanded, it's clear that extortionists can be contacted via GuardBTC@cock.li, Blammo@cock.li or Bitcoin888@cock.li emails. Consequently, it might be referred to as .id-.[].arrow file extension virus and is a clear example that the developers of Crysis/Dharma ransomware are not going to stop.

Bip ransomware

Bip ransomware came out in the middle of March 2018. Alternatively, it has been known as [Beamsell@qq.com].bip file extension. To make data decryption nearly impossible, the virus has been deleting shadow volume copies and then displaying a ransom note on the victim's computer desktop. The encoded files can only be recovered with the help of extra copies of encrypted files (backups) or RakhniDecryptor tool which was developed by Kaspersky.

Dharma Bip ransomware virusDharma ransomware is using AES encryption algorithm to lock target files and make them useless.

Following the encryption procedure, .bip files virus, in fact, drops two ransom notes in Info.hta and FILES ENCRYPTED.txt where victims of ransomware are asked to send an email to Beamsell@qq.comi to get data recovery instructions. It’s unknown how much money Dharma virus developers are asking to pay; however, it’s still not worth paying them. We recommend focusing on Bip removal instead.

Java2018@tutaio.arrow virus

.java2018@tuta io.arrow file extension virus emerged at the end of May 2018. It uses .[email].arrow file extension to the appended files. Immediately after the encryption, ransomware downloads a ransom note where victims are asked to contact crooks immediately. The faster they write, the less they need to pay, according to the ransom note.

Crooks behind this Dharma virus version are using two contact email addresses java2018@tuta.io or java2018@india.com. However, it's not recommended to discuss data recovery possibilities with developers of ransomware. This may not lead to any good. They will ask to pay the ransom, but there are no guarantees that they will let you decrypt files. Hence, it's better to eliminate ransomware from the system.

Brr ransomware

On the second week of September 2018, Brrr ransomware came to light. Files encrypted with .[paydecryption@qq.com].brrr pattern and same two ransom note files as most of the previous versions. Ransom note contains paydecryption@qq.com contact email and an offer to decrypt one file that is smaller than 1Mb. This move is definitely for manipulation and you shouldn't fall for this trick.

Gamma ransomware

Gamma ransomware was detected at the end of 2018 as yet another new version in Dharma/Crysis family. The virus has been relying on a similar pattern as other versions of this family: the virus fails to reveal a certain ransom amount, and actively offers to test the decryption for free. Other features of the Gamma version:

  • The malware is using .id-%ID%.[bebenrowan@aol.com].gamma file extension;
  • Ransomware drops a ransom note in files Info.hta and FILES ENCRYPTED.txt;
  • The contact email that was given to the victim: bebenrowan@aol.com.

Bkp ransomware

In September 2018, Dharma ransomware owners presented yet another version of this malware called Bkp ransomware. As you can guess, files are marked with .bkp file extension and cannot be opened or used. This variant, similarly to other ones, has been delivering the same files for ransom notes with the names Info.hta and FILES ENCRYPTED.txt The contact email provided to the victim is bkp@cock.li, but it can be changed over the time. At the time of writing, there are about 10 known victims affected by this particular version which also remains not decryptable.

Boost ransomware

Boost ransomware came out only a month after the previous versions we spotted on the Internet. This time, a virus is encrypting data by using the AES algorithm and marking those files using a specific pattern – .[boston.crypt@tuta.io].boost. As usual for this ransomware family, FILES ENCRYPTED.txt file with the ransom message gets delivered to folders that contain encoded documents, photos, and other files.

Waifu ransomware

Yet another version from Dharma family that was discovered in October 2018 – Waifu ransomware. The malware encodes user's files and marks them with an appendix that ends with .waifu. Also, contact email darknes@420blaze.it included in this file marker.

Dharma ransomware developers are the ones who have been releasing new versions constantly. As a result, they haven't been changing these viruses much, so it is obvious why this variant is not very different than previously discovered.

BTC ransomware

BTC ransomware came out in October 2018, but this one has more features than other variants. First, the virus has been dropping BTC_DECRYPT_FILES.txt or IDR__BTC_DECRYPT_FILES.txt files as ransom notes that get delivered to the victim's screen right after the file-locking procedure is finished.

The encrypted data can be recovered by buying a Dharma decryptor which costs from 0.5 BTC to 1.5 Bitcoin. Since experts have already spotted several samples of this malware, it is normal that they have noticed several contact emails offered to use for contacting cybercriminals behind the virus: btc@fros.cc; zikr@protonmail.com; zikra@protonmail.com; zikr@usa.com.

FUNNY ransomware

FUNNY ransomware came out at the end of October 2018 as well. This time, only the program window named as the contact email appears on the screen after encryption. The information stated on the window include instructions on how to buy Bitcoins and pay the demanded ransom.

When you write WildMouse@cock. or unlock24@cock.li and ask for the opportunity to decrypt files, the ransom amount should be revealed. It possibly differs from victim to victim, based on the number of files or the valuable information ransomware possibly accessed.

Xxxxx virus

The year of 2018 was a busy year for the Dharma ransomware developers. Xxxxx ransomware was only one of many versions that got released this year. However, this version was the last discovered in October 2018. Not many new information got revealed with this version since it also not changed and resembles other 20+ variants.

Only features that make it different from previous Dharma versions:

  • file marker .id-id.[syndicateXXX@aol.com].xxxxx
  • contact email syndicateXXX@aol.com

Audit ransomware

Audit files virus appeared in November 2018 which came out after infecting several victims out of nowhere. It seems that crooks are still giving 24 hours for victims to reach them via contact email payransom@qq.com. This information alongside the victims' ID and places where you can buy cryptocurrency is delivered with the program window named with the particular contact email.

Tron ransomware

Tron ransomware is a version that was brought at the end of 2018. One of the distinct features belonging to this version of Dharma ransomware is the particular 0.05 BTC ransom amount. The sample that was analyzed revealed this information, but the amount still can differ from victim to victim. However, remember to avoid contacting these criminals and ignore the message with these emails supportjron@gmail.com; xtron@cock.li and follow up with virus removal.

Adobe ransomware

Adobe ransomware is a unique version that came out in November and December 2018. The virus developers have launched several different attacks leading victims to the loss of their files. The affected data is marked with the .adobe file extension, which has also been used by Djvu ransomware.

Possible contact emails used by this particular Dharma version:

  • parambingobam@cock.li
  • bufytufylala@tuta.io
  • youneedfiles@india.com
  • stopencrypt@qq.com
  • btcdecripter@qq.com

Santa ransomware virus

Santa ransomware was released in December 2018. Not much changed as it supposed to be when dealing with this virus family. However, the ransom note that comes in a text file named FILES ENCRYPTED.txt reveals the contact email for the developers – Newsantaclaus@aol.com. A full file marker also includes this email. When documents or photos get encoded, .id-XXXXXXXX.[Newsantaclaus@aol.com].santa shows up at the end of the original name.

Wallet ransomware

Wallet ransomware was the first example spotted in 2019. This malware is using a mixture of AES and RSA encryption algorithms to encrypt data and make it unavailable for use. Files are marked with either .wallet or .wallet.lock appendixes. The ransom note is typical to Dharma ransomware and reveals that the amount of ransom equals from $500 to $1500 worth of cryptocurrency.

Heets ransomware

Heets ransomware showed up in January 2019. When the ransomware attack starts and files get locked, their names are changed to .id-[bestdecoding@cock.li].heets file marker. This way, the victim is informed that he or she is in huge trouble and needs to buy the Dharma decryptor. However, you should always think about whether it is worth spending almost $1000 on the affected data.

The full list of instructions is placed in an HTML window that appears on the desktop and shows possible steps and emails for contacting virus developers – bestdecoding@cock.li; heetsdecoding@cock.li – that should be used to reach out cybercriminals.

Qwex ransomware

Qwex ransomware was reported by Jakub Kroustek The malware injects various files on the system besides FILES ENCRYPTED.txt ransom note or executable. This virus can change startup entries and add a program that disables the security features of the PC. To avoid any interaction with backdata@qq.com and dta@cock.li.

ETH ransomware

ETH ransomware has been affecting computer systems since the beginning of 2019. Our site has also encountered a few users who got victimized by this variant which is adding .ID-[random].[helpfilerestore@india.com].eth to encrypted files that get encoded and became useless as their code was completely scrambled. The ransom note stays the same and is called FILES ENCRYPTED.txt.

Unfortunately, ETH ransomware, just like numerous Dharma versions, is not decryptable. However, do not follow tips given in the ransom note and use helpfilerestore@india.com email address to contact virus developers. You need to avoid contacting people behind the malware and get rid of all the related programs with the anti-malware program since many of them can detect this virus.

Dharma ransomware recently active in Spring 2019Many versions in this family came out in March 2019.

888 ransomware

888 ransomware is one of numerous Dharma variants that is using the name of the USA president in the contact email given to virus victims and mark their encrypted files. If you happen to find .[donald888@mail.fr].888 added to your files, it indicates that your files got encrypted and that you won't be able to use them anymore.

There is also a specific amount of ransom given to virus victims – this version is demanding $500 – $1500 in Bitcoin from its victims for files' recovery. Please, do not for their promises as people you are dealing with are hackers!

Frend ransomware

Frend ransomware appeared in February 2019. When the infection gets into the system, it modifies the entire system with the help of AES or DES ciphers. Additionally, files receive the .frend file extension which changes files' names completely. Additionally, the virus saves FILES ENCRYPTED.txt text file on the computer's desktop that explains for the victims a need to contact hackers via undogdianact1986@aol.com or FobosAmerika@protonmail.ch email addresses. Please, ignore this request and use third-party tools to recover encrypted files.

KARLS ransomware

KARLS ransomware is another virus that was released a few days after previous versions, at the beginning of 2019. This particular threat employs the AES-256 algorithm for the file-locking process and makes data useless to have the reason for money extortion. When data gets .id-[random].karlosdecrypt@outlook.com.KARLS file marker, it can be recovered with the official Dharma ransomware virus decryption tool. However, you need to have a virus-free device before you start these procedures.

AYE ransomware virus

AYE ransomware came out in February 2019 as one of the numerous variants of the Crysis/Dharma ransomware family. The virus acts identically and drops a ransom message called FILES ENCRYPTED.txt right after encrypting files. The message reveals only the contact email and confirms the fact that the system got encrypted and can't be used anymore. Beware that this malware can disable some functions of your machine, so reboot the machine in Safe Mode before scanning it with an antivirus program. Additionally, start files' recovery.

NWA ransomware

The month of March 2019 was not the exception for Dharma activity. Slightly fewer variants than in previous months came out but cybercriminals still became active. NWA ransomware came out with a lengthy file extension ([filename].[original extension].id-[user ID].[dr.crypt@aol.com].NWA) that makes the user notice which files were encoded. The email address to discuss files' recovery is dr.crypt@aol.com.

Unfortunately, ransomware can also alter other files on the system and change preferences of the programs running at the startup. It can also add the executable, called explorer.exe, with additional processes, and disables security programs to make the elimination more difficult.

Korea ransomware

Korea ransomware employs the typical symmetrical AES encryption algorithm and makes users' data useless. All this effort for the purpose of crypto-extortion because users want to get their files back.

Like most of the other versions, it adds a file extension to files that got affected in a pattern – .[omfg@420blaze.it].korea. Discovered almost at the same time as other variants hailing from the Dharma ransomware virus family, this threat automatically launches the HTML window with payment instructions. Additionally, it reveals places where you can buy Bitcoins which is the preferred cryptocurrency for ransomware threats.

Stun ransomware

Stun ransomware showed up just after April fools 2019. This Dharma version was discovered out of nowhere and was analyzed thanks to the samples provided by affected users. Investigations have revealed that this particular ransomware wipes some files and installs programs to various folders of the system.

Ransomware developers have also made additional changes that become clear if you compare two different viruses hailing from the same family. Files, typically marked with .id.[unlockdata@foxmail.com].stun extension, are not the only ones affected by this cryptovirus. For this reason, you need to get a reputable anti-malware program and scan the system fully.

Dec ransomware

This variant came to light in mid-April 2020 and was spotted by security researcher Jakub Kroustek.[10] Just as its predecessors, Dec ransomware uses a similar pattern for data encryption – it employs AES cipher to lock files and modifies their structure in the following way: .id-XXXXXXXX.[email].dec. An example of an encrypted file would look as follows – picture.jpg.id-1E857D00.[de_cryption@tuta.io].dec.

Once data is encrypted, the Dec file virus also delivers a ransom note called FILES ENCRYPTED.txt and a popup window, which holds information about what victims should do next. Allegedly, they are asked to contact criminals via e_cryption@tuta.io or decryption1@protonmail.com emails and then pay cybercriminals ransom for the decryptor. Text version of the note provides a brief description:

all your data has been locked us
You want to return?
write email de_cryption@tuta.io or decryption1@protonmail.com

Unfortunately, just like other newer Dharma variants, Dec ransomware is currently not decryptable, but you can employ third-party tools or use Windows built-in resources to attempt data recovery. Nonetheless, you need to make sure that you first remove Dec ransomware from your machine fully.

Love$ ransomware

Love$ ransomware variant has been detected by a malware researcher Jacob Kroustek in April 2020. It does not deviate from its ancestors. It renders AES encryption and locks non-system files in a similar patter, i.e. it appends a unique ID number, email address, and .love$ extension to the locked file. Consequently, a file previously named as myfiles.doc would be turned to myfiles.doc.id-1E857D00.[im.online@aol.com].love$.

Dharma love$ ransomwareDharma ransomware keeps releasing new variants in 2020. The latest version spot in the wild is known as love$ due to the .love$ extension appended to locked files.

Love$ ransomware version drops a Dharma-typical ransomware note called FILED ENCRYPTED.txt which demands the victim to contact criminals via im.online@aol.com or onlineim@hitler.rocks emails and urge not to initiate manual or automatic changes on the files if permanent file loss is not required. The size of the ransom hasn't yet been specified.

Don't worry, you can return all your files!
If you want to restore them, follow this link: email im.online@aol.com YOUR ID 1E857D00
If you have not been answered via the link within 12 hours, write to us by e-mail:onlineim@hitler.rocks
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

LOL ransomware

LOL ransomware has been first detected in 2017. It's a distinctive feature -.id-xxxxxxxx.[Helpsir@rape.lol].LOL file extension appended to encrypted files. Likewise earlier Dharma versions it takes advantage of malspam campaigns to enter unprotected PCs and then launches the payload to lock personal files. Upon encryption, a victim is presented with a ransom note FILES ENCRYPTED.txt, which instructs the victim to send a reply with a unique ID number and one file to recover to helpsir@rape.lol or bitcoins12@tutanota.com emails.

Based on VirusTotal analysis, the main executable of the LOL (Dharma) ransomware is svchost.ex_[11]. The file mimics the legitimate Svchost.exe file to evade immediate detection and elimination. Nevertheless, 59 AV programs out of 69 are capable of detecting it.

BANG ransomware

BANG ransomware is one of the Dharma 2020 variant, which has been detected at the end of May by Jakub Kroustek. One of the malicious processes of this virus detected under the name payload.exe-retrieved-ca6b7dab175b447a0fb83fc71a09a8f3372def74.tmp have been uploaded to the VirusTotal[12]. 63 AV engines out of 72 are capable of detecting and contaminating it, so if you are one of the ransomware victims whose files have been encrypted by .BANG file extension virus, employ a security tool of your preference, and run a thorough system scan with it.

This new Dharma variant is no less malicious than its ancestors. Its developers exploit spam emails to spread malicious executable files and employ an AES cipher to lock targeted file types. Upon successful uncover of the payload and cipher run, personal files on a host machine get a .bang extension. The suffix is typically preceded by a combination of ID-xxxxxxxx.[gangflsbang@protonmail.ch]. Such files can no longer be opened or modified.

Criminals behind the BANG ransomware virus are using identical ransom note as for earlier Dharma variants. It appears under the FILES ENCRYPTED.txt and contains the following information:

all your data has been locked us
You want to return?
write email gangflsbang@protonmail.ch or gangflsbang@cock.li

Besides, the BANG file-encrypting ransomware changes the desktop background. The image features black and red background with a skull applique and “YOUR FILES ARE ENCRYPTED” slogan. The same background image has been used by most of the Dharma 2020 versions, including .harma, .msplt, .8800, .pay, .news, and .roger. Both note and background provide a contact e-mail gangflsbang@protonmail.ch.

Dharma BANG ransomware virusDharma keeps releasing its variants and one of the latest is recognized by the name BANG.

PayB ransomware

PayB ransomware or .payb file extension virus emerged right after the BANG Dharma variant at the end of spring 2020. It's a copycat version of the previous variant, except two differences, i.e. altered file extension and renewed contact e-mail, which is now paybit@aol.com. Other traits of this ransomware attack are the following:

  • the payload is typically spread via obfuscated email attachments;
  • upon infiltration, it alters Windows registry entries, runs malicious files within system directories, and changes boot sequence;
  • when the virus roots into the OS, it launches the AES cipher and targets the most popular file types for locking;
  • all encrypted files get the extension id-xxxxxxxx.[paybit@aol.com].payB file extension;
  • the desktop background gets changed to the “YOUR FILES ARE ENCRYPTED” image;
  • a Dharma-specific ransom note FILES ENCRYPTED.txt is created;
  • victims are demanded to pay the ransom that varies from $480 to $980 in Bitcoins;
  • criminals use paybit@aol.com email for communication.

Experts recommend people to remove PayB ransomware without a delay if managed to infiltrate the system and lock files. It's a deadly dangerous virus that can cause a severe Windows distortion and lead to crashes. Besides, do not get scared by criminals who share false claims that resisting to pay will lead to permanent file loss. Most of the Dharma variants can be decrypted using an official Crysis decryptor.

Before PayB removal, copy all encrypted files to the USB flash drive or alternative storage and run a scan with AV tool in Safe Mode to get rid of all malicious entries. After that, follow the guide at the end of this post explaining how to get the official decryptor and run the software to decrypt files encoded by .payB file extension.

Ransomware malspam campaigns infect hundreds of users daily

Just like many other ransomware-type viruses, this one takes advantage of naïve computer users and employ phishing[13] techniques to infect the targeted systems. One of the most popular ways is malspam campaigns which trick gullible people to open malicious attachments with the payload of the Dharma ransomware. Despite the information about precautionary measures that help inexperienced computer users protect their systems, many people continue to fall for the same tricks of the attackers.

Dharma cryptovirusDharma cryptovirus has mostly been spreading around with the help of spam.

LesVirus.fr[14] team has prepared tips to avoid ransomware infiltration. We kindly ask you to do the following if you want to protect your computer:

  • If you, yourself, receive an email from some unknown sender, company, or institution, carefully investigate it.
  • Think about whether you expected such an email in the first place if you have no idea why it has reached your email – it might be that you are being targeted by extortionists.
  • In such a case, you should stay away from any attachments that might be added to the email and delete them immediately. Otherwise, Dharma can sneak in its malicious payload with some fake plane ticket, speeding ticket, or any other documents that might look convincing enough to be taken for granted.

Fake ESET AV tool used to distribute versions of Dharma

The more recent campaigns in 2019 revealed more information about the particular Dharma ransomware distribution method. It still involves spam emails and attached files, but it revolves around the installation of a specific AV tool. During this process, cryptovirus can hide its encryption and infiltration activities.

The email itself that delivers such a file states the needed malware elimination or risks on your machine. The system possibly can get damaged if you don't download the program provided in the notification. Of course, the sender poses as Microsoft and claims to be the legitimate support team member.

Unfortunately, when the button DOWNLOAD gets clicked, the password provided in the email is required. Once all those steps are done, the program gets loaded on the system via executable files Defender_nt32_enu.exe or Defender.exe. The old version of ESET AV Remover gets loaded, and during the installation process that needs users' involvement, Dharma distracts the victim from its ransomware activities.

The installation of this security tool and Dharma encryption are not related, and the encryption still happens even when the installation is not executed. The security software installation is included to trick people into thinking that there is nothing malicious happening when the system slowdowns during the download.

Dharma ransomware distribution involves AV toolAV tool installation hides the malicious encryption process of the Dharma cryptovirus.

Removal instructions for Dharma ransomware

It is evident that ransomware-type threats are highly dangerous and tricky. Likewise, people can either get help from an IT specialist or employ a professional Dharma removal software. Note that such cyber infections have numerous components and are able to hide them or disguise them as legitimate system processes.

That is why you cannot remove Dharma ransomware directly and need to complete a few extra steps first before you run the system scan. We have presented these steps down below. Feel free to use them and don’t forget to scan your system automatically afterward! We suggest using one of these tools: SpyHunter 5Combo Cleaner or Malwarebytes. ReimageIntego is great if any virus damage has been made.

Bonus: video clip for help on the Dharma virus elimination process

Since Dharma ransomware has been a widely-distributed cyber threat, we decided to create more accurate removal instructions for this threat with graphical elements. Our goal is to help users to clean, optimize, and refresh their computer systems after the secret infiltration of dangerous malware. If you also are a victim of this notorious file-encrypting cyber threat, take a look at this below-provided video clip and receive a clearer view of the malware elimination process:

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

Getting rid of Dharma virus. Follow these steps

Manual removal using Safe Mode

In order to make the ransomware inactive and let you install the security software, you need to boot your system into Safe Mode with Networking. Here are instructions that will guide you through the process:

Important! →
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.

Step 1. Access Safe Mode with Networking

Manual malware removal should be best performed in the Safe Mode environment. 

Windows 7 / Vista / XP
  1. Click Start > Shutdown > Restart > OK.
  2. When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
  3. Select Safe Mode with Networking from the list. Windows 7/XP
Windows 10 / Windows 8
  1. Right-click on Start button and select Settings.
  2. Scroll down to pick Update & Security.
    Update and security
  3. On the left side of the window, pick Recovery.
  4. Now scroll down to find Advanced Startup section.
  5. Click Restart now.
  6. Select Troubleshoot. Choose an option
  7. Go to Advanced options. Advanced options
  8. Select Startup Settings. Startup settings
  9. Press Restart.
  10. Now press 5 or click 5) Enable Safe Mode with Networking. Enable safe mode

Step 2. Shut down suspicious processes

Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Click on More details.
    Open task manager
  3. Scroll down to Background processes section, and look for anything suspicious.
  4. Right-click and select Open file location.
    Open file location
  5. Go back to the process, right-click and pick End Task.
    End task
  6. Delete the contents of the malicious folder.

Step 3. Check program Startup

  1. Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
  2. Go to Startup tab.
  3. Right-click on the suspicious program and pick Disable.

Step 4. Delete virus files

Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:

  1. Type in Disk Cleanup in Windows search and press Enter.
    Disk cleanup
  2. Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
  3. Scroll through the Files to delete list and select the following:

    Temporary Internet Files
    Recycle Bin
    Temporary files

  4. Pick Clean up system files.
    Delete temp files
  5. You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):


After you are finished, reboot the PC in normal mode.

Remove Dharma using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt
    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of Dharma. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with ReimageIntego and make sure that Dharma removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Dharma from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Dharma, you can use several methods to restore them:

Get Data Recovery Pro tool

Experts highly recommend using this recovery software for those who would like to save their time and get back the access to their data automatically. 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Dharma ransomware;
  • Restore them.

You can recover individual files with Windows Previous Versions feature

Luckily, Windows users can recover individual files encrypted by Dharma right now. The only thing they need is to check that System Restore function has been enabled before ransomware has entered the computer.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

Dharma decryptor can work only with some part of ransomware versions

Victims of Dharma ransomware are lucky since security experts discovered a leak in its code and also found numerous decryption keys online. Likewise, Kaspersky Lab has already upgraded Dharma ransomware decryptor which you can download here. Alternatively, try ESET Crysis Decryptor.

In case the decryptor fails to decrypt your files: Recently, our team received a message from a person who said one of his clients got infected with .[oron@india.com].dharma ransomware version. Surprisingly, our site visitor reported that he managed to restore encrypted data archives by extracting them with 7-Zip. We suggest you try this method if you haven't already. You can find the original comment from the visitor in the comments section below.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from Dharma and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes

How to prevent from getting ransomware

Choose a proper web browser and improve your safety with a VPN tool

Online spying has got momentum in recent years and people are getting more and more interested in how to protect their privacy online. One of the basic means to add a layer of security – choose the most private and secure web browser. Although web browsers can't grant full privacy protection and security, some of them are much better at sandboxing, HTTPS upgrading, active content blocking, tracking blocking, phishing protection, and similar privacy-oriented features. However, if you want true anonymity, we suggest you employ a powerful Private Internet Access VPN – it can encrypt all the traffic that comes and goes out of your computer, preventing tracking completely.


Lost your files? Use data recovery software

While some files located on any computer are replaceable or useless, others can be extremely valuable. Family photos, work documents, school projects – these are types of files that we don't want to lose. Unfortunately, there are many ways how unexpected data loss can occur: power cuts, Blue Screen of Death errors, hardware failures, crypto-malware attack, or even accidental deletion.

To ensure that all the files remain intact, you should prepare regular data backups. You can choose cloud-based or physical copies you could restore from later in case of a disaster. If your backups were lost as well or you never bothered to prepare any, Data Recovery Pro can be your only hope to retrieve your invaluable files.

About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions

Removal guides in other languages