Dharma ransomware. 34 Variants listed. 2019 removal instructions

Removal by Jake Doevan | Type: Ransomware

Dharma is a ransomware virus that uses the installation of security software as a distraction to hide its malicious activity

Dharma ransomware virus
Dharma ransomware virus was discovered in 2016 and keeps being updated in 2019. The latest file extensions are .gif, .AUF, .USA, .xwx, .best, and .heets.

Dharma is a crypto-virus that first struck the world in 2016 and has been reappearing with new versions regularly in recent years. In the first quarter of 2019, the virus came back with a handful of new versions. The most prevalent variants use the following extensions: .bip, .adobe, .cezar, .combo, .java, .ETH. The malware still uses the AES encryption algorithm to encrypt data and then displays ransom notes called either Info.hta or FILES ENCRYPTED.txt.

Although the newer samples of this cryptovirus are distributed via spam email, these messages deliver different files in each campaign. Researchers have revealed that malicious actors use download links: when the user clicks such a hyperlink, the password listed in the email itself is needed to open the delivered file.

The self-extracting defender.exe file gets installed and drops a malicious file on the system. It appears to be an old version of ESET AV Remover bundled with the Dharma ransomware. The AV tool installation hides other processes, such as payload dropping and file encryption. Nevertheless, the cryptovirus can still run even when the AV tool installation is not started, and the AV tool can be installed without any malicious processes running.

These documents ask the victim to contact the developers via the provided email address and pay for the decryption service. As long as the Dharma ransomware virus keeps presenting new file extensions, be careful with unknown emails from suspicious senders, since the virus still relies on spam to spread. Small businesses and bigger organizations should also be cautious – at the end of March 2019, the malware hit the system of a parking lot in Canada.[1] Previously, Dharma ransomware infected a Texas hospital[2] and some other organizations.

Summary
Name: Dharma virus
Type: Ransomware
Danger level: High. Makes system changes and encrypts files
Release date: 2016
OS affected: Windows
Appended file extensions: .java, .cesar, .cezar, .wallet, .zzzzz, .dharma, .arrow, .write, .onion, .bip, .combo, .brrr, .gamma, .bkp, .like, .gdb, .xxxxx, .AUF, .USA, .xwx, .best, .heets, .adobe, .btc, .qwex, .eth, .air, .888, .amber, .frend, .KARLS, .aqva, .aye, .korea, .plomb, .NWA, .azero, .bk66, .stun, .monro, .funny, .vanss, .betta, .waifu, .bgtx, .tron
Ransom note: Info.hta and FILES ENCRYPTED.txt
Contact email addresses: vary by version (see the individual variants described below)
Distribution: Infected email attachments
Data recovery: Some versions of the virus can be decrypted with the free RakhniDecryptor
Removal: To get rid of Dharma virus, use SpyHunter 5 or Combo Cleaner. If you are dealing with system errors, install Reimage Cleaner and run a full system scan. It will fix altered system components, e.g. corrupted system files and registry entries

During its first months of activity, Dharma ransomware was spreading as an alternative to Crysis ransomware. However, these viruses are now considered to be of different kinds, as most of their traits do not match. The ransomware caught attention back in November 2016[3] and was compared with the Locky virus.[4] Dharma (the .cezar family) and some other versions (Adobe ransomware, Combo ransomware, Java ransomware, Bip ransomware) have proven that the virus is ready for anything.

Since 2016, researchers have revealed more than twenty different Dharma ransomware versions, all of which share most of their features; the main difference is the appended file extension. As time passed, experts kept updating the decryption tool, which was launched soon after the first appearance of the virus.[5] However, it seems that victims are not able to decrypt files encrypted by the latest versions.

Even though this crypto-malware has been silent for several months, it seems to be back with several new versions in 2019, including the .USA, .xwx, .best, .NWA, .ETH, and .com file extensions. If you think that you are infected, don't waste your time, because the more time you give to the virus, the more files it can encrypt. Make sure you disconnect your computer from the Internet and scan it with anti-virus software. Additionally, try the Dharma ransomware decryptor (the RakhniDecryptor tool).

Dharma Cezar ransomware
Dharma ransomware - a cryptovirus which has numerous variants that have been actively infecting users behind their back.

On the day of its appearance, security experts didn't know much about Dharma in general and believed it to be one of the new-generation viruses.[6] It seems that the virus developers were trying to keep it as obscure as possible and didn't follow the typical patterns other ransomware creators do.

For instance, the virus did not drop ransom notes or any other additional documents that would let you know about the virus hiding in the system. Also, on the day of the virus discovery in November 2016, antivirus utilities did not seem to detect its malicious components, which complicated Dharma ransomware removal significantly. If you think that you are dealing with virus damage caused by this malware, use Reimage Cleaner to double-check the system.

Virus functionality is used to infect home users and organizations worldwide

At the moment, the most widespread Dharma ransomware versions are known to use the .eth, .bip, .cezar and .cesar file extensions. The virus uses the AES encryption algorithm[7] to make files useless and also deletes the shadow volume copies of the target files. Keeping in mind that the malware has already infected medical organizations and huge companies, the encrypted data can be vital, and its recovery can be a matter of saved lives.

In fact, there are NUMEROUS versions hailing from the infamous virus family. Not all of them are actively spreading around the globe, but there is no information that any of the following variants is inactive:

  • .cesar
  • .onion
  • .dharma
  • .wallet
  • .zzzzz
  • .arena
  • .cezar
  • .java
  • .write
  • .bip
  • .arrow
  • .combo
  • .brrr
  • .gamma
  • .bkp
  • .like
  • .gdb
  • .xxxxx
  • .AUF
  • .USA
  • .xwx
  • .best
  • .heets
  • .adobe
  • .qwex
  • .btc
  • .ETH
  • .air
  • .888
  • .amber
  • .frend
  • .KARLS
  • .aqva
  • .aye
  • .korea
  • .plomb
  • .nwa
  • .funny
  • .monro
  • .vanss
  • .azero
  • .bk66
  • .stun
  • .com
  • etc.

Once the malware encrypts the victim's files, it drops a brief ransom note on the infected computer, such as this one. As we have already mentioned, the Dharma ransomware virus failed to do that at the beginning of its distribution.

ATTENTION!
At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:
bitcoin143@india.com

Victims have also reported about seeing this ransom note: 

hallo, our dear friend!
looks like you have some troubles with your security
all your files are now encrypted
using third-party recovering software will corrupt your data
you have only one way to get them back safety – using our decryption tool
to get original decryption tool contact us with email is subject like write your ID which your can find
in name of every encrypted file, also attach to email 3 crypted files.
lavandos@dr.com
It is your interest to respond as soon as possible to ensure the restoration of your files because we won’t keep your decryption keys at our servers more than 72 hours in interest of our security
PS. only in case you don’t receive a response from the first email address within 24 hours, please use this alternative email address lavandos@india.com

As you can see, users are asked to contact the criminals via an email address provided in the note and inquire about the ransom needed to recover the affected files. Apart from the email, you will also see .dharma file extension or similar appendix pinned at the very end of the string. For instance, if your file is labeled as picture.jpg, the affected version of the file will be picture.jpg[email_address].dharma or picture.jpg[files.restore@aol.com].bip.

The email address depends on the Dharma ransomware version, so you can be asked to use bitcoin143@india.com, files.restore@aol.com, worm01@india.com (this virus drops worm.exe file on the system), btc2017@india.com, oron@india.com, or another @india.com, beamsell@qq.com, sindragosa@bigmir.net email address.

However, we strongly suggest not doing that. You have absolutely no way of knowing what to expect from this bunch of extortionists or how contacting them might end. It is more reasonable to remove Dharma ransomware and use the free decryptor by Kaspersky. If you continue using your machine with the ransomware running on the system, you risk finding more encrypted data after rebooting.

Important information. Speaking of data recovery methods, you can restore your files encrypted by Dharma. However, not all versions of the virus have been included in the decryptor's database. Nevertheless, try the Rakhni decryptor or the ESET Crysis Decryptor to see whether it helps. Besides, according to one 2-Spyware visitor, he restored his data by using the 7-Zip program as a Dharma ransomware decrypt tool. For more information, see the data recovery methods described below the article.

Dharma ransomware
Dharma ransomware is a dangerous file-encrypting virus which has numerous versions using different file extensions after encryption.

Dharma ransomware versions actively spreading around the globe

Oron@india.com ransomware

Oron@india.com ransomware was released as an updated version of Dharma ransomware and was named according to the file extension it uses. Just like any other dangerous ransomware-type infection,[8] it aims to encrypt important files on the targeted computer to gain illegal profits. The easiest way to recognize the ransomware is to check the file extension: documents encoded by this version are appended with the [oron@india.com].dharma extension. It consists of two sections: the actual extension and the email address.

The email is an attempt to urge you to contact the crooks for the decryption tool. However, if you reach out to them via oron@india.com, there is a high risk that they will make you pay without giving you the decryption key. Thus, we do not recommend following the rules of the attackers. Luckily, you can restore your files using the Dharma Decrypter.

Zzzzz ransomware

Zzzzz ransomware is one of the versions sharing an identical extension with the infamous Locky virus. It is not clear whether the virus developers borrowed Locky's idea or whether using the same extension to mark encrypted files is a sheer coincidence. Despite the odds, these viruses are not related and are based on different code. Nevertheless, this does not make the zzzzz files virus any less dangerous than the nasty Locky virus.

The virus is still encrypting files and making them inaccessible. The reason for doing that is to make the user pay the ransom for the access key. You may use the Dharma ransomware decryptor to attempt zzzzz file recovery, but the most important thing is to remove the virus from your computer to prevent further damage.

Wallet ransomware

Wallet ransomware is appending .wallet file extension to the encrypted files. Ransomware victims are also urged to contact criminals via the given email address amagnus@india.com and these are the only specific details upfront. The virus makes sure the victims are acquainted with the data recovery conditions by replacing the infected computer's desktop with an image of a ransom note.

Besides, extortionists set a 72-hour limit to pay the ransom and claim that, if victims fail to pay in time, the decryption key will be destroyed and they will lose access to their files forever. Of course, there are always alternatives and you don't have to succumb to the criminals' demands. Just scroll down to the end of this article and check our data recovery options for Dharma ransomware virus.

Onion file virus

.onion file virus was spotted in April 2017. The virus has been spreading via malicious email attachments. Once the victim clicks on an infected attachment, malware sneaks inside the system. On the affected device, ransomware starts a system scan and looks for the targeted file types. For data encryption, it has been using a sophisticated algorithm that prevents users from accessing their files.

Ransomware appends the .onion file extension to the encoded documents, PDFs, video, audio, image files, databases, and other popular file types. Nevertheless, the authors of Dharma ransomware virus claim that purchasing decryption software from them is the only option to get back access to your data. However, you should not rely on their words. After the attack, you should focus on malware removal and later look for data recovery possibilities.

Cezar ransomware

Cezar ransomware emerged in the middle of August 2017. It is also known as Cesar ransomware due to a slightly different extension appended to the target data, respectively .cezar or .cesar. The virus suggests writing to btc2017@india.com for instructions on how to recover encrypted files, so it works as a typical Dharma ransomware version.

The aim of the virus is to force the victim to get in touch with the cybercriminals and start negotiations regarding data recovery. The criminals will ask you to pay an enormous ransom in Bitcoins and promise to provide a Dharma decryption key afterward. Unfortunately, criminals cannot be trusted, so we do not recommend putting too much effort into trying to make them restore your files. Chances are, they never will.

Combo ransomware

Combo ransomware was discovered only days after the discovery of other threats. This one is different from the others because it uses the same email used by the previously known ransomware – Bip. The appended extensions are [Broodmother@cock.li].combo or .[combo@tutanota.de].combo, which also include the email addresses provided to let victims know how to reach the Dharma virus developers.

The email appears in typical ransom notes Info.hta and FILES ENCRYPTED.txt. However, as we always note, contacting criminals via Broodmother@cock.li or Combo@tutanota.de is not recommended since it may lead to permanent data loss or infiltration of more severe malware.

Arena ransomware

Arena ransomware is yet another addition to the Dharma malware family. The virus was spotted by security researcher Michael Gillespie on August 23rd, 2017. The new variant appends the traditional extension – .id-[ID].[criminal's email address].arena. The virus then outputs some text in a FILES ENCRYPTED.txt file (known as the ransom note).

Dharma Arena ransomware

This version of Dharma ransomware virus has been suggesting contacting the criminals via the sindragosa@bigmir.net email address, leaving no hints about the price of the decryption key. Unfortunately, currently the only tool that can help you restore your files is a data backup. Remove Arena ransomware before plugging the backup drive into your computer; otherwise, the virus will encrypt the files stored on it.

Java ransomware virus

.Java files virus was spreading around the Internet via spam using the subject line “The Request Invoice.” Security experts have been reporting about several new versions attaching these extensions: 

  • .id-8-characters.[1778357646@gg.com].java[9]
  • .[decrypthelp@qq.com].java
  • .id-8-characters.[sm@uwmanage.com].java

It is believed that there are more than three versions of this Java ransomware spreading on the Internet, so be careful while searching the web and ignore the following message:

Here is the Invoice you requested. Please make sure to print it, sign it and scan it to send it back to us.
Best Regards,
Tim Brooks
Sales Department

This Dharma ransomware version also inflicts quite significant damage to the system. It disables system recovery and deletes shadow volume copies. Since this greatly reduces the number of alternative data recovery options, it is recommended to remove the Java virus immediately.

Dharma Java ransomware
Dharma Java ransomware is one of the most aggressive examples of the cryptovirus.

Write ransomware virus

The .write file extension virus came out after several months of silence. Even though there are not many changes overall, the developers switched to a different file extension and contact email address to protect their identity. The upgraded variant appends the .write or [files.restore@aol.com].write file extension after encrypting important data stored on the targeted system.

Once the victims receive the ransom-demanding message, they are urged to contact the criminals via the files.restore@aol.com email address. However, bear in mind that the criminals will try to persuade you to make the transaction while you have no guarantees of getting the Dharma decryptor.

It is important to know that the .write file extension virus is currently undecryptable. However, this doesn't mean that the only way to get back access to your files is to pay the ransom. There are ways to recover data without obeying the demands of the crooks. For that, we recommend checking the decryption steps at the end of this article.

Arrow ransomware

.arrow file extension virus was detected at the beginning of March 2018. Virus analysis points to the .cezar version as its base. Although the sum of the demanded ransom is not clear, it is clear that the extortionists can be contacted via the GuardBTC@cock.li, Blammo@cock.li or Bitcoin888@cock.li emails. Consequently, it might be referred to as the .id-.[].arrow file extension virus, and it is a clear example that the developers of Crysis/Dharma ransomware are not going to stop.

Bip ransomware

Bip ransomware came out in the middle of March 2018. Alternatively, it has been known as the [Beamsell@qq.com].bip file extension. To make data decryption nearly impossible, the virus deletes shadow volume copies and then displays a ransom note on the victim's computer desktop. The encoded files can only be recovered with the help of backups (extra copies of the original files) or the RakhniDecryptor tool, which was developed by Kaspersky.

Dharma Bip ransomware virus
Dharma ransomware is using AES encryption algorithm to lock target files and make them useless.

Following the encryption procedure, the .bip files virus drops two ransom notes, Info.hta and FILES ENCRYPTED.txt, where victims are asked to send an email to Beamsell@qq.com to get data recovery instructions. It's unknown how much money the Dharma virus developers are asking for; however, it's still not worth paying them. We recommend focusing on Bip removal instead.

Java2018@tuta.io.arrow virus

.java2018@tuta.io.arrow file extension virus emerged at the end of May 2018. It appends the .[email].arrow file extension to the affected files. Immediately after the encryption, the ransomware drops a ransom note in which victims are asked to contact the crooks immediately. The faster they write, the less they need to pay, according to the ransom note.

Crooks behind this Dharma virus version are using two contact email addresses java2018@tuta.io or java2018@india.com. However, it's not recommended to discuss data recovery possibilities with developers of ransomware. This may not lead to any good. They will ask to pay the ransom, but there are no guarantees that they will let you decrypt files. Hence, it's better to eliminate ransomware from the system.

Brrr ransomware

In the second week of September 2018, Brrr ransomware came to light. Files are encrypted with the .[paydecryption@qq.com].brrr pattern, and the same two ransom note files as in most of the previous versions are dropped. The ransom note contains the paydecryption@qq.com contact email and an offer to decrypt one file smaller than 1 MB. This move is purely manipulative, and you shouldn't fall for this trick.

Gamma ransomware

Gamma ransomware was detected at the end of 2018 as yet another new version in the Dharma/Crysis family. The virus relies on a similar pattern to the other versions of this family: it does not reveal a specific ransom amount and actively offers to test the decryption for free. Other features of the Gamma version:

  • The malware is using .id-%ID%.[bebenrowan@aol.com].gamma file extension;
  • Ransomware drops a ransom note in files Info.hta and FILES ENCRYPTED.txt;
  • The contact email that was given to the victim: bebenrowan@aol.com.

Bkp ransomware

In September 2018, the Dharma ransomware owners presented yet another version of this malware, called Bkp ransomware. As you can guess, files are marked with the .bkp file extension and cannot be opened or used. This variant, similarly to the others, delivers the same ransom note files named Info.hta and FILES ENCRYPTED.txt. The contact email provided to the victim is bkp@cock.li, but it can change over time. At the time of writing, there are about 10 known victims affected by this particular version, which also remains undecryptable.

Boost ransomware

Boost ransomware came out only a month after the previous versions we spotted on the Internet. This time, a virus is encrypting data by using the AES algorithm and marking those files using a specific pattern – .[boston.crypt@tuta.io].boost. As usual for this ransomware family, FILES ENCRYPTED.txt file with the ransom message gets delivered to folders that contain encoded documents, photos, and other files.

Waifu ransomware

Yet another version from the Dharma family, discovered in October 2018, is Waifu ransomware. The malware encodes the user's files and marks them with an appendix that ends with .waifu. The contact email darknes@420blaze.it is also included in this file marker.

The Dharma ransomware developers have been releasing new versions constantly. As a result, they haven't been changing these viruses much, so it is obvious why this variant is not very different from the previously discovered ones.

BTC ransomware

BTC ransomware came out in October 2018, but this one has more features than other variants. First, the virus has been dropping BTC_DECRYPT_FILES.txt or IDR__BTC_DECRYPT_FILES.txt files as ransom notes that get delivered to the victim's screen right after the file-locking procedure is finished.

The encrypted data can be recovered by buying a Dharma decryptor, which costs from 0.5 to 1.5 BTC. Since experts have already spotted several samples of this malware, it is normal that they have noticed several contact emails offered for contacting the cybercriminals behind the virus: btc@fros.cc; zikr@protonmail.com; zikra@protonmail.com; zikr@usa.com.

FUNNY ransomware

FUNNY ransomware came out at the end of October 2018 as well. This time, only a program window named after the contact email appears on the screen after encryption. The information in the window includes instructions on how to buy Bitcoins and pay the demanded ransom.

When you write to WildMouse@cock. or unlock24@cock.li and ask for the opportunity to decrypt files, the ransom amount should be revealed. It possibly differs from victim to victim, based on the number of files or the valuable information the ransomware possibly accessed.

Xxxxx virus

The year 2018 was a busy year for the Dharma ransomware developers. Xxxxx ransomware was only one of many versions released that year. This version was the last one discovered in October 2018. Not much new information was revealed with this version, since it has not changed and resembles the other 20+ variants.

The only features that make it different from previous Dharma versions:

  • file marker .id-id.[syndicateXXX@aol.com].xxxxx
  • contact email syndicateXXX@aol.com

Audit ransomware

Audit files virus appeared in November 2018, seemingly out of nowhere, after infecting several victims. It seems that the crooks are still giving victims 24 hours to reach them via the contact email payransom@qq.com. This information, alongside the victim's ID and places where you can buy cryptocurrency, is delivered in a program window named after the particular contact email.

Tron ransomware

Tron ransomware is a slightly newer version of the Dharma family that appeared at the end of 2018. One of the distinct features of this version of Dharma ransomware is the particular ransom amount of 0.05 BTC. The analyzed sample revealed this information, but the amount can still differ from victim to victim. Remember to avoid contacting these criminals, ignore the message with the emails supportjron@gmail.com and xtron@cock.li, and follow up with virus removal.

Adobe ransomware

Adobe ransomware is a unique version that came out in November and December 2018. The virus developers have launched several different attacks leading victims to the loss of their files. The affected data is marked with the .adobe file extension, which has also been used by Djvu ransomware.

Possible contact emails used by this particular Dharma version:

  • parambingobam@cock.li
  • bufytufylala@tuta.io
  • youneedfiles@india.com
  • stopencrypt@qq.com
  • btcdecripter@qq.com

Santa ransomware virus

Santa ransomware was released in December 2018. Not much has changed, as is usual with this virus family. However, the ransom note that comes in a text file named FILES ENCRYPTED.txt reveals the contact email of the developers – Newsantaclaus@aol.com. The full file marker also includes this email. When documents or photos get encoded, .id-XXXXXXXX.[Newsantaclaus@aol.com].santa shows up at the end of the original name.

Wallet ransomware

Wallet ransomware was the first example spotted in 2019. This malware is using a mixture of AES and RSA encryption algorithms to encrypt data and make it unavailable for use. Files are marked with either .wallet or .wallet.lock appendixes. The ransom note is typical to Dharma ransomware and reveals that the amount of ransom equals from $500 to $1500 worth of cryptocurrency.

Heets ransomware

Heets ransomware showed up in January 2019. When the ransomware attack starts and files get locked, their names are changed to .id-[bestdecoding@cock.li].heets file marker. This way, the victim is informed that he or she is in huge trouble and needs to buy the Dharma decryptor. However, you should always think about whether it is worth spending almost $1000 on the affected data.

The full list of instructions is placed in an HTML window that appears on the desktop and shows the possible steps and the emails – bestdecoding@cock.li; heetsdecoding@cock.li – that should be used to reach the cybercriminals.

Qwex ransomware

Qwex ransomware was reported by Jakub Kroustek. The malware injects various files on the system besides the FILES ENCRYPTED.txt ransom note and the executable. This virus can change startup entries and add a program that disables the security features of the PC. Avoid any interaction with backdata@qq.com and dta@cock.li.

ETH ransomware

ETH ransomware has been affecting computer systems since the beginning of 2019. Our site has also encountered a few users who were victimized by this variant, which adds .ID-[random].[helpfilerestore@india.com].eth to the encrypted files; the files become useless as their contents are completely scrambled. The ransom note stays the same and is called FILES ENCRYPTED.txt.

Unfortunately, ETH ransomware, just like numerous Dharma versions, is not decryptable. However, do not follow the tips given in the ransom note or use the helpfilerestore@india.com email address to contact the virus developers. You need to avoid contacting the people behind the malware and get rid of all the related programs with an anti-malware program, since many of them can detect this virus.

Dharma ransomware recently active in Spring 2019
Many versions in this family came out in March 2019.

888 ransomware

888 ransomware is one of numerous Dharma variants; it uses the name of the US president in the contact email given to virus victims and in the marker of their encrypted files. If you happen to find .[donald888@mail.fr].888 added to your files, it indicates that your files got encrypted and that you won't be able to use them anymore.

There is also a specific ransom amount given to virus victims – this version demands $500 – $1500 in Bitcoin for file recovery. Please do not fall for their promises, as the people you are dealing with are hackers!

Frend ransomware

Frend ransomware appeared in February 2019. When the infection gets into the system, it modifies the entire system with the help of AES or DES ciphers. Additionally, files receive the .frend file extension, which changes file names completely. The virus also saves a FILES ENCRYPTED.txt text file on the computer's desktop, which tells victims to contact the hackers via the undogdianact1986@aol.com or FobosAmerika@protonmail.ch email addresses. Please ignore this request and use third-party tools to recover encrypted files.

KARLS ransomware

KARLS ransomware is another virus that was released a few days after the previous versions, at the beginning of 2019. This particular threat employs the AES-256 algorithm for the file-locking process and makes data useless in order to extort money. When data gets the .id-[random].karlosdecrypt@outlook.com.KARLS file marker, it can be recovered with the official Dharma ransomware virus decryption tool. However, you need to have a virus-free device before you start these procedures.

AYE ransomware virus

AYE ransomware came out in February 2019 as one of the numerous variants of the Crysis/Dharma ransomware family. The virus acts identically and drops a ransom message called FILES ENCRYPTED.txt right after encrypting files. The message reveals only the contact email and confirms the fact that the system got encrypted and can't be used anymore. Beware that this malware can disable some functions of your machine, so reboot the machine in Safe Mode before scanning it with an antivirus program. Additionally, start files' recovery.

NWA ransomware

The month of March 2019 was no exception for Dharma activity. Slightly fewer variants than in previous months came out, but the cybercriminals remained active. NWA ransomware came out with a lengthy file extension ([filename].[original extension].id-[user ID].[dr.crypt@aol.com].NWA) that makes the user notice which files were encoded. The email address to discuss file recovery is dr.crypt@aol.com.

Unfortunately, the ransomware can also alter other files on the system and change the preferences of the programs running at startup. It can also add an executable called explorer.exe with additional processes, and it disables security programs to make the elimination more difficult.
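The file-naming pattern introduced for the .dharma and .bip files above (picture.jpg[email].dharma) and spelled out in full for the NWA variant ([filename].[original extension].id-[user ID].[email].NWA) can be parsed mechanically, which is useful when triaging a hit. The following Python script is an added example, not code from this article or from any of the decryptor tools it mentions: it recognizes the bracketed form with an optional id marker, the bare .id form used by .stun, and the unbracketed .KARLS form, and it summarizes a constructed directory listing (file names and victim IDs are made up) against the variant extensions and ransom note names listed on this page.

```python
"""Triage a directory listing for Dharma-style encrypted file names.

Added example (not from the article): recognizes the marker formats this page
describes and summarizes which variant, contact email and ransom notes are present.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Variant extensions named on the page, lower-cased for comparison.
KNOWN_DHARMA_EXTENSIONS = {
    "dharma", "wallet", "zzzzz", "onion", "cezar", "cesar", "arena", "java", "write",
    "arrow", "bip", "combo", "brrr", "gamma", "bkp", "boost", "waifu", "btc", "funny",
    "xxxxx", "audit", "tron", "adobe", "santa", "heets", "qwex", "eth", "888", "frend",
    "karls", "aye", "nwa", "korea", "stun", "like", "gdb", "auf", "usa", "xwx", "best",
    "air", "amber", "aqva", "plomb", "azero", "bk66", "monro", "vanss", "betta", "bgtx",
}
# Ransom note file names the page reports for this family.
RANSOM_NOTE_NAMES = {"info.hta", "files encrypted.txt"}

MARKER_RE = re.compile(
    r"^(?P<orig>.+?)"                               # original name, incl. its own extension
    r"(?:"
    # Form A: optional ".id-XXXXXXXX" (or a bare ".id") followed by "[email]" in brackets
    r"(?:\.id(?:-(?P<id_a>[A-Za-z0-9%]+))?)?\.?\[(?P<email_a>[^\[\]\s]+@[^\[\]\s]+)\]"
    r"|"
    # Form B: mandatory ".id-XXXXXXXX" followed by an unbracketed email (the .KARLS pattern)
    r"\.id-(?P<id_b>[A-Za-z0-9%]+)\.(?P<email_b>[^\[\]\s.]+@[^\[\]\s]+)"
    r")"
    r"\.(?P<ext>[A-Za-z0-9]+)$",                    # variant extension, e.g. bip, NWA
    re.IGNORECASE,
)


@dataclass
class EncryptedName:
    original_name: str         # name the file had before encryption
    victim_id: Optional[str]   # ".id-" marker, if the variant uses one
    contact_email: str         # attacker contact address embedded in the name
    variant_ext: str           # trailing extension that identifies the variant
    known_variant: bool        # True if the extension is one listed on this page


def parse_encrypted_name(filename: str) -> Optional[EncryptedName]:
    """Return the parsed marker fields, or None if the name carries no Dharma marker."""
    m = MARKER_RE.match(filename)
    if not m:
        return None
    ext = m.group("ext")
    return EncryptedName(
        original_name=m.group("orig"),
        victim_id=m.group("id_a") or m.group("id_b"),
        contact_email=m.group("email_a") or m.group("email_b"),
        variant_ext=ext,
        known_variant=ext.lower() in KNOWN_DHARMA_EXTENSIONS,
    )


def triage_listing(filenames: Iterable[str]) -> Dict[str, object]:
    """Summarize a listing: encrypted-file count, variants, contact emails, ransom notes.

    Extensions that parse as a Dharma marker but are not on the page's list are
    reported separately so a new variant is not silently misclassified.
    """
    names = list(filenames)
    parsed = [p for p in (parse_encrypted_name(n) for n in names) if p is not None]
    return {
        "encrypted_count": len(parsed),
        "variants": Counter(p.variant_ext.lower() for p in parsed),
        "contact_emails": sorted({p.contact_email.lower() for p in parsed}),
        "unknown_variants": sorted({p.variant_ext for p in parsed if not p.known_variant}),
        "ransom_notes": sorted(n for n in names if n.lower() in RANSOM_NOTE_NAMES),
    }


# Constructed sample listing: file names and victim IDs are made up for this example.
SAMPLE_LISTING: List[str] = [
    "budget.xlsx.id-1A2B3C4D.[dr.crypt@aol.com].NWA",
    "photo.png.id-1A2B3C4D.[dr.crypt@aol.com].NWA",
    "notes.txt.id.[unlockdata@foxmail.com].stun",
    "report.docx.id-AB12CD34.karlosdecrypt@outlook.com.KARLS",
    "FILES ENCRYPTED.txt",
    "Info.hta",
    "readme.md",
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        print(f"{name!r:60} -> {parse_encrypted_name(name)}")
    print(triage_listing(SAMPLE_LISTING))
```

Run it against the names from an affected folder (for example the output of a directory listing) to identify the variant and the embedded contact address before looking up a matching decryptor.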

Korea ransomware

Korea ransomware uses the typical symmetric AES algorithm to render users' data useless. The whole point of the effort is crypto-extortion: victims want their files back and are expected to pay for them.

Like most other versions, it appends an extension to affected files in a fixed pattern: .[omfg@420blaze.it].korea. Discovered at almost the same time as other variants of the Dharma family, this threat automatically opens an HTML window with payment instructions and lists places where Bitcoin, the ransomware operators' preferred cryptocurrency, can be bought.

Stun ransomware

Stun ransomware showed up in early April 2019, just after April Fools' Day. This Dharma version surfaced without warning and was analyzed thanks to samples submitted by affected users. The analysis showed that this particular variant wipes some files and installs components in various folders of the system.

The developers also made further changes that become clear when two viruses from the same family are compared side by side. Files, typically marked with the .id.[unlockdata@foxmail.com].stun extension, are not the only things this cryptovirus touches, so get a reputable anti-malware program and run a full system scan.
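To tell which of the variants above hit a host, the encrypted file names are usually enough, because every Dharma version appends its marker in the same general layout: the original name and extension, an optional victim ID, an optional contact e-mail (in square brackets for most variants, bare for KARLS) and the variant marker. The following script is an added example, not code from this page or from any vendor; it assumes only the name patterns quoted in the sections above, and the file listing it parses is constructed for the example.

```python
import re
from collections import Counter

# Markers (final extensions) of the variants described on this page.
KNOWN_MARKERS = {"frend", "KARLS", "AYE", "NWA", "korea", "stun", "dharma"}

# General layout of a Dharma-encrypted file name, assembled from the patterns above:
#   <original name>.<original ext>[.id-<victim id> | .id][.[<e-mail>] | .<e-mail>].<marker>
# The id and e-mail parts are optional: .frend omits both, .korea has only the e-mail,
# .stun writes a bare ".id", and KARLS writes the e-mail without square brackets.
# The original name must carry an extension; names without one are not parsed.
NAME_RE = re.compile(
    r"^(?P<original>.+?\.[A-Za-z0-9]{1,10})"             # lazy: name plus its own extension
    r"(?:\.id(?:-(?P<id>[0-9A-Za-z]+))?)?"               # ".id-ABCD1234" or bare ".id"
    r"(?:\.(?:\[(?P<email_b>[^\s\[\]]+@[^\s\[\]]+)\]"    # ".[who@where]" (any local part)
    r"|(?P<email_u>[A-Za-z0-9_]+@[A-Za-z0-9.-]+?)))?"    # ".who@where" (local part w/o dots)
    r"\.(?P<marker>[A-Za-z0-9]+)$"                       # variant marker, e.g. NWA
)


def parse_encrypted_name(name):
    """Return {'original', 'id', 'email', 'marker'} for a Dharma-style name, else None.

    A bare file such as report.docx never matches (nothing is left for the marker), but
    report.docx.bak would match with marker='bak', so a hit is only accepted when the
    marker is a known variant or an id / e-mail part is present.
    """
    m = NAME_RE.match(name)
    if not m:
        return None
    g = m.groupdict()
    parts = {"original": g["original"], "id": g["id"],
             "email": g["email_b"] or g["email_u"], "marker": g["marker"]}
    if parts["marker"] not in KNOWN_MARKERS and parts["id"] is None and parts["email"] is None:
        return None
    return parts


def summarize(names):
    """Count encrypted files per (marker, contact e-mail): a quick triage of which variant hit."""
    counts = Counter()
    for n in names:
        p = parse_encrypted_name(n)
        if p:
            counts[(p["marker"], p["email"])] += 1
    return counts


# Constructed sample listing (not from a real infected host), one name per variant above.
SAMPLE_NAMES = [
    "report.docx.id-A1B2C3D4.[dr.crypt@aol.com].NWA",
    "budget.xlsx.id-A1B2C3D4.[dr.crypt@aol.com].NWA",
    "invoice.pdf.id-F0E1D2C3.karlosdecrypt@outlook.com.KARLS",
    "photo.jpg.[omfg@420blaze.it].korea",
    "data.xlsx.id.[unlockdata@foxmail.com].stun",
    "notes.txt.frend",
    "backup.zip.[oron@india.com].dharma",
    "readme.docx",          # untouched files must not be counted
    "FILES ENCRYPTED.txt",  # the ransom note itself
]

if __name__ == "__main__":
    for (marker, email), n in summarize(SAMPLE_NAMES).most_common():
        print(f"{n:3d} file(s)  marker=.{marker:<6} contact={email}")
```

Feed it the output of a directory listing from the infected host; the (marker, e-mail) pairs it returns are what to search for when looking up whether a decryptor exists for that variant. An unbracketed e-mail with dots in its local part (not seen on this page) cannot be told apart from the original extension, which is why the bare form is parsed more strictly than the bracketed one.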

Suspicious email attachments – the main way to distribute ransomware executable

Just like many other ransomware-type viruses, this one takes advantage of unwary computer users and employs phishing[10] techniques to infect targeted systems. One of the most popular approaches is malspam: campaigns that trick people into opening malicious attachments carrying the Dharma payload. Despite widely available advice on precautions, many people continue to fall for the same tricks.

Dharma cryptovirus
Dharma cryptovirus has mostly been spreading around with the help of spam.

The LesVirus.fr[11] team has prepared tips to avoid ransomware infiltration. Do the following if you want to protect your computer:

  • If you receive an email from an unknown sender, company or institution, examine it carefully.
  • Ask whether you were expecting such an email at all; if you have no idea why it reached you, you may be the target of extortionists.
  • In that case, stay away from any attachments and delete the email immediately. Otherwise Dharma can sneak in its payload disguised as a plane ticket, a speeding ticket or another document that looks convincing enough to be trusted.

Particular AV tool installation hides malicious payload dropping and encrypting processes

Campaigns seen in 2019 revealed more about one particular Dharma distribution method. It still involves spam emails and downloaded files, but it revolves around the installation of a specific AV tool, during which the cryptovirus hides its infiltration and encryption activity.

The email that delivers the file claims that malware has to be removed from the machine or that the system is at risk and may be damaged unless the program linked in the notification is downloaded. The sender poses as Microsoft and claims to be a member of its support team.

When the DOWNLOAD button is clicked, the password supplied in the email is required to open the file (password-protecting the download also keeps its contents opaque to any automated scanning along the way). The program then arrives as a self-extracting executable named Defender_nt32_enu.exe or Defender.exe. It launches an old version of ESET AV Remover, and while that installer waits for the user's input, Dharma carries out its ransomware activity in the background.

The security-tool installation and the Dharma encryption do not depend on each other: encryption still happens when the installation is never started. The installer is included to convince the victim that nothing malicious is going on when the system slows down, which is in fact the encryption running.
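The point a defender should take from the paragraphs above is that the decoy installer is optional, so detection has to key on the encryption behaviour itself and treat the installer names only as supporting context. The following is an added example, not code from this page, from ESET or from any vendor: it runs that logic over constructed process and file-rename telemetry. The event format, the burst thresholds and the payload name crypt.exe are assumptions (the page does not name the dropped file); the installer names and the NWA-style renamed files come from the page.

```python
from collections import deque

# Self-extracting installer names the page ties to the decoy campaign.
DECOY_IMAGES = {"defender.exe", "defender_nt32_enu.exe"}

# Heuristic thresholds, assumed for this example and to be tuned per environment:
BURST_THRESHOLD = 20    # renames by one process within WINDOW_S that we call "encryption"
WINDOW_S = 10.0
CORRELATION_S = 300.0   # a decoy started up to this long before the burst gets linked to it


def rename_bursts(events):
    """Yield (first_ts, process, count) once per process whose rename rate crosses the threshold.

    `events` are dicts {"ts": float, "type": "process_start" | "file_rename",
    "image": str, "target": str}; a sliding window of rename timestamps is kept per process.
    """
    windows, alerted = {}, set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] != "file_rename":
            continue
        proc = e["image"].lower()
        if proc in alerted:
            continue
        w = windows.setdefault(proc, deque())
        w.append(e["ts"])
        while e["ts"] - w[0] > WINDOW_S:
            w.popleft()
        if len(w) >= BURST_THRESHOLD:
            alerted.add(proc)
            yield w[0], proc, len(w)


def detect(events):
    """Alert on encryption-like rename bursts; annotate with a decoy installer seen shortly before.

    The burst alone raises the alert. The page notes that encryption runs even when the
    AV-tool installer is never launched, so the decoy is supporting context, not a precondition.
    """
    decoys = [(e["ts"], e["image"]) for e in events
              if e["type"] == "process_start" and e["image"].lower() in DECOY_IMAGES]
    alerts = []
    for ts, proc, n in rename_bursts(events):
        linked = [img for dts, img in decoys if 0 <= ts - dts <= CORRELATION_S]
        alerts.append({"ts": ts, "process": proc, "renames": n,
                       "decoy_installer": linked[0] if linked else None})
    return alerts


def constructed_events(with_decoy=True):
    """Constructed telemetry, not real logs. 'crypt.exe' is a hypothetical name for the
    dropped payload (the page does not name it); the renamed targets follow the NWA pattern."""
    ev = []
    if with_decoy:
        ev.append({"ts": 0.0, "type": "process_start", "image": "Defender.exe", "target": ""})
    ev.append({"ts": 2.0, "type": "process_start", "image": "crypt.exe", "target": ""})
    for i in range(30):     # 30 renames in 3 seconds: the encryption pass
        ev.append({"ts": 3.0 + i * 0.1, "type": "file_rename", "image": "crypt.exe",
                   "target": rf"C:\Users\a\Documents\doc{i}.docx.id-A1B2C3D4.[dr.crypt@aol.com].NWA"})
    for i in range(5):      # benign: a handful of renames by Explorer spread over a minute
        ev.append({"ts": 10.0 + i * 12.0, "type": "file_rename", "image": "explorer.exe",
                   "target": rf"C:\Users\a\Downloads\file{i}.txt"})
    return ev


if __name__ == "__main__":
    for a in detect(constructed_events()):
        print(a)
```

With the decoy present, the alert names Defender.exe as the linked installer; with `with_decoy=False` the same burst still alerts, which is the behaviour the page's observation demands. Backup agents and archivers also rename files quickly, so in production the process allow-list and the thresholds need tuning per host.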

Dharma ransomware distribution involves AV tool
AV tool installation hides the malicious encryption process of the Dharma cryptovirus.

Removal instructions for Dharma ransomware

Ransomware-type threats are dangerous and tricky. Victims can either get help from an IT specialist or use a professional Dharma removal tool. Note that such infections have numerous components and can hide them or disguise them as legitimate system processes.

That is why you cannot simply remove Dharma directly; a few extra steps are needed before you run the system scan. They are presented below. Follow them and don't forget to scan your system automatically afterwards. We suggest one of these tools: SpyHunter 5, Combo Cleaner or Malwarebytes; Reimage Cleaner is useful for repairing any damage the virus has done.

Bonus: video clip for help on the Dharma virus elimination process

Since Dharma ransomware has been a widely distributed cyber threat, we have prepared more detailed removal instructions with graphical elements. Our goal is to help users clean, optimize and refresh their systems after infiltration by dangerous malware. If you are a victim of this notorious file-encrypting threat, watch the video clip and get a clearer view of the elimination process:

Dharma ransomware virus snapshot: Dharma Bip ransomware

To remove Dharma virus, follow these steps:

Remove Dharma using Safe Mode with Networking

In order to make the ransomware inactive and let you install the security software, you need to boot your system into Safe Mode with Networking. Here are instructions which will guide you through the process:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift and click Restart.
    2. Select Troubleshoot → Advanced options → Startup Settings and press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Dharma

    Log in to your infected account and start the browser. Download Reimage Cleaner or another legitimate anti-malware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Dharma removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Dharma using System Restore

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift and click Restart.
    2. Select Troubleshoot → Advanced options → Startup Settings and press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When the System Restore window shows up, click Next and select a restore point dated before the Dharma infiltration. Then click Next.
    4. Click Yes to start the system restore.
    Once you have restored the system to a previous date, download Reimage Cleaner, scan your computer and make sure that Dharma removal has been completed.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove Dharma from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Dharma, you can use several methods to restore them:

Get Data Recovery Pro tool

Experts highly recommend using this recovery software for those who would like to save their time and get back the access to their data automatically. 

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Dharma ransomware;
  • Restore them.

You can recover individual files with Windows Previous Versions feature

Windows users may be able to recover individual files encrypted by Dharma right away. The requirement is that System Restore, and the volume shadow copies it relies on, was enabled before the ransomware entered the computer: Previous Versions can only restore from a shadow copy taken before the infection.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file under "Folder versions". Select the version you want to recover and click "Restore".
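Before clicking through Previous Versions on hundreds of files, it is worth checking whether a shadow copy from before the infection still exists at all. The following is an added example, not code from this page: it parses the text that `vssadmin list shadows` prints on Windows (run from an elevated prompt) and keeps only the copies of the system drive that predate the infection time, for which the timestamp of the FILES ENCRYPTED.txt note or of the oldest encrypted file is a reasonable choice. The US-locale date format is an assumption, and the sample output is constructed.

```python
import re
from datetime import datetime

# vssadmin prints one "Contents of shadow copy set" block per snapshot set. The creation
# time belongs to the set and applies to every "Shadow Copy ID:" entry below it, each of
# which names its original volume and its device path. Layout assumed (US locale):
#   Contained 1 shadow copies at creation time: 3/27/2019 9:05:11 PM
#      Shadow Copy ID: {...}
#         Original Volume: (C:)\\?\Volume{...}\
#         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
CREATED_RE = re.compile(r"creation time:\s*(.+?)\s*$")
COPY_ID_RE = re.compile(r"^\s*Shadow Copy ID:")
VOLUME_RE = re.compile(r"Original Volume:\s*\((?P<drive>[A-Za-z]:)\)")
DEVICE_RE = re.compile(r"Shadow Copy Volume:\s*(?P<dev>\S+)")
DATE_FMT = "%m/%d/%Y %I:%M:%S %p"   # adjust for non-US Windows locales


def parse_vssadmin(text):
    """Turn `vssadmin list shadows` output into [{'created', 'drive', 'device'}]."""
    copies, created, cur = [], None, None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            created = datetime.strptime(m.group(1), DATE_FMT)
            continue
        if COPY_ID_RE.match(line) and created is not None:
            cur = {"created": created, "drive": None, "device": None}
            copies.append(cur)
            continue
        if cur is None:
            continue
        m = VOLUME_RE.search(line)
        if m:
            cur["drive"] = m.group("drive").upper()
        m = DEVICE_RE.search(line)
        if m:
            cur["device"] = m.group("dev")
    return copies


def usable_copies(copies, infection_time, drive="C:"):
    """Shadow copies of `drive` taken before the infection, newest first.

    Copies taken after `infection_time` already contain encrypted data and are useless
    for Previous Versions, so they are dropped.
    """
    hits = [c for c in copies if c["drive"] == drive and c["created"] < infection_time]
    return sorted(hits, key=lambda c: c["created"], reverse=True)


def check(text, infection_iso, drive="C:"):
    """Convenience wrapper: ISO-8601 infection time in, usable device paths out (newest first)."""
    when = datetime.fromisoformat(infection_iso)
    return [c["device"] for c in usable_copies(parse_vssadmin(text), when, drive)]


# Constructed sample output (not captured from a real machine): two copies before the
# infection on 3/28/2019 and one taken after it.
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 3/20/2019 8:00:03 AM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{c0000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WS01
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 3/27/2019 9:05:11 PM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (C:)\\?\Volume{c0000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WS01
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 3/28/2019 11:30:45 PM
      Shadow Copy ID: {cccccccc-cccc-cccc-cccc-cccccccccccc}
         Original Volume: (C:)\\?\Volume{c0000000-0000-0000-0000-000000000001}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WS01
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

if __name__ == "__main__":
    # Timestamp of the ransom note (constructed) marks the start of the infection.
    for dev in check(SAMPLE_OUTPUT, "2019-03-28T10:15:00"):
        print("usable pre-infection shadow copy:", dev)
```

If the function returns an empty list, Previous Versions will show nothing useful and you should move on to the decryptor or backups; if it returns copies, the newest one is the snapshot Previous Versions will offer for files on that drive.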

Dharma decryptor works only for some ransomware versions

Victims of the older Dharma versions are lucky: master decryption keys for the earlier Crysis/Dharma variants were leaked online, and Kaspersky Lab has updated its decryptor to use them. Alternatively, try the ESET Crysis decryptor. These leaked keys cover only the older versions; the 2019 variants described above are generally not decryptable with them, so check which marker your files carry before trying.

In case the decryptor fails to decrypt your files: recently, our team received a message from a reader who said one of his clients got infected with the .[oron@india.com].dharma version. Surprisingly, he reported that he managed to restore encrypted data archives by extracting them with 7-Zip. We suggest you try this method if you haven't already. You can find the original comment in the comments section below.

Finally, you should always think about protection against crypto-ransomware. To protect your computer from Dharma and other ransomware, use a reputable anti-malware program such as Reimage Cleaner, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Jake Doevan
Jake Doevan - Computer technology expert


  1. Ebbie Millton says:
    December 30th, 2016 at 9:21 am

    Well this virus escalated from an obscure little parasite. I still remember when it first came out

  2. PweDiepie says:
    December 30th, 2016 at 9:22 am

    What a spiritual title for such a nasty parasite

  3. Sean Venter says:
    February 23rd, 2017 at 3:30 am

    I had a client that got this infection on their accounting server and because they hadn't noticed the infection it encrypted all files on their backup hard disk drives that they rotate on a daily basis. So they have lost all their data. As I started to reinstall everything I right-clicked on one of the encrypted backup zip files that had the extension .[oron@india.com].dharma and I managed to open it with 7-Zip, and I managed to extract all of their backups from the latest zip file!!! Don't know if it is a bug in the virus but somehow all the zip files on the external hard disk drive have the .[oron@india.com].dharma extension but I am able to extract the data with 7-Zip. Hope this helps anybody as this is really a serious virus infection.

  4. 2spyware says:
    February 23rd, 2017 at 4:16 am

    Dear Sean, thank you for your information. It will definitely help infected users!
