Remove Harma ransomware (Virus Removal Guide) - Bonus: Decryption Steps

Removal guide by Linas Kiguolis | Type: Ransomware

Harma ransomware is a file-locking threat that stems from the Dharma family

Harma ransomware is a type of malware that locks all personal files on the host machine and then demands a ransom payment for the decryption tool. The encryption procedure is typically performed with the help of AES, DES or RSA ciphers,[1] as the virus hails from Dharma, a relatively old family that is nonetheless one of the most prevalent ransomware families.

As soon as data is locked, victims will notice the [].harma extension appended to each photo, music, video, database, document, and other file. The malware skips system files and executables, however, because the hackers' goal is to extort money rather than destroy the system (at least in this case, although wiper-type[2] ransomware does exist).

After locking all personal files, Harma virus launches a ransom note – a pop-up window that displays the message from hackers. Additionally, a text file RETURN FILES.txt is also dropped, which is essentially a short version of the note. Threat actors explain that victims have to contact them via or email addresses and pay a ransom using Bitcoin cryptocurrency. Additionally, crooks also threaten to delete the key after seven days if no contact is established.

Name: Harma
Type: Ransomware
File extension: [].harma
Ransom note: RETURN FILES.txt, a pop-up window
Contact: or
Distribution: Spam emails, web injects, fake updates, cracks, pirated software, exploits, etc.
Decryption: Only available via backups or third-party tools
Virus removal: Use anti-malware software such as SpyHunter 5 or Combo Cleaner
Recovery: To restore damaged Windows system files and registry, use Reimage Reimage Cleaner Intego

While there is currently no decryption tool able to decipher the encrypted files, victims should not risk losing their money and should avoid contacting the criminals. After Harma ransomware removal, victims can try alternative recovery methods that involve third-party software or the System Restore feature.

There are multiple ways Harma ransomware could have infected your computer. For example, many variants of Dharma were spread through fake Adobe, Microsoft, and other legitimate-looking updates. However, just like any other type of malware, Harma virus can also be spread with the help of exploits, cracked software, hacked sites, spam emails, etc.

Once inside the system, Harma ransomware deletes Shadow Volume snapshots with the help of a specific command launched by the virus. It also modifies the Windows registry to gain persistence and run its malicious tasks at all times.
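An added example (not from the original guide or any vendor tool): detection logic for the two behaviours described above, run over constructed events. The event shape, host names and rule names are hypothetical, and because the guide does not name the command or the registry key, the patterns are assumptions based on commonly reported ransomware behaviour.

```python
import re

# Assumption: the guide does not name the command Harma runs or the key it
# writes; these patterns are widely reported ransomware behaviours.
CMD_RULES = {
    "shadow_copy_delete": re.compile(
        r"vssadmin(\.exe)?\s.*delete\s+shadows|wmic(\.exe)?\s.*shadowcopy\s.*delete"),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s.*delete\s+catalog"),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no"),
}
# Per-user and per-machine autorun keys (Run / RunOnce).
AUTORUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\")

def normalize(text):
    """Lower-case and collapse whitespace so spacing and case do not matter."""
    return " ".join(text.lower().split())

def triage(events):
    """Return (host, rule, detail) for every event that matches a rule."""
    hits = []
    for ev in events:
        if ev["type"] == "process_create":
            cmd = normalize(ev["cmdline"])
            hits += [(ev["host"], name, ev["cmdline"])
                     for name, rx in CMD_RULES.items() if rx.search(cmd)]
        elif ev["type"] == "registry_set":
            # Legitimate software writes autorun values too: a lead, not a verdict.
            if AUTORUN_KEY.search(ev["key"].lower() + "\\"):
                hits.append((ev["host"], "autorun_value_set", ev["key"]))
    return hits

# Constructed events in a simplified shape (not a real log schema).
SAMPLE_EVENTS = [
    {"host": "WS-014", "type": "process_create",
     "cmdline": r"C:\Windows\System32\cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"host": "WS-014", "type": "process_create",
     "cmdline": "VSSADMIN.EXE   Delete  Shadows /All"},
    {"host": "WS-014", "type": "registry_set",
     "key": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\sample"},
    {"host": "WS-020", "type": "process_create", "cmdline": "vssadmin list shadows"},
    {"host": "WS-020", "type": "process_create", "cmdline": "wbadmin delete catalog -quiet"},
]

if __name__ == "__main__":
    for host, rule, detail in triage(SAMPLE_EVENTS):
        print(f"{host}  {rule:<22} {detail}")
```

A shadow-copy deletion and an autorun write on the same host within a short window is a much stronger signal than either event alone.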

After file encryption, Harma ransomware drops the following ransom note:



You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.

Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

As we already mentioned, do not contact cybercriminals, as they might fail to send you the decryptor. Be aware that they locked your data by using malware – and distributing it is a criminal offense (trusting hackers is the same as trusting thieves in real life). Thus, remove Harma ransomware with anti-malware software and try alternative solutions that might help you to recover your data.

Additionally, to recover from virus damage that was done upon the infection, experts[3] recommend scanning the computer with Reimage Reimage Cleaner Intego – it can restore Windows registry and other damaged system files.

Avoid ransomware-type infections by being careful online

It is no secret that hackers aim to exploit less careful users, and they have been doing so successfully for decades. While some malware distribution methods require no user interaction whatsoever, most infections occur with the help of social engineering. Additionally, unsafe places on the internet, such as the Dark Web or sites offering software cracks, are the first stops for getting infected with ransomware or other threats.

Therefore, to reduce the chance of infection, make sure you follow these tips:

  • Employ robust security software
  • Enable firewall
  • Update your system regularly
  • Enable automatic update feature for all the installed programs on your PC
  • Protect your Remote Desktop connection by using a strong password
  • Avoid websites that offer cracks and keygens, along with pirated software
  • Use ad-blocker
  • Beware that spam email attachments or hyperlinks might be malicious
  • When installing new software, pick Advanced settings in order to avoid optional applications.

Do not try to remove Harma ransomware manually

While it is possible to remove Harma ransomware and all its components manually, it is not recommended. Ransomware is a sophisticated threat that affects different parts of the Windows operating system, and regular users will simply not know where to look to delete the malware completely.

Therefore, opt for automatic Harma ransomware removal instead. For that, you should employ an anti-malware solution that is able to detect this particular version of Dharma. Not all security applications are capable of doing so, so a scan with alternative anti-malware programs might be needed to terminate the threat altogether.

Once you delete Harma virus, you can connect your backups and restore all your files. If you didn't have any backups prepared, use the guide below for alternative recovery methods that might be able to help you (although chances are relatively low).
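An added example (not from the original guide): an inventory of what needs restoring, built from the [].harma suffix and the RETURN FILES.txt note named earlier on this page. The function names and sample paths are hypothetical, the contact address is a placeholder, and the optional `.id-<8 hex>` name component is an assumption based on Dharma-family naming.

```python
import os
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# "[<contact>].harma" is the suffix described on this page; the optional
# ".id-<8 hex>" part is an assumption based on Dharma-family naming.
ENCRYPTED = re.compile(
    r"^(?P<original>.+?)(?:\.id-(?P<victim_id>[0-9A-Fa-f]{8}))?\.\[[^\]]*\]\.harma$")
NOTE_NAME = "return files.txt"

def inventory(paths):
    """Group original file names by folder and list ransom-note locations."""
    report = {"encrypted": defaultdict(list), "notes": [], "victim_ids": set()}
    for raw in paths:
        p = PureWindowsPath(raw)
        m = ENCRYPTED.match(p.name)
        if m:
            # Original name = what to look for in the backup set.
            report["encrypted"][str(p.parent)].append(m.group("original"))
            if m.group("victim_id"):
                report["victim_ids"].add(m.group("victim_id").upper())
        elif p.name.lower() == NOTE_NAME:
            report["notes"].append(str(p))
    return report

def scan(root):
    """Yield every file path under root (read-only walk, nothing is modified)."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            yield os.path.join(folder, name)

# Constructed sample paths; the contact address is a placeholder.
SAMPLE_PATHS = [
    r"C:\Users\ana\Documents\budget.xlsx.id-1A2B3C4D.[contact@example.invalid].harma",
    r"C:\Users\ana\Documents\notes.txt.[contact@example.invalid].harma",
    r"C:\Users\ana\Desktop\RETURN FILES.txt",
    r"C:\Windows\System32\kernel32.dll",
]

if __name__ == "__main__":
    result = inventory(SAMPLE_PATHS)  # on a real host: inventory(scan("C:\\Users"))
    for folder, names in result["encrypted"].items():
        print(folder, "->", ", ".join(names))
    print("ransom notes:", result["notes"])
```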

To remove Harma virus, follow these steps:

Remove Harma using Safe Mode with Networking

If Harma ransomware interferes with your anti-malware software in any way, you should access Safe mode with Networking:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Harma

    Log in to your infected account and start the browser. Download Reimage Reimage Cleaner Intego or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete Harma removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Harma using System Restore

You can use System Restore to terminate the infection:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Harma. After doing that, click Next.
    4. Now click Yes to start system restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage Reimage Cleaner Intego and make sure that Harma removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Harma from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by security experts.

If your files are encrypted by Harma, you can use several methods to restore them:

For file recovery, use Data Recovery Pro

This tool might be able to help you recover at least some of your files.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Harma ransomware;
  • Restore them.

Employ Windows Previous Versions feature if you have no backups

This solution is only available for those who had the System Restore feature enabled.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to the “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

You can use ShadowExplorer for data recovery

If the virus failed to delete Shadow Volume Copies, there is a high chance you will be able to retrieve all your files using ShadowExplorer.

  • Download Shadow Explorer (;
  • Follow the Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available for Harma ransomware

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Harma and other ransomware, use a reputable anti-spyware program, such as Reimage Reimage Cleaner Intego, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Linas Kiguolis
Linas Kiguolis - Expert in social media
