
Remove Kharma ransomware (Removal Instructions) - Recovery Instructions Included

Removal by Jake Doevan | Type: Ransomware

Kharma ransomware is a file locking virus that threatens to delete the key to the locked files on the host machine after seven days

[Image: Kharma ransomware] Kharma ransomware is a type of malware that renders all personal files on the host machine useless

Kharma ransomware is a file locking malware that was first spotted in the wild in November 2019 and is a part of the Dharma virus family. The goal of this virus is to make users pay a ransom in Bitcoin or another cryptocurrency for the encrypted data, which is locked with the RSA encryption algorithm,[1] and each of the files is appended with the .kharma extension. To let victims know what happened to their data and how they can recover it, the malicious actors behind Kharma ransomware also drop two ransom notes – Info.hta and RETURN FILES.txt.

Both notes serve as a message from the Kharma virus authors: users are told that they need to contact the crooks via teammarcy10@cock.li for further instructions. While there is no decryptor for this malware yet, users should avoid contacting the cybercriminals, as there is a chance of losing not only the encrypted files but also the money.[2] While the chances are low, there are other methods that could help victims recover their data after Kharma ransomware removal.

Name: Kharma ransomware
Type: Cryptovirus, file locking malware
Malware family: The virus belongs to the Dharma/Crysis ransomware family, which is among the most prominent ransomware infections in the wild
Infection: Ransomware uses several methods for propagation, including infected installers (such as the crack tool KMSpico), malicious spam email attachments, weak RDP connections, etc.
Encryption algorithm: The virus uses the RSA encryption algorithm to lock all personal data on the device
File extension: Each file is appended with the .[teammarcy10@cock.li].kharma extension. For example, picture.jpg is turned into picture.jpg.[teammarcy10@cock.li].kharma and is no longer accessible. The malware skips .exe, .sys and a few other file formats, however
Ransom notes: Info.hta (titled “eammarcy10@cock.li” once opened) and RETURN FILES.txt are dropped into each affected folder; both serve as messages from the malicious actors and explain to users how to proceed
Contact emails: Users are told to write to teammarcy10@cock.li or justbtcwillhelpu@firemail.cc to contact the cybercriminals
File decryption: Currently, there is no Kharma ransomware decryptor available. However, users can restore files from backups (if available) or try third-party recovery tools; we provide the instructions below
Malware removal: The best way to eliminate the virus is to access Safe Mode with Networking and then scan the machine with reputable anti-malware software
Recovery: After malware elimination, we suggest scanning the machine with Reimage Cleaner to fix virus damage and restore Windows registry files

Dharma is an old ransomware family – it was first established in 2016, and since then, dozens of variants have been released. Mostly, the malware targets organizations,[3] although regular computer users can also easily get infected with the Kharma virus or another variant of the malware.

Kharma ransomware developers use several infection methods for malware propagation, including:

  • Poorly protected RDP connections
  • Spam email attachments
  • Malicious executables, such as KMSpico (it is a crack tool used to unlock full version of MS Office or Windows)
  • Malicious ads.

Once inside the system, Kharma ransomware starts modifying the system in order to prepare it for the file encryption process. It drops several files on the OS, modifies the Windows registry, deletes Shadow Volume Copies, accesses various Windows processes (such as lsass.exe or vssadmin.exe), loads new modules, etc. Once the preparations are complete, Kharma ransomware begins to scan the machine for files to encrypt.

Kharma ransomware encrypts the most popular file types used in corporations and by home users, including .pdf, .doc, .txt, .jpg, .mp3, .mpg, .sql, etc. At that point, users lose access to their files, as a strong cryptographic algorithm is applied to them. To regain access to the data, victims need to acquire a key that is sent to the hackers' Command & Control server.[4] According to the cybercriminals behind Kharma, users should not tamper with the encrypted data, as they might lose it completely. Besides, in the ransom note, they also mention that the decryption key will be deleted seven days after the infection.
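As an added triage example (not code from the original article or from any vendor named here), the script below inventories a file listing for the Kharma naming scheme described above (original name, then .[contact email].kharma) and for the two ransom note names, reporting the affected folders and the original file names without touching any file. The sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Dharma/Kharma naming scheme described in the article:
#   <original name>.<original ext>.[<contact email>].kharma
KHARMA_RE = re.compile(r"^(?P<original>.+)\.\[(?P<email>[^\]]+)\]\.kharma$", re.IGNORECASE)

# Ransom note file names the article says are dropped next to encrypted data.
RANSOM_NOTES = {"info.hta", "return files.txt"}

def parse_kharma_name(name):
    """Return (original_name, contact_email) if name matches the Kharma scheme, else None."""
    m = KHARMA_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("email")

def triage(paths):
    """Read-only inventory of Windows paths: encrypted files (with the name they had
    before encryption), ransom notes, contact emails seen, and affected folders."""
    report = {"encrypted": [], "notes": [], "emails": set(), "folders": set()}
    for p in paths:
        wp = PureWindowsPath(p)
        parsed = parse_kharma_name(wp.name)
        if parsed:
            original, email = parsed
            report["encrypted"].append((str(wp), original))
            report["emails"].add(email)
            report["folders"].add(str(wp.parent))
        elif wp.name.lower() in RANSOM_NOTES:
            report["notes"].append(str(wp))
            report["folders"].add(str(wp.parent))
    return report

# Constructed sample listing (not taken from a real infection).
SAMPLE = [
    r"C:\Users\alice\Documents\report.docx.[teammarcy10@cock.li].kharma",
    r"C:\Users\alice\Pictures\picture.jpg.[teammarcy10@cock.li].kharma",
    r"C:\Users\alice\Pictures\Info.hta",
    r"C:\Users\alice\Pictures\RETURN FILES.txt",
    r"C:\Windows\System32\notepad.exe",   # .exe is skipped by the malware, so it stays as-is
]

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(f"{len(r['encrypted'])} encrypted files, {len(r['notes'])} notes, "
          f"folders: {sorted(r['folders'])}, emails: {sorted(r['emails'])}")
```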

[Image: Kharma ransomware virus] Kharma ransomware is a file locking virus that is usually distributed via unprotected RDP connections, malicious spam email attachments, or pirated software/cracks

Besides the Info.hta file, users can also access a brief version of the note which states:

All your data is encrypted!
for return write to mail:
teammarcy10@cock.li or justbtcwillhelpu@firemail.cc

Paying the ransom is extremely risky, as the hackers might never send the required decryption software and simply keep the money. Therefore, instead back up all the encrypted data, remove Kharma ransomware with anti-malware that can recognize the malware, attempt to recover files with the help of our instructions below, and, finally, scan your machine with Reimage Cleaner to ensure a swift recovery after the infection.

Ransomware developers use multiple methods to deliver the malicious payloads

Using several different methods for ransomware delivery simply ensures that more people will get infected, consequently increasing the chances of the ransom being paid. As previously mentioned, users get infected with Dharma variants after downloading a malicious version of the crack tool KMSpico or similar software and running it on their machines in order to bypass the licensing process of MS Office or Windows OS. Pirating software is not only illegal but often leads to malware infections. While most users are aware of the risk, they are still willing to proceed with downloading and running software cracks. Therefore, stay away from illegal software installers and key generators/cracks, as these tools are likely to carry a secondary payload, such as ransomware.

Security researchers[5] also warn that a built-in Windows feature like Remote Desktop connection can also be used to insert the malware manually. Most of the time, hackers scan the internet for poorly protected RDP endpoints, try thousands of passwords with the help of automated software, brute-force access to the machine, and install the payload manually. To avoid such consequences, users should never use the default TCP port and should use complex passwords for these connections.
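The automated password guessing described above leaves a recognizable trace in the Windows Security log. As an added detection example (not part of the original article), the function below reads constructed, simplified log lines and flags any source IP that produces a burst of failed RDP logons (event 4625, logon type 10) inside a sliding window, and additionally marks whether that IP then logged on successfully (event 4624), which is the case a responder most wants to see first. The line format and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified Security-log lines (not real data). EventID 4625 is a
# failed logon, 4624 a successful one; LogonType 10 is RemoteInteractive (RDP).
SAMPLE_LOG = """\
2019-11-20T10:00:01 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2019-11-20T10:00:02 EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.5
2019-11-20T10:00:03 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.5
2019-11-20T10:00:03 EventID=4625 LogonType=2 TargetUser=alice IpAddress=203.0.113.5
2019-11-20T10:00:04 EventID=4625 LogonType=10 TargetUser=test IpAddress=203.0.113.5
2019-11-20T10:00:05 EventID=4625 LogonType=10 TargetUser=guest IpAddress=203.0.113.5
2019-11-20T10:00:06 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
2019-11-20T10:00:07 EventID=4625 LogonType=10 TargetUser=bob IpAddress=198.51.100.7
2019-11-20T10:00:09 EventID=4624 LogonType=10 TargetUser=administrator IpAddress=203.0.113.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"TargetUser=(?P<user>\S+) IpAddress=(?P<ip>\S+)$")

def parse_events(log):
    """Yield (timestamp, event_id, logon_type, user, ip) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), int(m["eid"]),
                   int(m["lt"]), m["user"], m["ip"])

def detect_rdp_bruteforce(log, threshold=5, window=timedelta(seconds=60)):
    """Flag source IPs with >= threshold failed RDP logons inside a sliding window.
    A later successful RDP logon from a flagged IP is recorded as success_after."""
    recent = defaultdict(list)       # ip -> failed-logon timestamps still in window
    alerts = {}
    for ts, eid, lt, user, ip in parse_events(log):
        if lt != 10:                 # only RDP (RemoteInteractive) logons matter here
            continue
        if eid == 4625:
            recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
            if len(recent[ip]) >= threshold:
                a = alerts.setdefault(ip, {"failures": 0, "users": set(), "success_after": False})
                a["failures"] = max(a["failures"], len(recent[ip]))
                a["users"].add(user)
        elif eid == 4624 and ip in alerts:
            alerts[ip]["success_after"] = True
    return alerts

if __name__ == "__main__":
    for ip, a in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, a)
```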

[Image: Kharma ransomware encrypted files] Once the Kharma virus finishes the file encryption process, none of the data can be accessed anymore

Spam email attachments with embedded malicious macros are also one of the most used ways to propagate ransomware. Crooks compile a phishing email that prompts users to open a fake .pdf, .doc, .txt, or similar file, which executes commands that lead to the download and installation of the malware. When dealing with daily emails, make sure that they come from legitimate sources and never allow a document to run macro commands.

Finally, it is also vital to back up all relevant files on a regular basis, ensure Windows is up-to-date, run a comprehensive security solution, and exercise general safe internet browsing practices.

Get rid of Kharma ransomware before trying file restoration process

While there is a way to remove Kharma ransomware manually, it is almost impossible for regular computer users to achieve, as cryptoviruses change the system drastically, dropping multiple files, spawning new processes, etc. Therefore, it is best to get rid of the malware and all its components via an anti-malware software scan. In some cases, the virus might interfere with the operation of the security tool – simply access Safe Mode with Networking and perform a full system scan from there. Note that you should back up all the locked files before you eliminate the Kharma virus, as the process might permanently damage the data.

After Kharma ransomware removal is complete and files are backed up, you can try to recover the encrypted data. As previously mentioned, there is no Kharma decryptor available, so the only way is to retrieve files from backups. In case no backups are available, you can try using third-party recovery software or Windows Previous Versions feature as per instructions below.


To remove Kharma virus, follow these steps:

Remove Kharma using Safe Mode with Networking

Safe Mode with Networking allows you to temporarily disable the functionality of the malware, allowing security software to delete all the malicious components without interruption:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Kharma

    Log in to your infected account and start the browser. Download Reimage Cleaner or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Kharma removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Kharma using System Restore

System Restore can also be used when trying to delete the Kharma ransomware:

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start → Shutdown → Restart → OK.
    2. When your computer becomes active, start pressing F8 repeatedly until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, type cd restore (without quotes) and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Kharma. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you have restored your system to a previous date, download Reimage Cleaner, scan your computer with it, and make sure that Kharma removal has been performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Kharma from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Kharma, you can use several methods to restore them:

Data Recovery Pro method might be effective

Data recovery software might sometimes be able to retrieve working copies of files that are hidden inside the HDD. Nevertheless, the more the machine is used post-infection, the fewer chances are to extract data.

  • Download Data Recovery Pro;
  • Follow the steps of Data Recovery Setup and install the program on your computer;
  • Launch it and scan your computer for files encrypted by Kharma ransomware;
  • Restore them.

Make use of Windows Previous Versions feature

If System Restore was enabled prior to the infection, the Windows Previous Versions feature might be useful when trying to recover files one by one.

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of available copies of the file in “Folder versions”. You should select the version you want to recover and click “Restore”.

ShadowExplorer might save all your files from destruction

If malware failed to remove Shadow Volume Copies, you can use ShadowExplorer and restore all your files.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and use the drop-down menu in the top left corner to select the disk holding your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

No decryption tool is currently available

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Kharma and other ransomware, use a reputable anti-spyware tool, such as Reimage Cleaner, SpyHunter 5, Combo Cleaner or Malwarebytes.

About the author

Jake Doevan - Computer technology expert


References

