
Dharma Ransomware

  • Are you a Dharma Ransomware victim?

  • Do you need to recover from a Dharma Ransomware Attack?

  • What can you do when Dharma Virus encrypts your files?

  • How can you avoid a Dharma Ransomware attack?

Dharma Ransomware Profile

Dharma Virus Background

Dharma Ransomware is a cryptovirus first released in 2016. It encrypts users’ files and demands a ransom in exchange for a decryption key. It is mainly a threat to small and medium-sized enterprises, and it has infected many computers around the world.

More specifically, it first appeared in November 2016 under the name CrySiS. After its main decryption keys were leaked on the internet, it reappeared two weeks later under the name Dharma. Since 2016, at least 30 variants of Dharma Ransomware have appeared.

It continued to be renewed during 2019. Its latest file extensions are:
.gif, .AUF, .USA, .xwx, .best, .heets, .DEX, .YOUF, .SWP, .Cvc, .World, .NWA, .ETH, .com., .eth, .bip, .cezar, .cesar.

Moreover, the extensive remote work caused by the Covid-19 pandemic in 2020 was an opportunity for hackers, who found more vulnerable RDPs to attack.

In June 2020, new variants of Dharma ransomware appeared. The most frequently seen extensions were: .base, .R3f5s, .bad, .HCK, .hlpp, .FRM, .WCH, .club, .PGP, .well, .space, .BOMBO.

Similarly, since mid-July 2020, new extensions of the same kind have been released: .data, .smpl, .felix, .null, .gns, .bmtf, .nhlp, .prnds, .dtbc, .BOOT, .GYGA, .$love and .LOL.

In conclusion, as Dharma constantly reappears with new faces, end users should be careful with spam emails and malicious download links.

Dharma Footprint

If an attack does succeed, this cryptovirus encrypts a company’s files using AES-256 encryption. Before the encryption, CrySiS deletes all the Windows shadow copies (restore points) by running the “vssadmin delete shadows /all /quiet” command.
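The shadow-copy deletion just described is one of the few pre-encryption actions a defender can alert on. The following detection rule and the process-creation events it runs over are an added example, not code from this page or from Tictac; the events are constructed in a simplified Windows 4688 / Sysmon style, and host and user names are made up.

```python
import re

# Constructed sample process-creation events (simplified Windows 4688 / Sysmon 1 fields)
SAMPLE_EVENTS = [
    {"host": "FS01", "user": r"CORP\svc_backup", "cmd": r'"C:\Windows\System32\vssadmin.exe" list shadows'},
    {"host": "WS17", "user": r"CORP\jdoe", "cmd": r"vssadmin delete shadows /all /quiet"},
    {"host": "WS17", "user": r"CORP\jdoe", "cmd": r"C:\Windows\System32\VSSADMIN.EXE  Delete  Shadows  /All  /Quiet"},
    {"host": "WS22", "user": r"CORP\jdoe", "cmd": r"notepad.exe C:\Users\jdoe\Desktop\info.hta"},
]

# Matches vssadmin(.exe) invoked to delete shadows regardless of path, quoting, case
# or extra whitespace; "list shadows" (normal administrative use) does not match.
SHADOW_DELETE = re.compile(
    r'(?i)(?:^|[\\/"\s])vssadmin(?:\.exe)?"?\s+delete\s+shadows\b(?P<args>.*)$'
)


def classify_cmdline(cmdline):
    """Return None, or a dict describing which shadow copies the command deletes."""
    m = SHADOW_DELETE.search(cmdline)
    if not m:
        return None
    args = m.group("args").lower().split()
    return {
        "all_copies": "/all" in args,   # every shadow copy on every volume
        "quiet": "/quiet" in args,      # suppresses the confirmation prompt
    }


def detect(events):
    """Run the rule over events and return findings with a severity for an alert pipeline."""
    findings = []
    for ev in events:
        hit = classify_cmdline(ev["cmd"])
        if hit is None:
            continue
        # Deleting all copies silently is exactly the pre-encryption command quoted above
        severity = "critical" if hit["all_copies"] and hit["quiet"] else "high"
        findings.append({"host": ev["host"], "user": ev["user"],
                         "severity": severity, **hit})
    return findings


def hosts_to_isolate(findings):
    """Hosts with a critical finding: candidates for immediate network isolation."""
    return sorted({f["host"] for f in findings if f["severity"] == "critical"})
```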

In particular, Dharma (CrySiS) usually leaves ransom notes with names such as:

  • README.txt, README.jpg
  • Your personal data are encrypted!.txt
  • Files encrypted!!.txt
  • info.hta

Any file encrypted with Dharma (CrySiS) ransomware has an identifier of the form id-<8 random hex characters>.[<email>], followed by one of many different extensions, appended to the end of the encrypted file’s name.

That is, they will usually display the following pattern:
filename.doc.id-[alphanumeric identifier].[hacker@email.com].[dharma variant file extension]

The alphanumeric ID is a kind of index that lets the hacker tell apart the machines that were encrypted. Here are some examples:

  • .id-A04EBFC2.[bitcoin143@india.com].dharma
  • .id-480EB957.[m.subzero@aol.com].wallet
  • .id-5FF23AFB.[Asmodeum_daemonium@aol.com].onion
  • .id-504ADFDD.[admin@stex777.com].money
  • .id-24C40586.[decrypt@files.mn].Roger
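Because the victim ID identifies an infected machine and the email identifies the actor, parsing this naming pattern turns a file listing into an incident summary. The parser below is an added example, not the page’s own tooling; the sample listing is constructed (the IDs and emails are reused from the examples above, the original file names are invented), and the note names and decryptable extensions are the ones listed on this page.

```python
import re
from collections import defaultdict

# Naming pattern described above: <original>.id-<8 hex chars>.[<attacker email>].<variant extension>
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]\.(?P<ext>[^.\s]+)$"
)
# Ransom-note file names and pre-2017 decryptable extensions listed on this page
RANSOM_NOTE_NAMES = {"readme.txt", "readme.jpg", "your personal data are encrypted!.txt",
                     "files encrypted!!.txt", "info.hta"}
DECRYPTABLE_EXTS = {"dharma", "wallet", "onion", "cesar", "bip"}


def classify(filename):
    """Return ('note', None), ('encrypted', info) or (None, None) for one file name."""
    if filename.lower() in RANSOM_NOTE_NAMES:
        return "note", None
    m = ENCRYPTED_NAME.match(filename)
    if not m:
        return None, None
    info = m.groupdict()
    info["victim_id"] = info["victim_id"].upper()   # hex id: normalise case
    info["email"] = info["email"].lower()
    info["decryptable_variant"] = info["ext"].lower() in DECRYPTABLE_EXTS
    return "encrypted", info


def triage(filenames):
    """Group encrypted files by (victim id, email): one infected host / actor pair per group."""
    notes, groups = [], defaultdict(list)
    for name in filenames:
        kind, info = classify(name)
        if kind == "note":
            notes.append(name)
        elif kind == "encrypted":
            groups[(info["victim_id"], info["email"])].append(info)
    return {"notes": notes, "groups": dict(groups)}


# Constructed sample listing (not real victim data); ids and emails are the page's examples
SAMPLE_LISTING = [
    "budget.xlsx.id-A04EBFC2.[bitcoin143@india.com].dharma",
    "archive.tar.gz.id-A04EBFC2.[bitcoin143@india.com].dharma",
    "notes.txt.id-24C40586.[decrypt@files.mn].Roger",
    "photo.jpg.id-24c40586.[Decrypt@files.mn].$love",
    "info.hta",
    "FILES ENCRYPTED!!.txt",
    "report.docx",  # untouched file, must be ignored
]
```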

Dharma Virus’ Basic Characteristics

Ransomware characteristics: file extensions, list of emails, known scammers

Which directories does Dharma ransomware target?

Dharma Ransomware attacks the following directories:

  • %UserProfile%\Desktop
  • %UserProfile%\Downloads
  • %UserProfile%\Documents
  • %UserProfile%\Pictures
  • %UserProfile%\Music
  • %UserProfile%\Videos

How do I know if my company is a Dharma Virus victim?

  • Computers are running too slowly
  • Cannot use anti-virus
  • File extensions change
  • The desktop has suddenly changed
  • A screen message appears, giving information about the encryption of the files and the ransom demanded
  • The CPU is fully utilised while files and applications are being encrypted

Most common Dharma ransomware methods

Dharma ransomware attack path

Dharma hackers collect files through a Trojan, then encrypt them and send them to a remote C2 server. The malware is delivered through vulnerable RDP services exposed on TCP port 3389. In other RDP-based attacks, Dharma Virus uninstalls every security product before running the encryption routine. The hacker may also try to gain administrator privileges in order to be able to encrypt more files.

In particular, once Dharma Ransomware encrypts a file, it is no longer readable by the victim’s applications until it is decrypted. Decryption is possible only with the necessary decryption key, and only the attacker can provide it, after the victim has paid the ransom.

Clearly, each attack leaves room for improvisation, although in general the process from encryption to decryption is the same.

To sum up, organisations that allow employees or vendors to remotely access their networks are at serious risk of being attacked by Dharma Ransomware. The danger is higher if companies do not follow the necessary security policies.

Dharma Ransomware Notes

The Dharma ransomware operator usually asks for a ransom through a note that appears on the screen, either as a simple text note or as a colourful message; sometimes there is no note at all.

Colorful Screen Note

Hackers usually choose the colorful note, which is divided into 4 sections.

In the first section, the victim is informed that their files are no longer accessible because they have been encrypted. The victim is then instructed to email the given address with the unique ID in the subject of the message; this is how the threat actor identifies the victim.

Secondly, the attackers try to convince victims that they will provide a decryption key if the ransom is paid. Specifically, they do this by decrypting a random file as proof that they hold the tool needed to decrypt all files.

In the third section, the hackers tell the company how to obtain cryptocurrency to pay the ransom. They choose the fastest routes, which allow the victim to create an account directly, without delay.

Last but not least, the hackers give the company recommendations for avoiding some common traps. They may advise not to rename the files in an attempt to save them.

Indeed, renaming files does not decrypt them. They may also suggest not using third-party software to decrypt, because the files may be permanently lost. Finally, they recommend not trusting third parties to decrypt the files; in such a case, costs go up further, as companies offering decryption software take advantage of the predicament of the Dharma victim.

No Dharma Note

However, there may be no ransom note at all. This can happen either because the attacker forgot to leave a note, or because the note was left somewhere it cannot be found. In such a case, the organisation identifies Dharma through the file extensions.

A summary of Dharma cyber status

What ransom is asked?

Dharma hackers usually demand a lower ransom than the market average. Specifically, in December 2019 the average Dharma ransom demand was only $8,620, while the overall average was $191,000.

In the third quarter of 2020, the average ransom payment fell even further, to $6,683. This is because Dharma Ransomware usually targets small and medium-sized enterprises.

Which is the time-frame of a Dharma incident?

The average time from the launch to the settlement of a Dharma ransomware attack is longer than usual, because negotiations with the hackers are conducted by email.

However, since this cryptovirus family targets small networks, the recovery period after such an attack is shorter than average, because small networks can be restored faster than large ones.

In any case, the company’s main objective is to recover immediately and to be operational and productive again as quickly as possible. Delays are therefore avoided when a company turns to experts.

Are my files decrypted if I pay the ransom?

No one can guarantee that the hacker will hand over the decryption tools after the ransom is paid. This shows how crucial good communication and secure negotiation with the attackers are.

Most used attack methods

Hackers focus on poorly protected RDP (Remote Desktop Protocol) connections. However, phishing emails and the exploitation of security vulnerabilities are also very common.

What should I do if my files are encrypted by Dharma Ransomware?

How to remove Dharma Ransomware executable files?

Cybersecurity analysts recommend completely formatting every affected encrypted machine. In this way both the ransomware executable and any other malware are removed. The ransomware executable is usually easy to identify and remove with anti-virus; the malware that assisted the ransomware, on the other hand, is difficult to detect.

How to use the Dharma ransomware decryption tool?

If an organisation that is a victim of Dharma ransomware chooses to pay the ransom, it will be given the appropriate tools to decrypt the files. Applying them is a complex process.

How can we prevent this from happening again?

Preventive Steps

There are some common security misconfigurations that lead to a ransomware attack. Tictac can share some tips to prevent future attacks and encourages companies to conduct a full security assessment as soon as possible. Continuous investment in security is surely the best antidote to future attacks.

In particular, cybersecurity analysts recommend keeping offline backups, so that files can be retrieved without paying ransoms.

Moreover, attention must also be paid to how computer users handle e-mail messages, as phishing mail is a common delivery method of Dharma ransomware attacks.

Prevention is therefore important, as it is difficult for an attacked organisation to decrypt its files without paying a ransom. There is no method of decrypting the newer variants of Dharma ransomware; only some pre-2017 variants, such as .dharma, .wallet, .onion, .cesar and .bip, are decryptable.

Manage access

As mentioned above, an organisation should ensure that Remote Desktop Services are properly locked down. Computers should be reachable through a VPN rather than connected directly to the internet, and only employees with a VPN account on the network should have access to them.

In addition to file backups, computer users must have a security program installed on their computers to monitor their devices and detect threats. It is very important that users make proper use of the internet and are careful when downloading files and opening attachments from third parties. Moreover, employees should download applications and their updates only from official sources.

Users can also scan attachments, or simply ignore them. It is also good practice to use unique, strong passwords for different sites. Even free decryption tools should be scanned.

Furthermore, Network Level Authentication (NLA) offers an additional layer of authentication for RDP. Multi-factor authentication should also be enabled.

Changing the default RDP port is crucial: port scanners looking for the default open RDP port will not find it.

Finally, it is very important that systems are fully up to date.

Without any doubt, the continuous training of employees in cybersecurity threats is really necessary.

Dharma Virus Recovery Experts

Tictac has great experience in negotiating with hackers.

Since there are generally no free decryption keys for most Dharma variants, do not hesitate to send us a sample of an encrypted file so that we can check it.

Free ransomware rating

To provide you with a free ransomware rating, we need some details from you, e.g. the ransom note, a sample encrypted file, and information about your company’s annual budget. Using our database, we will provide you with information about the severity of the attack and the decryption options.

  • The type of ransomware will be determined
  • We’ll look for free decryption tools
  • We’ll identify the threat actor.

24×7 Support and response to ransomware incident

Our company has extensive experience in communicating with hackers. In each such incident our objectives are:

  • Secure negotiations
  • Prevention services
  • Transparent communications
  • Identification of risks and outcomes
  • Decrypt files and recovery support
  • Support the process of decrypting/retrieving data.
  • Professional IT support
  • Post-incident monitoring and support

Contact us now for help in recovering from a Dharma Ransomware Attack.