Dharma 2017 Ransomware

The Dharma 2017 Ransomware is an updated version of the Dharma Ransomware, which is, in turn, a derivative of the Crysis Ransomware. These Trojans encrypt your files to block them so that you're forced to pay a ransom to use their decryption software, and include symptoms such as text-based ransoming notes and changes to the names and extensions of your media. Backups and freeware decryptors can assist with recovering any blocked media, and anti-malware software always should be used for removing the Dharma 2017 Ransomware safely.

Your Monthly, Multinational Dharma Ransomware Update

New versions of the Dharma Ransomware branch of the Crysis Ransomware's family are continuing to be active threats trying to encrypt files for quick money throughout the world. One of the latest spikes in activity among this sub-family, the Dharma 2017 Ransomware, is using the '.cesar' extension for its brand identity. Like similar attacks, a Dharma 2017 Ransomware infection places all local media on the PC at risk of being corrupted by its cipher permanently.

The Dharma 2017 Ransomware is circulating through a global campaign targeting multiple countries and continents, as has been the case with past versions of the Dharma Ransomware. It uses an encryption algorithm to encode content such as documents, pictures, and other media and shows no visible symptoms while scanning for files to lock. The Dharma 2017 Ransomware adds a new extension to everything it locks ('.cesar') and also may insert an e-mail address for contacting its admin. These attacks may affect network-mapped drives, as well as local ones.

Malware experts aren't able to confirm any notable changes in the ransom note-related components of the Dharma 2017 Ransomware, which uses Bitcoin-based payments. Since this cryptocurrency requires consent from both sides of the transaction for refunding, any victims who take this method of file recovery also are accepting the risk of paying without getting the decryptor.

Updating Your Security Solutions against Updated Trojans

The Dharma 2017 Ransomware may be circulating through brute-force attacks that crack network logins, which is a tactic of this family verified previously. Malware experts see frequent reports of attacks in Europe especially, although the Dharma 2017 Ransomware infection attempts also are traceable throughout North America, the Middle East and India. Using passwords confirming to basic security standards (multiple cases, combinations of numbers and letters, etc.) can reduce, if not remove completely, the risk of a remote attack brute-forcing their way into a network.

For recovering any blocked content, malware experts always endorse having backups to alleviate any requirement for decrypting a file-blocking Trojan's cipher. However, if they're unavailable, the Dharma 2017 Ransomware does belong to a family of threats with compatible, freeware decryptors, such as the RakhniDecryptor. Copy files before testing them with third-party decoding tools and contact appropriate anti-malware researchers, if necessary, for any in-depth assistance.

Although remote attackers dropping the Dharma 2017 Ransomware during a manual attack could disable any security software, such products can protect your media from other infection methods, such as spam e-mail attachments. Always use anti-malware programs for removing the Dharma 2017 Ransomware and determining the potential presence of other threatening software, such as backdoor Trojans, that a threat actor might install along with it.

As long as companies' and individuals' best security practices stagnate, con artists see little need to update their strategies for compromising PCs. The characters in your password may be inconvenient to remember, but also could be the best defense between your files and the Dharma 2017 Ransomware's encryption.

Update November 28th, 2018 — 'cyberwars@qq.com' Ransomware

A brand-new variant of the Dharma ransomware has been spotted in the wild. Malware researchers isolated a sample of the new Dharma offshoot and are calling it the 'cyberwars@qq.com' Ransomware", as per the encrypted filenames. The new version of Dharma dumps a concise ransom note on the victim’s hard drive and calls it FILES ENCRYPTED.txt. The ransom text is as follows:

"all your data has been locked us
You want to return?
write email cyberwars at qq.com"

The encrypted files appear to receive some new extensions, including a randomly generated numeric ID, cyberwars at qq.com in angle brackets and .war, appended right at the end. There is very little information about any other meaningful differences between this new variant and the older versions of the Dharma ransomware at this point.

Update November 30th, 2018 — 'parambingobam@cock.li' Ransomware

The Dharma Ransomware’s recent popularity does not appear to be dying down, and malware researchers keep on stumbling upon new Dharma Ransomware variants that use the same encryption algorithm. The latest member of the Dharma family has been dubbed ‘parambingobam@cock.li' Ransomware; This file-locker always uses the ‘.adobe’ extension to mark the locked files, but security researchers have identified several samples, which appear to use different email addresses for contact - parambingobam@cock.li, bufytufylala@tuta.io, and mercarinotitia@qq.com. Regardless of the e-mail address used, the files locked by the ransomware will always have the following extension applied to their names– .id-.[EMAIL].adobe.’

The operators of the ‘parambingobam@cock.li' Ransomware may rely on spam emails to propagate their harmful application, but they also might opt to explore other malware propagation channels like pirated software and media, or fake downloads published on various torrent trackers or other peer-to-peer sharing platforms. If a victim ends up downloading and launching the ‘parambingobam@cock.li' Ransomware, they might not see the consequences of this file-locker destructive behavior immediately. This is because the ‘parambingobam@cock.li' Ransomware usually works in the background before it reveals its presence by providing the victim with a ransom note. After the ‘parambingobam@cock.li' Ransomware has been launched, it may need just a few minutes to complete its attack and leave the victim with a massive collection of encrypted documents, photos, videos, songs, archives, database and other files.

When the ‘parambingobam@cock.li' Ransomware’s attack is complete, the file-encryption Trojan will always drop the file ‘FILES ENCRYPTED.txt’ that is meant to provide the victim with data recovery instructions. Unfortunately, the solution offered by the authors of the ‘parambingobam@cock.li' Ransomware is not one you can use – they might demand a significant amount of money in exchange for their decryption service, and we assure you that sending money to anonymous cybercriminals is a thing you should not even consider doing.

Unfortunately, the ‘parambingobam@cock.li' Ransomware is not a decryptable file-locker, and its victims will not be capable of relying on a free decryptor to save their files. Instead, their best option would be to eliminate the ‘parambingobam@cock.li' Ransomware with the help of an updated anti-virus program, and then try out various 3rd-party data recovery utilities.

Technical Details