
Dharma Ransomware

Posted: November 17, 2016

Threat Metric

Ranking: 5,734
Threat Level: 10/10
Infected PCs: 61,553
First Seen: November 17, 2016
Last Seen: October 16, 2023
OS(es) Affected: Windows

The Dharma Ransomware is a Trojan that renames and encrypts your files, blocking them until you pay its ransom. Because the Dharma Ransomware may not provide its victims with decryption services, PC owners should try to maintain updated backups on systems that this Trojan can't access. In ideal cases, your anti-malware products should block the Dharma Ransomware and delete it before it can install itself and encode your files.

A Mute File Burglar from the East

The Crysis Ransomware and many of its relatives already bear responsibility for more than a few attacks against both individuals and business networks, but the continuing excavation of new threats shows that they aren't finishing yet. Malware researchers noted similarities with footer information between other CrySiS-based Trojans and the Dharma Ransomware, one of the newest file-encryptor Trojans. Its attacks cause potentially permanent data damage while offering its victims ransom negotiations via e-mail.

Current evidence indicates that the Dharma Ransomware's campaign uses only brute force-based infection vectors, which allow threat actors to 'guess' weak passwords for a network-accessible machine. Although there is documentation of the Dharma Ransomware being able to target hard drives and servers that are network-accessible, this behavior is inconsistent, and some systems may not be affected.

For systems that the Dharma Ransomware does include in its sweep, the Trojan encrypts all files within the Windows users folder and tags them with the '.[email address]dharma' extension. Malware researchers also saw other variations in the Dharma Ransomware's payload, such as sometimes generating a Notepad TXT message on the desktop.

The instructions contain limited information, mostly only redirecting the victim to the previously-mentioned e-mail address for ransoming negotiations. In other cases, the extension is the only 'message' it leaves, requiring you to guess at the threat author's intentions and how to recover your encoded possessions from an uncommunicative Trojan.

Reordering Your PC's Universe According to Personal the Dharma

As derivative as the Dharma Ransomware may be, its payload is efficient at presenting direct damage to both the infected PC and other PCs found through local networking infrastructure. As con artists continue using weak passwords as footholds into business networks, companies should review their password use protocols and remote desktop settings so that they can eliminate any vulnerabilities. While the Crysis Ransomware-compatible decryption tools are available for no charge, malware researchers find the Dharma Ransomware's encryption method incompatible with them.

With luck, the cyber security industry may crack the Dharma Ransomware's encryption algorithm and develop a freeware application for reversing its file damage. Nonetheless, not every Trojan is subject to decryption equally, and keeping backups not vulnerable to attack will give PC users easier ways of recovering any data they've lost.

Many anti-malware products should identify this threat as being a variant of the Crysis Ransomware and be able to remove the Dharma Ransomware during a system scan. However, such protections aren't necessarily helpful for victims who inadvertently give third parties complete access to their home or business networks, essentially inviting a hacker to install and disable whatever software he prefers.

Update November 6th, 2018 — '.tron File Extension' Ransomware

The Dharma Ransomware and its variants continue to be a very prominent threat to the users worldwide, despite a large number of decryption keys that were released by the project’s authors in 2017. One of the newest variants of the Dharma Ransomware is called '.tron File Extension' Ransomware and malware researchers have determined that it is not compatible with any free decryption utilities. This means that if your files fall victim to the '.tron File Extension' Ransomware’s encryption, then their recovery might be a nearly impossible task unless the attackers provide you with a decryption tool and decryption key. However, they are unlikely to do this since their ransom message states that the only way to acquire the key and decryptor is to pay a hefty ransom sum via Bitcoin.

When the '.tron File Extension' Ransomware initializes its attack, it may encrypt a huge variety of files – documents, images, videos, archives, databases, and spreadsheets are just a small fraction of the file types that the '.tron File Extension' Ransomware is meant to encrypt. In addition to this, the '.tron File Extension' Ransomware also will attempt to disable the System Restore service and erase all the Shadow Volume Copies, therefore reducing the efficiency of data recovery software drastically.

All files that the '.tron File Extension' Ransomware locks can be recognized by the 'id-[VICTIM ID].[xtron@cock.li].tron' string that will be appended to their names. The ransom note is dropped on the desktop when the attack is complete, and its contents reveal that the attackers are willing to provide the victim with a decryptor as soon as they receive a certain amount of money via a Bitcoin transaction.

Recovering from the '.tron File Extension' Ransomware’s attack is not easy due to the lack of a free decryptor. The best victims can do is to get rid of the file locker’s files by using a trustworthy anti-virus software suite that will identify and eradicate all corrupted files brought by the ransomware. Unfortunately, this will solve only half of the problem since you will still be left with a large number of encrypted files whose decryption is impossible. The only thing to do with these files is to keep them backed up so that you can use them in case a free decryptor is released.

Update November 5th, 2018 — '.adobe File Extension' Ransomware

The Dharma Ransomware variants have become very common in 2018, and the latest addition to the long list of file-lockers based on the Dharma project is called '.adobe File Extension' Ransomware. As you can probably guess, this ransomware has nothing to do with the software publisher Adobe – it is the product of anonymous cybercriminals who make money by extorting their victims. The extortion happens thanks to the '.adobe File Extension' Ransomware, which is able to encrypt a huge number of files found on the compromised computer swiftly, therefore making it impossible to access their contents. Unfortunately, the '.adobe File Extension' Ransomware uses a secure file-encryption method, which ensures that its victims cannot get their files back for free.

It is likely that the '.adobe File Extension' Ransomware is being propagated with the use of fraudulent emails, which are designed to appear as if they were sent to the victim by a legitimate company or institution. Usually, these emails contain a file attachment, which is said to be important but, in reality, it is a harmful file meant to execute the '.adobe File Extension' Ransomware.

When this ransomware is launched, it will not reveal its activities and presence immediately, therefore giving it a few minutes to complete the attack, which includes:

  • Encrypting a broad range of files – documents, photos, videos, songs, spreadsheets, archives, databases, backups and others.
  • Renaming the locked files by using the extension ‘.id-[VICTIM ID].[badbusiness@tutanota.de].adobe’.
  • Disabling the Windows System Restore.
  • Deleting the Shadow Volume Copies and the System Restore points.
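
The renaming scheme gives responders a quick way to scope an incident from a plain file listing. The Python below is an added example, not code from the original page or from any vendor tool: it parses names of the form '<name>.id-<ID>.[<e-mail>].<extension>', recovers the original file name, and groups hits by variant, contact address and victim ID. The extension set is taken from the variants named on this page; the function names, sample paths, the ID value and the example.* addresses are constructed, and an alphanumeric ID is an assumption.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Second extensions this page attributes to Dharma builds.
KNOWN_EXTENSIONS = {"dharma", "tron", "adobe", "back", "cccmn", "risk", "bkpx", "combo"}
RANSOM_NOTES = {"files encrypted.txt"}  # note name given on this page

# <original>[.id-<ID>].[<contact e-mail>].<extension>
# The ID part is optional because the page also describes a bare
# '.[email address]dharma' form; an alphanumeric ID is an assumption.
LOCKED_NAME = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.id-(?P<victim_id>[0-9A-Za-z]*))?"
    r"\.\[(?P<contact>[^\[\]\s@]+@[^\[\]\s@]+)\]"
    r"\.?(?P<ext>[A-Za-z0-9]+)$"
)


def parse_locked_name(name):
    """Split a renamed file into its parts, or return None if it does not fit."""
    m = LOCKED_NAME.match(name)
    if m is None:
        return None
    ext = m["ext"].lower()
    victim_id = m["victim_id"] or None
    if ext in KNOWN_EXTENSIONS:
        confidence = "known-variant"
    elif victim_id:
        confidence = "unlisted-variant"  # full id/e-mail shape, new extension
    else:
        confidence = "weak-match"        # could be a benign name; review by hand
    return {"original": m["original"], "victim_id": victim_id,
            "contact": m["contact"].lower(), "ext": ext, "confidence": confidence}


def triage(paths):
    """Summarise a file listing: affected files, notes, IDs, contacts, variants."""
    report = {"locked": [], "review": [], "notes": [],
              "by_variant": Counter(), "victim_ids": set(), "contacts": set()}
    for path in paths:
        name = PureWindowsPath(path).name
        if name.lower() in RANSOM_NOTES:
            report["notes"].append(path)
            continue
        hit = parse_locked_name(name)
        if hit is None:
            continue
        if hit["confidence"] == "weak-match":
            report["review"].append(path)
            continue
        report["locked"].append((path, hit["original"]))
        report["by_variant"][hit["ext"]] += 1
        report["contacts"].add(hit["contact"])
        if hit["victim_id"]:
            report["victim_ids"].add(hit["victim_id"])
    return report


# Constructed listing; the ID and the example.* addresses are made up.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.id-1A2B3C4D.[audit@cock.li].risk",
    r"C:\Users\alice\Pictures\cat.jpg.id-1A2B3C4D.[xtron@cock.li].tron",
    r"C:\Users\alice\Documents\plan.docx.[someone@example.com].dharma",
    r"C:\Users\alice\Documents\db.sql.id-1A2B3C4D.[ops@example.org].zzz9",
    r"C:\Users\alice\Documents\notes.[bob@example.com].txt",
    r"C:\Users\alice\Documents\minutes.[draft].txt",
    r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for path, original in result["locked"]:
        print(f"{original!r:15} <- {path}")
    print(dict(result["by_variant"]), result["victim_ids"], result["notes"])
```

More than one victim ID or contact address in a single listing suggests separate infections or builds, which matters when matching files against any decryptor released later.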

Following the advice of the '.adobe File Extension' Ransomware’s authors is a bad idea because they may ask you to send a significant amount of money to their Bitcoin wallet. Naturally, the attackers are anonymous, so there is nothing to stop them from taking the money of their victims without providing them with anything in return.

If you are a victim of the '.adobe File Extension' Ransomware, you should use a trustworthy anti-virus tool to dispose of the corrupted files immediately. However, removing the '.adobe File Extension' Ransomware will solve only half of your problems because you will still need to find a way to get your files back – via backup or 3rd-party data recovery software whose success is questionable.

Update November 11th, 2018 — '.back File Extension' Ransomware

The '.back File Extension' Ransomware is a new version of the Dharma Ransomware, which conducts file-locking attacks using encryption. After blocking your media, the Trojan delivers ransom notes with instructions on buying the criminal's help, although the users should restore from backups, instead, if possible. Anti-malware products can protect your files and PC by uninstalling the '.back File Extension' Ransomware or identifying and halting it during the installation routine.

Former USSR Satellites Turning into Extortion Victims

The modern history of Ransomware-as-a-Service has a close and unique relationship with both Russia and the nations near it, such as Kazakhstan and Armenia. It's the latter country that's the current focus of a campaign by the '.back File Extension' Ransomware, which is a new release for the Dharma Ransomware family. While its infection strategies are likely opportunistic instead of using geo-targeting, this file-locker Trojan shows that no nation, big or small, is out of the RaaS industry's shadow.

The '.back File Extension' Ransomware and other Dharma Ransomware builds, like the '.cccmn File Extension' Ransomware, the icrypt@cock.li Ransomware, the 'paydecryption@qq.com' Ransomware, and the old 'wisperado@india.com' Ransomware, leverage AES and RSA data encryption against the victim's media. This feature searches for and locks content that includes various formats of general use in both business and casual environments for Windows users, especially documents, pictures, and other visual or audio media. As per its name, the locking process also includes appending a second extension and some ransoming details, although this side effect has no direct correlation with the encryption that keeps the files from opening.

The ID and e-mail that are also part of the filenames serve, in conjunction with the 'wisperado@india.com' Ransomware's TXT-formatted ransoming instructions, to promote the threat actor's decryptor. Such services may or may not provide the unlocking assistance that they promise, and victims should be cautious of the risks of fraud, especially when they're trafficking in cryptocurrency or voucher-based transactions.

Getting Back What's Yours without Paying for It

The modern version of the Dharma Ransomware and its original ancestor, the Crysis Ransomware, are secure against any attempts at developing a free decryption program that the public could use effectively instead of paying the ransom. Because decryption is often impossible, you can stop file-locker Trojans from doing damage to your media most easily by saving backups on other devices. Local backup resources, especially Windows defaults like the Shadow Volume Copies, are targeted for removal by these same threats nearly universally.

Although the '.back File Extension' Ransomware's family remains Windows-based, malware researchers haven't narrowed down its possible infection vectors to any single, definite exploit. Threat actors could be breaking into servers by brute-forcing their logins, taking advantage of unsafe RDP and firewall settings, or using exploit kits for compromising PCs through their browsers. However, many anti-malware applications are viable for removing the '.back File Extension' Ransomware and its close relatives, in most cases, before the encryption ever starts.

The '.back File Extension' Ransomware's victims being Armenian may be meaningful data for estimating its favored targets or a statistical anomaly. Hints about the rest of this Trojan campaign's behavior and that of the rest of the Dharma Ransomware family may be appearing around the world, soon.

Update November 30th, 2018 — 'audit@cock.li' Ransomware

The 'audit@cock.li' Ransomware is a new variant of the Dharma Ransomware family, but the only changes it includes are a different file extension to mark the locked files, as well as a different email address for contact. When the 'audit@cock.li' Ransomware completes its attack, it will render a large number of documents, videos, photos, archives, songs and other files inaccessible. In addition to this, the names of the encrypted files will be modified to include the ‘.id-.[audit@cock.li].risk’ extension. Last but not least, the 'audit@cock.li' Ransomware will provide the victim with data recovery instructions by dropping the file ‘FILES ENCRYPTED.txt’.

’All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail audit@cock.li
Write this ID in the title of your message 3A4E114C
In case of no answer in 24 hours write us to theese e-mails:audit@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:

How Can I Buy Bitcoin?


Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.’

The executable file responsible for the 'audit@cock.li' Ransomware’s execution may be spread via fake email messages, which are designed to look as if they were sent by a legitimate company. Often, the email message may urge the user to download a file attachment or an external file that may look safe, but it is meant to execute the 'audit@cock.li' Ransomware and begin the file-encryption attack.

Unfortunately, recovering from the 'audit@cock.li' Ransomware’s attack for free is not possible for the moment due to the secure method used to store the unique encryption key generated for each victim. The operators of the 'audit@cock.li' Ransomware are the only ones in possession of the key in question. Although their ransom message (found in ‘FILES ENCRYPTED.txt’) may tell you that you can obtain the decryption key and decryptor in exchange for a ransom payment, we assure you that you should not trust the perpetrators of the attack. Ransomware operators are certainly not known for their honesty, and it is highly possible that the 'audit@cock.li' Ransomware’s authors might trick you if you pay them. Instead of trying to negotiate with ransomware authors, you should use an up-to-date PC security tool to eliminate the harmful files immediately, and then look into alternative file restoration options.

Update December 5th, 2018 — 'admin@decryption.biz' Ransomware

The Dharma Ransomware’s popularity in the last months of 2018 does not appear to be dying out, and malware researchers continue to identify new file-lockers that are based on the Dharma Ransomware code. The latest member of the Dharma family is called 'admin@decryption.biz' Ransomware, and it uses the same old file-encryption algorithm, which may be impossible to decipher currently. The only people able to recover files locked by the 'admin@decryption.biz' Ransomware may be the authors of the ransomware but, unfortunately, they are not willing to do this for free.

When this file-encryption Trojan is initialized, it may encrypt the contents of images, videos, documents, archives, spreadsheets, and many other file formats immediately. All the locked files may have the ‘.id-.[admin@decryption.biz].bkpx’ extension added to their names. Last but not least, the 'admin@decryption.biz' Ransomware will provide the victims with a detailed ransom note, which explains the situation and urges the victim to contact the attackers and complete the ransom payment.

The bad news is that recovering from the 'admin@decryption.biz' Ransomware’s attack is nearly impossible unless you have a backup copy of all your data. Contacting the attackers is not recommended because they may trick you easily even if you meet all their demands. If you are a victim of the 'admin@decryption.biz' Ransomware, then we advise you to ignore the demands of the attackers, because it is way too easy for them to lure you out of your money. You should rely on a reputable anti-virus product to get rid of the 'admin@decryption.biz' Ransomware, and then you should look into alternative data recovery options.

Update December 14th, 2018 — 'skynet45@tutanota.com' Ransomware

The 'skynet45@tutanota.com' Ransomware file-locker has been identified as a member of the Dharma Ransomware family and, sadly, this means that it is not compatible with free decryption utilities. Some of the oldest Dharma variants can be decrypted for free, but this is not the case with recent updates like this one, and we would advise the victims of the 'skynet45@tutanota.com' Ransomware to look for alternative data recovery options.

It is likely that the harmful file that brings the 'skynet45@tutanota.com' Ransomware is being distributed via fake e-mail messages that try to lure the users into downloading a file attachment that has been dressed up as an important and harmless document. Unfortunately, the users who fall for this trick may end up compromising their computer’s safety and start the 'skynet45@tutanota.com' Ransomware unknowingly. This process may lead to the loss of many files since this file-encryption Trojan is programmed to encrypt the contents of images, documents, videos, archives, spreadsheets, presentations, Adobe files, and many other commonly used file types. The victims of the 'skynet45@tutanota.com' Ransomware will have no trouble recognizing the encrypted files because the Ransomware will add the ‘.combo’ extension to their names.

The last stage of the 'skynet45@tutanota.com' Ransomware’s attack leaves the ransom note ‘FILES ENCRYPTED.txt’, which contains file decryption instructions and payment details. Unfortunately, the crooks behind the 'skynet45@tutanota.com' Ransomware project demand a hefty ransom payment in exchange for their services. However, you should not consider accepting their offer because it would be child’s play for them to take your money, but you will not get a decryption service.

If you think that the 'skynet45@tutanota.com' Ransomware has taken your files hostage, then run an anti-virus program to identify and eradicate the harmful files immediately. When this is done, you should recover the locked files from a backup or look for alternative data recovery options if you do not have a backup copy of the files.

Technical Details

File System Modifications


The following files were created in the system:



