Dharma ransomware encrypts files and marks them using .C1024, .ver, ,c0v, .CLEAN, .TOR extensionsThe list of known DHARMA ransomware variants (extensions + e-mails list)Threat SummaryDHARMA ransomware modus operandi overview (encryption explained)Amount of money demanded to unlock dataCrySis ransomware spread sourcesAttackers use an imitation of ESET AV Remover to distribute .ETH file extension virusDharma ransomware removal and decryption process explained
The Dharma ransomware family has been attacking computer users worldwide since its first appearance in 2016. The virus mainly targets Windows systems. This ransomware is known to be sold as as a toolkit on the dark web. In other words, it uses ransomware-as-a-service (RaaS) model, which enables even low-skilled cybercriminals to join its distribution. The affiliates can purchase the toolkit which allows limited customisations to the malware. As it is usual in RaaS schemes, the criminal can customise the ransom note content, contact email addresses and file extension used in the attacks. This explains why there is a countless number of Dharma/CrySiS ransomware versions and so many different extension/email address combinations.
The list of known DHARMA ransomware variants (extensions + e-mails list)
The latest spotted Dharma variant is using .C1024 extension. As mentioned previously, this file-encrypting virus family is exceptionally large since the ransomware is offered as a toolkit for cybercriminals in the dark web forums. It means that anyone can purchase the toolkit and release new variants every day or even a few times per day. Our team tracks the new releases and updates this list frequently. Here is the list of the latest ransomware file extension/email combinations used in attacks: .SMPL (crimecrypt@aol.com, crimecrypt@airmail.cc), .GNS (geniusid@protonmail.ch), .felix (felix@countermail.com), .null (nullcipher@cock.li), .prnds (prndssdnrp@mail.fr), .bmtf (dfgkbtprz@aol.com), .gyga (gygabot@cock.li), .NHLP (newhelper@protonmail.ch), .HOW (how_decrypt@aol.com), .lxhlp (lxhlp@protonmail.com), .bad (ucos2@elude.in, .r3f5s (r3ad4@aol.com, .HCK (cavefat@tuta.io), .hack (mr.hackpr0@aol.com), .pgp (openpgp@foxmail.com), .dr (dr.decrypt@aol.com), .hlpp (hlpp@protonmail.ch), .club (admin@stelsdatas.com), .wch (wecanhelpu@tuta.io), .FRM (hitsbtc@tuta.io), .ONE (onepconebtc@protonmail.com), .BOMBO (Bit_decrypt@protonmail.com), .space (Mail@qbmail.biz), .BANG (gangflsbang@protonmail.ch), .PHP (decspeed@tutanota.com), .0day0 (day_0@aol.com), .love$ (im.online@aol.com), .dec (de_cryption@tuta.io), .2020 (btckeys@aol.com), .C-VIR (coronavirus@foxmail.com), .LX (help.crypt@aol.com), .IPM (Decoding@qbmail.biz), .Mark (mark_white@mail.ua), .GTF (grandtheftfiles@aol.com), .rxx (back_data@foxmail.com), .PLEX (dryidik@tutanota.com), .NcOv (ncov2020@aol.com), .PAY (decrypt@qbmail.biz), .self (black@gytmail.com), .ncov (coronavirus@qq.com), .Z9 (help.me24@protonmail.com), .LIVE (cryptlive@aol.com), .WHY (mr.crypteur@protonmail.com), .asd (asdbtc@aol.com), .ROGER (backdata.company@aol.com), .SySS (syspentest@aol.com), .ninja (ninja777@cock.li), .kr (blablacar@airmail.cc), .rsa (rsacrypt@aol.com), .VIRUS (amandacerny89@aol.com), .asus (databack@qbmail.biz), .xda (fullrestore@qq.com), one (back_me@foxmail.com), .wiki (bitlocker@foxmail.com), .bot (nmode@tutanota.com), .oo7 (b1tc01n@aol.com), .KRAB (Blackmax@tutanota.com), .harma (ban.out@foxmail.com), data (data@recovery.sx), .smpl (crimecrypt@aol.com), .HAT (Zagrec@protonmail.com), .LOG (Logan8833@aol.com), .xati (xatixxatix@mail.fr), .GET (getscoin2@protonmail.com), .blm (blacklivesmatter@qq.com), .zphs (zphc@cock.li), .lina (linajamser@aol.com), .arrow (biashabtc@redchan.it), .flyu (yourfiles1@tutanota.com), .fresh (freshkart@420blaze.it), .dme (decrypttme@airmail.cc), .DC (dc1@imap.cc, dc2@imap.cc), .deeep (JimThompson@ctemplar.com), .ver (quacksalver@onionmail.org, quacksalver@msgsafe.io), .nmc (nomanscrypt@tuta.io, nomanscrypt@onionmail.org), .c0v (c0v1d19@job4u.com, cov191d@job4u.com), .TOR (todecrypt@disroot.org, todecrypt@onionmail.org), .ZEUS (Zeus1@msgsafe.io, Zeus@zimbabwe.su), .CLEAN (clean@onionmail.org, clean@privyinternet.com), .PARTY (partydog@msgsafe.io, partydog@onionmail.org), .cnc (cryptoncrypt@tuta.io, cryptoncrypt@onionmail.com), .rdp(rdphack@onionmail.org, freelurk@aol.com), .root(getdecrypt@disroot.org, baron38@webmeetme.com), .eye (eye@onionmail.org, 1337@onionmail.org), .bdev(bad_dev@tuta.io, bad.dev@onionmail.org) .HPJ(hpjar@keemail.me, hpjar@protonmail.ch), .2122(2021@onionmail.org, 2022@onionmail.org), .ctpl (catapultacrypt@tuta.io, catapultacrypt@cock.li), .4o4 (godecrypt@onionmail.org, godecrypt@tfwno.gf), .bqd2 (badhach@aol.com, badhach2@aol.com), .liz (lizardcrypt@tuta.io, lizardcrypt@protonmail.com), .pirat (brokendig@zimbabwe.su), .LAO (filerecovery@zimbabwe.su), .duk (dokulus@tutanota.com, dokulus2@firemail.cc), .eofyd (filerecovery@zimbabwe.su), .biden (biden@cock.li, biden@tuta.io), .ROG (embog@firemail.cc, attuneabbot@goat.si), .jessy (jessymail26@aol.com, jessymail26@tuta.io), .urs (necurs@aol.com, necgusi@aol.com), .ORAL (oral@tuta.io, oral@msgsafe.io), .clman (coleman2021@aol.com, coleman2021@airmail.cc), .four (lizardcrypt@msgsafe.io, lizardcrypt@tuta.io), .pauq (carbanak@aol.com, buhtrap@aol.com), .LOTUS (paymei@cock.li, paymei@tuta.io, paymei2@msgsafe.io), .word (vm1iqzi@aol.com, twovm1iqzi@aol.com), .text (helpdecrypt@msgsafe.io), .con30 (con3003@msgsafe.io), .wcg (btc11@gmx.com, sorysorysory@cock.li), .TomLe (TomLee240@aol.com, TomLee24@tuta.io), .22btc (22btc@tuta.io, 21btc@cock.li), .crypt (decrypt@msgsafe.io, decrypt@zimbabwe.su, wannacry@msgsafe.io, wannacry@mailbox.org, mail@zimbabwe.su, keydecrypt@cock.li), .Avaad (Avaaddams@msgsafe.io, Freaker@msgsafe.io), .dis (decrypt@disroot.org, decrypt@disroot.org), .14x (axitrun@cock.li, axitrun@tutanota.com), .aol (astra2eneca@aol.com, bluekeep@aol.com), .hub (crypthub@tuta.io, crypthub@cock.li), .4help (hlper4y@tutanota.com, hlper4y@cock.li), .gac (getacrypt@tuta.io, getacrypt@airmail.cc), .21btc (21btc@cock.li, 21btc@tuta.io), .DT (datos@onionmail.org, datos@msgsafe.io), .dance (cryptodancer@onionmail.org, cryptodancer@msgsafe.io), .C1024 (code1024@keemail.me) and many others. If you have been infected with one of the listed variants, we recommend that you remove Dharma ransomware virus without a delay. To clean all remaining malicious components of the ransomware, consider using a robust solution like INTEGO Antivirus. It scores excellent ratings in independent AV Test labs and provides real-time protection for your computer. Additionally, downloading RESTORO for virus damage on Windows OS files repair can be a good option.
Threat Summary
REPAIR VIRUS DAMAGE
DHARMA ransomware modus operandi overview (encryption explained)
In case the ransomware attacks through RDP ports, it uninstalls available antivirus software from the PC first. Once launched on the target system, Dharma/Crysis ransomware roots into the system by creating registry values. The virus the uses RC4 encryption algorithm (using RC4 key size of 128 bytes) to decrypt strings with the names of its functions. Once decrypted, the virus gets access to addresses of imported functions at the time of runtime linking. The virus also decrypts strings required for malicious code execution. The malware places its executable to Windows %System% folder and assigns it to run automatically during the system boot. Next, the ransomware ensures that only one instance of it can run at the same time. It also disables several database services on the target system, and, if found active, stops various database-related processes, such as mysqld.exe or outlook.exe. The ransomware then runs Command Prompt and deletes Volume Shadow Copies from the system using vssadmin delete shadows / all / quiet command. This prevents the victim from using existing System Restore Points. The ransomware uses four threats to encrypt all files on the compromised system. It also attempts to detect connected network resources and encrypt files on them. Then it begins encrypting victim’s files with an asymmetric encryption using AES-256 in CBC mode and then secures the AES key with a master public RSA-1024 key. The virus’ algorithm is set to encrypt almost all file types, excluding files essential for operating system to function and also files associated with the ransomware itself (such as ransom notes and info.hta file). You can see a screenshot of files encrypted with a variant of this ransomware down below. The only possible data restoration opportunity is restoring from data backups stored on physically detached storage devices. Unfortunately, not many computer users tend to create these on a regular basis. Once the encryption is complete, CrySis virus sends some data about the victim to its Command&Control server. Such data includes victim’s PC name along with examples of different file formats from encrypted device. The ransomware also drops ransom-demanding notes in every scanned folder. These notes may be named info.txt, FILES ENCRYPTED or MANUAL.txt. See a screenshot of info.txt file (dropped by C1024 ransomware variant) below. An example of FILES ENCRYPTED.txt ransom note (left by FRESH ransomware variant) is presented below. You can also see example of ransom note called MANUAL.txt (dropped by NOV ransomware variant) down below. Some examples of info.hta note design displayed by different Dharma/CrySiS ransomware versions: REPAIR VIRUS DAMAGE
Amount of money demanded to unlock data
Once Dharma virus successfully encrypts all valuable information on the targeted system, it drops a ransom message for the victim. The note contains two email addresses (different for each version). The malware operators are known to demand 1 Bitcoin per infected computer, although bigger companies often have to may much more for data decryption on all network computers. However, cyber security experts often do not recommend paying the ransom because Dharma developers are not the most trustworthy ones when it comes to fulfilling their part of agreement after the victim pays the ransom. In some cases, they failed to provide decryption tools even after receiving the payment. Therefore, we do not recommend paying the ransom due to this reason and also because paying up means supporting such ransomware business model. Speaking of free data decryption, current variants can’t be decrypted using any third-party tools. However, older variants can be decrypted using free decryption tools such as Rakhni Decryptor by Kaspersky Lab (usage guide) or Trend Micro Ransomware Decryptor (usage guidelines).
CrySis ransomware spread sources
Almost all variants of the Dharma virus aka CrySIS ransomware are distributed via malicious spam email campaigns. The traditional infection cycle goes like this – the victim receives a deceptive email that contains attachments with double extensions. Once downloaded and opened, the malicious attachment drops the file-encrypting payload on the computer system. The ransomware travels in various forms. For example, it can arrive disguised as a legitimate program, such as antivirus or another application. The main infection vector remains Remote Desktop Protocol data that is weak enough to be hacked or simply leaked online. The ransomware can be installed by a human attacker by using brute-force attacks on 3389 port. This method is also used in Nemty and Phobos ransomware attacks.
Attackers use an imitation of ESET AV Remover to distribute .ETH file extension virus
Security researchers have spotted a slightly different distribution technique to spread Dharma’s .ETH virus variant. Cybercriminals created malicious spam e-mails that resemble Microsoft corporation’s warnings stating that victims’ computers are infected and they must download a malware removal tool immediately. They use ESET AV Remover as a disguise to infiltrate ransomware. The link incorporated in the email downloads a password-protected Defender.exe archive that can be extracted by entering the password indicated in the email. It drops two files — Defender_nt32_enu.exe and taskhost.exe. One is an outdated ESET antivirus installer and another is used to automatically start data encryption without computer user’s consent. The self-running ransomware executable is placed in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ directory. Furthermore, crooks try to disguise the file-encrypting virus executable by drawing attention to the other files. Both Defender.exe and Defender_nt32_enu.exe have a legitimate Windows Defender’s logo even though one is an archive and another is an installer. Keep in mind that the ESET AV Remover installer is legitimate and does not harm your computer. Yet, all the malicious work is done by the taskhost.exe file that is responsible for the encryption process.
Dharma ransomware removal and decryption process explained
Dharma ransomware removal should be completed using a strong security solution. The victim, however, should first start the computer in Safe Mode, which is a safe environment used to remove all kinds of malware from the system. One of the best antivirus solutions to remove such kind of malware is INTEGO Antivirus. You can read its review here. Additionally, we strongly recommend downloading RESTORO for virus damage repair on the system. Once you remove Dharma ransomware completely, you can connect your data backup to the computer and transfer files from your data backup to your computer. As mentioned earlier, victims who do not have data backups have no chances to recover data encrypted by this malicious virus. ADDITIONAL TIP. Victims of ransomware often tend to do mistakes out of frustration. Data recovery companies cannot restore data encrypted by Dharma ransomware. Be careful of scammer companies that simply pay the cybercriminals on your behalf, too. OUR GEEKS RECOMMEND Our team recommends a two-step rescue plan to remove ransomware and other remaining malware from your computer, plus repair caused virus damage to the system: GeeksAdvice.com editors select recommended products based on their effectiveness. We may earn a commission from affiliate links, at no additional cost to you. Learn more. Get INTEGO ANTIVIRUS for Windows to remove ransomware, Trojans, adware and other spyware and malware variants and protect your PC and network drives 24/7. This VB100-certified security software uses state-of-art technology to provide protection against ransomware, Zero-Day attacks and advanced threats, Intego Web Shield blocks dangerous websites, phishing attacks, malicious downloads and installation of potentially unwanted programs. Use INTEGO Antivirus to remove detected threats from your computer. Read full review here. RESTORO provides a free scan that helps to identify hardware, security and stability issues and presents a comprehensive report which can help you to locate and fix detected issues manually. It is a great PC repair software to use after you remove malware with professional antivirus. The full version of software will fix detected issues and repair virus damage caused to your Windows OS files automatically. RESTORO uses AVIRA scanning engine to detect existing spyware and malware. If any are found, the software will eliminate them. Read full review here.
Alternative software recommendations
Malwarebytes Anti-Malware
Method 1. Enter Safe Mode with Networking
Before you try to remove the virus, you must start your computer in Safe Mode with Networking. Below, we provide the easiest ways to boot PC in the said mode, but you can find additional ones in this in-depth tutorial on our website – How to Start Windows in Safe Mode. Also, see a video tutorial on how to do it: Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10 users Now, you can search for and remove DHARMA Ransomware Virus files. It is very hard to identify files and registry keys that belong to the ransomware virus, Besides, malware creators tend to rename and change them repeatedly. Therefore, the easiest way to uninstall such type of a computer virus is to use a reliable malware removal program. In addition, we suggest trying a combination of INTEGO Antivirus (removes malware and protects your PC in real-time) and RESTORO (repairs virus damage to Windows OS files).
Method 2. Use System Restore
In order to use System Restore, you must have a system restore point, created either manually or automatically. Instructions for Windows XP/Vista/7 users Instructions for Windows 8/8.1/10 users After restoring the system, we recommend scanning the system with antivirus or anti-malware software. In most cases, there won’t be any malware remains, but it never hurts to double-check. In addition, we highly recommend checking ransomware prevention guidelines provided by our experts in order to protect your PC against similar viruses in the future. Removing spyware and malware is one step towards cybersecurity. To protect yourself against ever-evolving threats, we strongly recommend purchasing a Premium version of Malwarebytes Anti-Malware, which provides security based on artificial intelligence and machine learning. Includes ransomware protection. See pricing options and protect yourself now.
System Mechanic Ultimate Defense If you’re looking for an all-in-one system maintenance suite that has 7 core components providing powerful real-time protection, on-demand malware removal, system optimization, data recovery, password manager, online privacy protection and secure driver wiping technology. Therefore, due to its wide-range of capabilities, System Mechanic Ultimate Defense deserves Geek’s Advice approval. Get it now for 50% off. You may also be interested in its full review.
Disclaimer. This site includes affiliate links. We may earn a small commission by recommending certain products, at no additional cost for you. We only choose quality software and services to recommend.