This article is about the ransomware. For the DOS virus, see Damage.

Damage is a ransomware that is believed to be from the Dharma/Crysis family.



The virus infections are initiated mainly through direct hack attempts. The Damage Ransomware attempts to intrude into the target servers by using RDP (Remote Desktop Protocol) attacks and exploiting various weaknesses in an automated way.

The RDP intrusions are done by using an IP scanner to analyze of the standard port 3389 is available and if there is a service open.

Other ways to distribute the malware include the following:

  • Email Spam Campaigns – The hackers use email spam messages to spread the viruses either in hyperlinks or directly attach them to the messages. In recent times the hackers use many different kinds of social engineering tactics.
  • Software Installers – Infected bundle installers are often used to spread dangerous viruses. They are often found on iliegal download sites and BitTorrent trackers.
  • Malicious Redirects – All sorts of browser hijackers and malicious redirects are used to deliver virus executables to the victims.


Upon infection the virus follows the usual infection algorithm by encrypting target user data and extorting the victims for a aransomware fee payment. The built-in encryption engine targets the most popular file extension types: documents, photos, music, configuration files, backup images and etc. All affected data receive the .damage extension.

The virus then crafts a ransomware note called “[user_pc_name].txt”. Its contents read the following message:

end of secret_key
To restore your files – send e-mail to
Community content is available under CC-BY-SA unless otherwise noted.