FANDOM


Dharma is a crypto-virus that first struck the world in 2016, and is releasing new versions regularly in 2019 still. Spring of 2019 came with a handful of new versions. The latter variants which appeared in 2019 have started appending encoded data with .ETH;  .stun, .Btc, .azero, .best, and .frend file extensions.

Dharma remains active as ransomware that targets various companies and organizations all over the world. At the end of March 2019, malware hit a system of the parking garage in Canada.

Payload

Transmission

Dharma is transmitted through malicious email spam and brute-forcing unprotected RDP connections.

Infection

The malware uses AES encryption algorithm to encrypt data and drops a ransom note to each of the affected folders – Info.hta or FILES ENCRYPTED.txt – asking to contact developers via provided email address and pay for the alleged decryption. 

The latest versions of ransomware leave a simple ransom note on the infected computer that reads:

ATTENTION!
At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:
bitcoin143@india.com

Victims have also reported about seeing this ransom note: 

hallo, our dear friend!
looks like you have some troubles with your security
all your files are now encrypted
using third-party recovering software will corrupt your data
you have only one way to get them back safety – using our decryption tool
to get original decryption tool contact us with email is subject like write your ID which your can find
in name of every encrypted file, also attach to email 3 crypted files.
lavandos@dr.com
It is your interest to respond as soon as possible to ensure the restoration of your files because we won’t keep your decryption keys at our servers more than 72 hours in interest of our security
PS. only in case you don’t receive a response from the first email address within 24 hours, please use this alternative email address lavandos@india.com

Dharma now uses ESET AV Remover installations as a "smoke screen" technique designed to distract victims while their files are encrypted in the background as detailed by Trend Micro.

Variants

Oron@india.com:This variant is named as the file extension it uses. Just like any other dangerous ransomware-type infection, it aims to encrypt important files on the targeted computer to gain illegal profits. 

The easiest way to recognize Oron@india.com ransomware virus is to check the file extension — documents encoded by this version are appended with [oron@india.com].dharma extension. It consists of two sections: an actual extension and the email address. Indication of the email is an attempt to urge the user into contacting the crooks for the decryption tool.

Zzzzz: It is another virus version that shares its extensions with the infamous Locky virus. It still encrypts files making them inaccessible to the victims and demands payment for the access key.

Wallet: Wallet is the latest Dharma version which appends .wallet extensions to the encrypted files. Ransomware victims are also urged to contact criminals via given email address (amagnus@india.com) and gives not specific details upfront. The virus makes sure the victims are acquainted with the data recovery conditions by replacing the infected computer's desktop with an image of a ransom note.

Extortionists set a 72-hour limit to pay the ransom and claim that if victims fail to pay in time, the decryption key will be destroyed and they will lose access to their files forever. 

Onion: The virus spreads via malicious email attachments, and once the victim clicks on an infected attachment, malware sneaks inside the system. On the affected device, ransomware starts a system scan and looks for the targeted file types. For data encryption, it uses a sophisticated algorithm that prevents users from accessing their files.

The ransomware appends the .onion file extension to the encoded documents, PDFs, video, audio, image files, databases, and other popular file types.

Cezar: The virus emerged in the middle of August 2017, and it is also known as Cesar ransomware virus. The virus is named after a file extension that it adds to encrypted files, respectively .cezar or .cesar. The virus suggests writing to btc2017@india.com for instructions on how to recover encrypted files, so it works as a typical Dharma version.

The aim of the virus is to force the victim to get in touch with cybercriminals and start negotiations regarding data recovery. The criminals will ask the user to pay an enormous ransom in Bitcoins and promise you to provide a decryption key afterward.

Arena: The virus was spotted by a security researcher Michael Gillespie on August 23rd, 2017. The new ransomware variants appends traditional extension – .id-[ID].[criminal's email address].arena. The virus then outputs some text in a FILES ENCRYPTED.txt file (known as ransom note).

The virus suggests contacting the criminals via sindragosa@bigmir.net email address, leaving no hints about the price of the decryption key.

Java file: It is believed that there are more than three versions of this Java ransomware spreading on the Internet, so be careful while searching the web. At the moment, security experts do not report about significant changes in virus source code, just mention to be careful with spam that spreads using the subject line “The Request Invoice.” 

Here is the message content:

Here is the Invoice you requested. Please make sure to print it, sign it and scan it to send it back to us.
Best Regards,
Tim Brooks
Sales Department

This version also inflicts quite significant damage to the system. It disables system recovery and deletes shadow volume copies.

Write file extension: The upgraded variant appends .write or [files.restore@aol.com].write extension after encrypting important data which is stored on the targeted system. At that point, the files become unusable and victims are encouraged to pay the ransom in exchange for a decryption tool. 

Once the victims receive the ransom-demanding message, they are urged to contact the criminals via files.restore@aol.com email address. 

Arrow: Ransomware researchers detected yet another altered version of the malware, which appends .id-.[].arrow file extension to encrypted files. Although it's not clear the sum of the ransom demanded, it's clear that extortionists can be contacted via GuardBTC@cock.li, Blammo@cock.li or Bitcoin888@cock.li emails. 

Bip: The virus deletes shadow volume copies in order to make data decryption nearly impossible unless the user have backups. Following the encryption procedure, .bip file virus drops two ransom notes in Info.hta and FILES ENCRYPTED.txt where victims of ransomware are asked to send an email to Beamsell@qq.comi to get data recovery instructions. 

.java2018@tuta io.arrow file extension: The variant emerged at the end of May 2018. It uses .[email].arrow file extension to the appended files. Immediately after the encryption, ransomware downloads a ransom note where victims are asked to contact crooks immediately. The faster they write, the less they need to pay, according to the ransom note. Crooks use two contact email addresses java2018@tuta.io or java2018@india.com.

Brr: On the second week of September 2018, Brrr ransomware came to light. Files encrypted with .[paydecryption@qq.com].brrr pattern and same two ransom note files as most of the previous versions. Ransom note contains paydecryption@qq.com contact email and an offer to decrypt one file that is smaller than 1Mb.

Gamma: Similar pattern as other versions with no certain ransom amount, offer to test decrypt and other features:

  • .id-%ID%.[bebenrowan@aol.com].gamma file extension;
  • ransom files called Info.hta and FILES ENCRYPTED.txt;
  • contact email bebenrowan@aol.com.

Bkp: This variant similarly to other ones delivers the same files for ransom notes with the names Info.hta and FILES ENCRYPTED.txt, adds new bkp@cock.li contact email to the mix.

Boost: This time, a virus encrypts data using the AES algorithm and marks those files using a specific pattern – .[boston.crypt@tuta.io].boost. As usual for this ransomware family, FILES ENCRYPTED.txt file with the ransom message gets delivered to folders that contain encoded documents, photos, and other files.

Waifu: the malware encodes users files and marks them with an appendix that ends with .waifu. Also, contact email darknes@420blaze.it included in this file marker. 

Vanss: This one is different from others because it uses the same email that previously known .bip and .combo was using back in May 2018. The email appears in typical ransom notes Info.hta and FILES ENCRYPTED.txt.

BTC: This variant came out in October, but this one has more features than other variants. First, BTC_DECRYPT_FILES.txt or IDR__BTC_DECRYPT_FILES.txt are the ransom note files that get delivered to the victim's screen after file-locking.

Then the particular ransom amount is revealed in one of these files that can differ from 0.5BTC to 1.5 Bitcoin for file recovery.

FUNNY: This variant came out at the end of October. This time, only the program window named as the contact email appears on the screen after encryption. The information stated on the window include instructions on how to buy Bitcoins and pay the demanded ransom.

When you write WildMouse@cock. or unlock24@cock.li and ask for the opportunity to decrypt files, the ransom amount should be revealed.

Xxxxx: This variant was only one of many versions that got released in that year. However, this version was the last discovered in the month of October. Not many new information got revealed with this version since it also not changed and resembles other 20+ variants.

Only features that make it different from previous Dharma versions:

  • file marker .id-id.[syndicateXXX@aol.com].xxxxx;
  • contact email syndicateXXX@aol.com.

Audit: Crooks still give 24 hours for victims to reach them via contact email payransom@qq.com. This information alongside the victims' ID and places where the user can buy cryptocurrency is delivered with the program window named with the particular contact email.

Tron: One of the distinct features belonging to this version of Dharma is the particular – 0.05BTC ransom amount. The sample that got analyzed revealed this information, but the amount still can differ from victim to victim.

Adobe: One of the more unique versions in this family is Adobe ransomware. Malware researchers reported about this particular version more than a few times throughout the years. November and December revealed a few different attacks from this one, at the same time this .adobe file extension was associated with more than one virus family. Djvu ransomware virus also uses this file marker.

Possible contact emails for the particular Dharma version:

  • parambingobam@cock.li,
  • bufytufylala@tuta.io,
  • youneedfiles@india.com,
  • stopencrypt@qq.com,
  • btcdecripter@qq.com.

Santa: The ransom note that comes in a text file named FILES ENCRYPTED.txt reveals the contact email for the developers – Newsantaclaus@aol.com. A full file marker also includes this email. When documents or photos get encoded .id-XXXXXXXX.[Newsantaclaus@aol.com].santa shows up at the end of the original name.

Wallet virus: The year of 2019 started with a few new version to the same Adobe ransomware handful. However, Wallet virus was also one of the few different ransomware hailing from the same Dharma. This malware uses a mixture of AES and RSA encryption algorithms and marks files with either .wallet or .wallet.lock appendixes. 

The typical ransom note reveals the amount of ransom that goes from $500 to $1500 worth of cryptocurrency.

Heets: When the ransomware attack starts and files get locked full .id-[bestdecoding@cock.li].heets file marker gets added to the affected data. This way victims can know what malware affected their files. Then HTML window with further instructions appears and shows possible steps and contact emails – bestdecoding@cock.li; heetsdecoding@cock.li.

Qwex: The malware injects various files on the system besides FILES ENCRYPTED.txt ransom note or executable. This virus can change startup entries and add a program that disables the security features of the PC. 

ETH: People often report about this variant affecting their computers even a few months after the initial discovery. This variant puts .eth on the end of each file.

888: This variant hinted the name of the president of the USA in the contact email. .[donald888@mail.fr].888 is the full file marker that indicates encrypted files. A few other versions had a specific amount of ransom, this one also demands $500-$1500 in Bitcoin from its victims. 

Frend: Another version hinting to the USA that came out in the same week of February – Frend ransomware. Not many cryptovirus variants can be indicated as dangerous by AV engines. However, when anti-malware tool developers keep their databases up to date, users can eliminate threats like this by scanning the system fully.

KARLS: This particular threat employs AES-256 algorithm for file-locking process and makes data useless to have the reason for money extortion. When data gets .id-[random].karlosdecrypt@outlook.com.KARLS file marker it can be recovered with the official decryption tool or data recovery tool.

AYE:  Crysis/Dharma ransomware family ransom message gets delivered this time again. FILES ENCRYPTED.txt reveals only contact email and confirms the fact that your system got encrypted. This malware can disable some functions of the user's machine.

NWA: NWA came with a lengthy file extension that makes the user notice which files are encoded.

Unfortunately, ransomware can also alter other files on the system and changes preferences of the programs that run at the startup. It adds the executable explorer.exe with the payload but it also runs additional processes and disables system security programs to make the elimination more difficult.

Korea: This virus is one of the last ones that came out in March 2019. Korea employs the typical symmetrical AES encryption algorithm and makes users' data useless. All this effort for the purpose of crypto-extortion because users want to get their files back. 

Like most of the other versions, it adds a file extension to files that got affected in a pattern – .[omfg@420blaze.it].korea. Discovered almost at the same time as other variants, this threat automatically launched the HTML window with payment instructions and places where the user can buy Bitcoins which is the preferred cryptocurrency.

Stun: This variant was released on April fools. This variants pus .stun on the end of every file.

Community content is available under CC-BY-SA unless otherwise noted.