Harma is ransomware that encrypts the personal files on an infected host and then demands a ransom payment for the decryption tool. Because Harma belongs to Dharma, a relatively old but still one of the most prevalent ransomware families, the encryption is typically performed with the AES, DES or RSA ciphers.
Harma is spread through spam emails, web injects, fake updates, cracks, pirated software, and exploits.
As soon as the data is locked, victims notice the [WSS911@tutanota.com].harma extension appended to every photo, music, video, database, document, and other personal file. The malware nevertheless skips system files and executables: destroying the system is not the attackers' goal, which is to extort money (at least not in this case, although wiper-type ransomware does exist).
After locking all personal files, the Harma virus launches a ransom note: a pop-up window that displays the message from the attackers. A text file, RETURN FILES.txt, is also dropped; it is essentially a short version of the note. The threat actors explain that victims have to contact them via the WSS911@tutanota.com or email@example.com email addresses and pay the ransom in Bitcoin. They also threaten to delete the key after seven days if no contact is established.
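As an added illustration (not from the original article), the following Python script shows how a responder could scope an infection from the indicators described above: it walks a directory tree, matches the [<email>].harma naming pattern to count encrypted files and recover their original extensions, and locates dropped RETURN FILES.txt notes. The sample directory it builds is constructed for the example; the contact address in it is the one quoted above, and the assumption that the extension is appended after the original file name (so budget.xlsx becomes budget.xlsx.[WSS911@tutanota.com].harma) follows the description in the text.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Pattern for the extension described in the article: "[<email>].harma" appended
# to the original file name. The e-mail is captured so a responder can see which
# contact address a given sample used.
HARMA_EXT_RE = re.compile(r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.harma$", re.IGNORECASE)
RANSOM_NOTE_NAME = "RETURN FILES.txt"


def classify_path(path):
    """Return ('encrypted', email), ('note', None) or (None, None) for one path."""
    name = Path(path).name
    if name == RANSOM_NOTE_NAME:
        return "note", None
    m = HARMA_EXT_RE.search(name)
    if m:
        return "encrypted", m.group("email")
    return None, None


def triage_tree(root):
    """Walk a directory tree and summarise the Harma indicators found in it."""
    root = Path(root)
    summary = {
        "encrypted_files": [],
        "ransom_notes": [],
        "contact_emails": Counter(),
        "original_extensions": Counter(),
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = Path(dirpath) / fn
            rel = p.relative_to(root).as_posix()
            kind, email = classify_path(p)
            if kind == "note":
                summary["ransom_notes"].append(rel)
            elif kind == "encrypted":
                summary["encrypted_files"].append(rel)
                summary["contact_emails"][email] += 1
                # The text before the appended extension is the original name,
                # so the original suffix tells which file types were hit.
                original = HARMA_EXT_RE.sub("", fn)
                suffix = Path(original).suffix.lower() or "(none)"
                summary["original_extensions"][suffix] += 1
    return summary


def build_sample_tree():
    """Create a constructed directory layout imitating an affected user profile."""
    root = Path(tempfile.mkdtemp(prefix="harma_triage_"))
    (root / "Documents").mkdir()
    (root / "Documents" / "budget.xlsx.[WSS911@tutanota.com].harma").write_bytes(b"\x00" * 16)
    (root / "Documents" / "notes.docx.[WSS911@tutanota.com].harma").write_bytes(b"\x00" * 16)
    (root / "Documents" / RANSOM_NOTE_NAME).write_text("All FILES ENCRYPTED\n")
    (root / "Pictures").mkdir()
    (root / "Pictures" / "holiday.jpg.[WSS911@tutanota.com].harma").write_bytes(b"\x00" * 16)
    (root / "Pictures" / "untouched.png").write_bytes(b"\x89PNG")
    (root / "Windows").mkdir()
    (root / "Windows" / "notepad.exe").write_bytes(b"MZ")  # executables are skipped by the malware
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = triage_tree(sample_root)
    print(f"encrypted files : {len(result['encrypted_files'])}")
    print(f"ransom notes    : {result['ransom_notes']}")
    print(f"contact e-mails : {dict(result['contact_emails'])}")
    print(f"affected types  : {dict(result['original_extensions'])}")
```

Run against a real share the script only reads names, never file contents, so it is safe to use before any recovery attempt; the recovered original suffixes and note locations give the scope of the damage and the contact address ties the sample to a known campaign.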
Once inside the system, Harma ransomware deletes Shadow Volume snapshots with a specific command launched by the virus. It also modifies the Windows registry to gain persistence, so that its malicious tasks run at all times.
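The two behaviours in this paragraph, shadow copy deletion and registry persistence, are what a host-based detection would key on. The following Python example, added here and not part of the original article, runs two simple rules over constructed process-creation and registry-set events written in a simplified key=value form modelled on Sysmon Event IDs 1 and 13. The article does not name the command Harma uses, so the first rule assumes the vssadmin/wmic shadow-copy deletion commonly seen in the Dharma family; the second flags a Run-key value that points into a user-writable directory. The paths, SID and payload name in the sample events are made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample events (not captured from a real host), in a simplified
# 'Key=value Key="quoted value"' form modelled on Sysmon EventID 1 (process
# creation) and EventID 13 (registry value set).
SAMPLE_EVENTS = [
    r'EventID=1 Image="C:\Windows\System32\svchost.exe" CommandLine="svchost.exe -k netsvcs" ParentImage="C:\Windows\System32\services.exe"',
    r'EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin.exe delete shadows /all /quiet" ParentImage="C:\Users\alice\AppData\Local\Temp\payload.exe"',
    r'EventID=13 Image="C:\Users\alice\AppData\Local\Temp\payload.exe" TargetObject="HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\payload" Details="C:\Users\alice\AppData\Local\Temp\payload.exe"',
    r'EventID=13 Image="C:\Program Files\Vendor\setup.exe" TargetObject="HKLM\SOFTWARE\Vendor\Version" Details="3.2"',
    r'EventID=1 Image="C:\Windows\System32\vssadmin.exe" CommandLine="vssadmin.exe list shadows" ParentImage="C:\Windows\System32\cmd.exe"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one key=value record into a dict, stripping the quotes around values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


@dataclass
class Alert:
    rule: str
    event_index: int
    evidence: str


# Assumption: Dharma-family samples typically remove shadow copies through
# vssadmin or wmic; the article only says "a specific command".
SHADOW_TOOLS = ("vssadmin.exe", "wmic.exe")
# Locations from which an autostart entry is suspicious for a normal install.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def is_shadow_copy_deletion(ev: Dict[str, str]) -> bool:
    """Process creation of a shadow-copy tool with a delete verb on the command line."""
    if ev.get("EventID") != "1":
        return False
    image = ev.get("Image", "").lower()
    cmd = ev.get("CommandLine", "").lower()
    if not image.endswith(SHADOW_TOOLS):
        return False
    return "delete" in cmd and "shadow" in cmd


def is_run_key_persistence(ev: Dict[str, str]) -> bool:
    """Registry write to a Run/RunOnce key whose value points into a user-writable path."""
    if ev.get("EventID") != "13":
        return False
    target = ev.get("TargetObject", "").lower()
    if "\\currentversion\\run" not in target:
        return False
    details = ev.get("Details", "").lower()
    return any(hint in details for hint in USER_WRITABLE_HINTS)


def scan_events(lines: List[str]) -> List[Alert]:
    """Apply both rules to every event and collect the matches in order."""
    alerts: List[Alert] = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        if is_shadow_copy_deletion(ev):
            alerts.append(Alert("shadow_copy_deletion", i, ev.get("CommandLine", "")))
        if is_run_key_persistence(ev):
            alerts.append(Alert("run_key_persistence", i, ev.get("TargetObject", "")))
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a.rule}] event #{a.event_index}: {a.evidence}")
```

The benign events (a service host, a vendor installer writing its own key, and a plain "vssadmin list shadows") produce no alert, which is the point of requiring both the tool and the delete verb, and both the Run key and a user-writable target: either half alone fires on routine administration.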
After file encryption, Harma ransomware drops the following ransom note:
All FILES ENCRYPTED “RSA1024”
All YOUR FILES HAVE BEEN ENCRYPTED!!!
IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL WSS911@tutanota.com
IN THE LETTER WRITE YOUR ID, YOUR ID
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: firstname.lastname@example.org
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON’T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.