Dharma Ransomware: Another Ransomware Returns From Oblivion

Dharma Ransomware

Dharma Ransomware! This particular ransomware had got lost in oblivion thanks to the release of Dharma decryption keys that were made available online. Upon its original release, experts pointed out that it resembled the CrySiS ransomware. But, the similarities soon met a natural death.

It is now back with a new variant. The older variant of Dharma Ransomware used to append the .dharma extension. Now, with technological advancement, and increase in means of exposure for spotting a malicious extension, it has changed its tactics. Hence, the latest version has changed itself in to using .arrow extension amongst others.

How Does It Work?

Following the same path as all the other ransomware, Dharma too leeches on to a PC and steady feeds of its data by converting it into encrypted files. It uses phishing techniques to infect the systems. Mass spam campaigns are executed in which the user clicks open a malicious attachment. It is how it enters the system in the first place.

How Can One Protect Their Data From Getting Infected?

A few things to keep in mind to protect one’s data is:

1. In the case of receiving any email in your inbox, from an unknown source, do not access the attachment included.

2. Any attachment received from an unknown source needs to be deleted immediately. Otherwise, in the case of Dharma Ransomware, it sneaks malicious payload with fake advertising pop ups. They can range from lottery wins to even winning fake plane tickets. Do not open them.

Once you are alert in term of its entry points, one can keep an eye out for the infection vectors that are mainly used by the Dharma Ransomware.

Must Read :  5 Best Ransomware Protection Tools For Windows

What Happens Once The Data Has Been Encrypted?

In the previous version of Dharma Ransomware, there are no visual changes on the infected PC. In the current version, there are no changes on the desktop’s background or any additional pop ups. A text file (“README.txt” or “Document.txt.[amagnus@india.com].zzzzz”) is created in each and every folder that contains the compromised files.

Within that document, is a rather short message that states that the computer is unprotected. Additionally, it claims that, developers have a solution to this problem and can restore the encrypted files.

To free their PC of the malicious ransomware, the victims must contact Dharma’s developers via an email address provided (bitcoin143@india.com). A sample of the same has been attached below.

malicious ransomware

One version of this ransomware has an appending email address (email@india.com). This address is used to nudge the victim into contacting the hackers to reclaim encrypted files. which victims are encouraged to write to in order to receive ransom instructions.

The amount that is demanded by the hackers is in Bitcoin and ranges from $5000 to $ 10,000.

Also Read : 10 Best Anti-Malware Software for Windows

What Extensions Is It Currently Using?

Some of the extensions that are used by the current version of Dharma Ransomware for the purpose of marking encrypted files amongst others are:

  • .cesar
  • .onion
  • .zzzzz
  • .arena

These extensions are not restricted to emails. They can enter one’s PC either through visiting unsafe sites on the dark web or by accessing third party links redirected via social media platforms. The only thing one can do in such scenarios is maintain constant vigilance while surfing the big wide web.

The Verdict:

This form of ransomware may not seem overtly harmful but, if not removed or tackled, they can become hosting portals for other malicious viruses. If one wants to avoid such an eventuality, it is very important that one filters the setting of your accounts so that the virus can be stopped before it spreads further.