An unsolicited email from the address firstname.lastname@example.org is spreading a new ransomware infection that experts have called Dharma. When Dharma attacks, it encrypts the files found on victims' computers and appends the file extension .dharma together with a unique identifier, so that users can no longer open the files. Following the attack, the virus asks the owners of the affected system to pay so they can recover the encrypted files. If you are already a victim of the Dharma virus, read further to see how you can get rid of Dharma. Just keep in mind that paying the ransom is by no means a solution.
Dharma Ransomware – How Does It Replicate
Affected users have reported on various security forums about the attack of Dharma ransomware on their system. The scary thing is that the malware attack is not limited to home computers. Office networks are not spared either. The spread of the virus happens in various ways:
- Flash drive. The use of an infected flash drive used in the office environment triggers the virus.
- Self-executing worm. Once one system on the office network is infected, a self-executing worm wakes up in a flash and replicates the malware across the network.
- Spam emails with compromised attachments.
Dharma ransomware is suspected to be a variant built from open-source code, or it may have been bought on the black-hat market. The malware spreads fast and in huge volumes, posing serious threats to computer users and organizations.
Even more severe is the fact that the virus can move unnoticed past the majority of antivirus software, which suggests that the malware employs advanced obfuscation to evade detection while replicating.
Dharma Ransomware Detailed Description
When a user visits the location hosting the virus or opens its attachment, a copy of the malware executes automatically. Instantly, it starts injecting the required commands into appropriate Windows processes such as svchost.exe and explorer.exe. The virus may start by deleting any shadow volume copies or backups on the system; it does this by executing the vssadmin command in a hidden manner so that it goes unnoticed.
Once it has succeeded in removing the affected files' history, the virus will likely add custom registry values with data in the Run and RunOnce Windows Registry subkeys. The data added is configured to execute the Dharma ransomware programs, which will start encrypting the following files:
- Adobe Reader, PDF
- VMware, Photoshop
- Microsoft Office files
After completion of the malicious encryption activities, the system's explorer.exe goes into the “Not Responding” state, and the virus adds the criminals' email address and the .dharma file extension to the affected files so that they cannot be opened again.
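The three behaviours described above (hidden vssadmin shadow-copy deletion, Run/RunOnce persistence, and files renamed with a trailing .dharma extension) are what a defender can look for in endpoint telemetry. The following is an added detection example written for this article, not code from the original page or from any vendor tool; the process-log line format and the sample lines are constructed, and the exact tag Dharma places between the original extension and .dharma is not given on the page, so only the trailing .dharma is matched.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation log lines (not real telemetry).
# Assumed format: "<timestamp> pid=<n> parent=<image> image=<image> cmd=<command line>"
SAMPLE_LOGS = [
    "2016-11-18T10:01:02 pid=412 parent=explorer.exe image=cmd.exe "
    "cmd=vssadmin delete shadows /all /quiet",
    "2016-11-18T10:01:05 pid=418 parent=svchost.exe image=reg.exe "
    "cmd=reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v dh /d C:\\Users\\x\\AppData\\dharma.exe",
    "2016-11-18T10:02:00 pid=420 parent=explorer.exe image=vssadmin.exe "
    "cmd=vssadmin list shadows",
    "2016-11-18T10:02:10 pid=430 parent=explorer.exe image=notepad.exe "
    "cmd=notepad C:\\Users\\x\\report.docx",
]

@dataclass
class Finding:
    rule: str
    line: str

# Rule 1: shadow copy destruction via vssadmin ("vssadmin list shadows" is benign and must not fire)
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)
# Rule 2: persistence written under the Run or RunOnce subkeys
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
# Rule 3: a file name that now ends in .dharma after its original extension
DHARMA_EXT = re.compile(r"\.[A-Za-z0-9]+(?:\.[^\\/\s]+)*\.dharma$", re.IGNORECASE)

def scan_process_logs(lines):
    """Return one Finding per rule hit; a line can hit more than one rule."""
    findings = []
    for line in lines:
        cmd = line.split("cmd=", 1)[-1]          # only the command line is inspected
        if VSSADMIN_DELETE.search(cmd):
            findings.append(Finding("shadow_copy_deletion", line))
        if RUN_KEY.search(cmd):
            findings.append(Finding("run_key_persistence", line))
    return findings

def find_encrypted_names(names):
    """Return the file names that carry the appended .dharma extension."""
    return [n for n in names if DHARMA_EXT.search(n)]

if __name__ == "__main__":
    for f in scan_process_logs(SAMPLE_LOGS):
        print(f"{f.rule}: {f.line}")
    print(find_encrypted_names(["report.docx.dharma", "report.docx", "photo.jpg.DHARMA"]))
```

On a real host the same rules would be fed from Sysmon or EDR process-creation events and a file-system listing rather than the constructed lines above.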
How to Remove Dharma Ransomware
Removing Dharma ransomware is possible, but restoring your files may not be. However, if you have been infected by Dharma or any other ransomware virus, make sure to remove the infection first by using a trustworthy anti-malware tool and only then try to recover some of your data. Sometimes experts manage to break the particular ransomware infection and release a decryption key to the public that can successfully unlock the encrypted files. But even if they never release such a key, paying the ransom is still the worst-case option, as this way you only foster cyber crime without any guarantee that you'll receive the promised key.