Dharma Ransomware - How To Remove?
Dharma ransomware was reported to be infecting workstations two days ago, on the 16th of November, 2016. It has been reported to infecting single as well as network computers. On an interesting note, sometimes the virus leaves some of the network computers untouched. In addition to this, this queer ransomware may not leave the ransom note – the important message, which tells the victim’s what has happened and gives directions on what to do. Dharma crypto-locker is thought to be a new variant of CrySiS ransomware, according to some hex patterns at he footer of the files.
Some Technicalities Regarding Dharma Ransomware
It is still more questions than answers as concerns this new file-encrypting treat under the name of Dharma. The pattern it employs to encrypt data targets only the C drive. This new encrypting malware appends the .[email@example.com].dharma or .[firstname.lastname@example.org].dharma extension to each name of the encrypted file, depending which is the specific contact e-mail. In the first case, the original Document.doc will be given the name of Document.[email@example.com].dharma, in the second case scenario the encrypted Document.doc file will have the name of Document.[firstname.lastname@example.org].dharma. The definite list of the aimed at data files has not been presented yet.
Interestingly enough, Dharma data-targeting virus does not replace the victim’s desktop background with any kind of wallpaper containing the ransom note. Though, some of the versions of this ransomware virus, actually, have the ransom note, which is contained into the README.txt file placed in the Startup folder. The text of the note is the following:
At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:
Upon every re-boot of the infected PC, Dharma crypto virus will encrypt every new file stored in the C disk. Skanda.exe, plink.exe, in the folder named as opFirlma, and worm.exe are the names of the executable files detected to have the payload of the malware embedded in.
In What Way the Rapid Expansion of Dharma Ransomware is Carried Out?
The specific method Dharma file locker infects the PCs has not been introduced yet. Thus, it is considered that this crypto virus spreads in the usual manner ransomware viruses are spread. This refers to the sending of infected spam e-mails pretending to contain the important information regarding taxes, fines, parcels, etc. They can even contain special marks of some official institutions and/or companies. In addition to this, Dharma encrypting virus can get installed on the victim’s computer along some free downloads, DLL (Dynamic Link Library) hijacking, exploit attacks, etc.
Recommendations for Removing Dharma Ransomware
Dharma trojan is recommended to be removed with professional tools. We have the antivirus programs in mind. Our recommendation would be running such applications as Reimage, Spyhunter or Malwarebytes to have the ransomware removed as well as the whole of the computer’s system cleaned. Additionally, at the end of the article you will find the manual removal instructions, which can also help you to remove Dharma ransomware trojan from your PC.
Recommendations for Restoring Data
The Kaspersky decryptor RakhniDecrypter for CrySiS does not work in the case of Dharma. Even if you have changed the extension with that of the Dharma’s, you will get an error, indicating unsupported file type. Accordingly, you are left with the following options for retrieving your spoiled files. Your next move, after the imaging of the infected C drive and the removal of the ransomware, is to use your backup or run the ShadowExplorer to find out whether the Shadow Copies were deleted or not. If both of the backup choices do not fit your particular case, use data recovery software such as Recuva, data restoration software by Kaspersky Lab, etc.
Update of the 18th of December, 2016. Dharma ransomware started using email@example.com e-mail for contact.
Update of the 29th of December, 2016. Dharma crypto-malware started using the Info.hta ransom note:
Update of the 2nd of March, 2017. It appears that an unknown source has posted a number of possible decryption keys that could help Dharma ransomware victims restore their ruined files. This link transfers people to the published codes and Kaspersky is currently working to find out whether these keys are legitimate. If they are, then security researchers will be able to create an appropriate tool to recover all lost data.
Update of the 3rd of March, 2017. Just as we predicted yesterday, Kaspersky did manage to create a free tool for decryption. You can click here and the download of this tool will immediately begin. A short tutorial how to restore your files:
1. Run the RakhniDecryptor.
2. Click “START SCAN” and select a .word, image or pdf file that has been encrypted by Dharma ransomware.
3. Press “OPEN”.
4. Now, the decrypter should start a scan for the encrypted files.
6. Once the scan and file-recovery is concluded, you can close RakhniDecryptor and enjoy your files once again!
The note provides with a different contact e-mail: firstname.lastname@example.org.
- Some Technicalities Regarding Dharma Ransomware
- In What Way the Rapid Expansion of Dharma Ransomware is Carried Out?
- Recommendations for Removing Dharma Ransomware
- Recommendations for Restoring Data
- Automatic Dharma Ransomware removal tools
- How to recover Dharma Ransomware encrypted files and remove the virus
- Step 1. Restore system into last known good state using system restore
- Step 2. Complete removal of Dharma Ransomware
- Step 3. Restore Dharma Ransomware affected files using Shadow Volume Copies
- Step 4. Use Data Recovery programs to recover Dharma Ransomware encrypted files
- Removal guides in other languages
Automatic Dharma Ransomware removal tools
How to recover Dharma Ransomware encrypted files and remove the virus
Step 1. Restore system into last known good state using system restore
1. Reboot your computer to Safe Mode with Command Prompt:
for Windows 7 / Vista/ XP
- Start → Shutdown → Restart → OK.
- Press F8 key repeatedly until Advanced Boot Options window appears.
- Choose Safe Mode with Command Prompt.
for Windows 8 / 10
- Press Power at Windows login screen. Then press and hold Shift key and click Restart.
- Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
- When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.
2.Restore System files and settings.
- When Command Prompt mode loads, enter cd restore and press Enter.
- Then enter rstrui.exe and press Enter again.
- Click “Next” in the windows that appeared.
- Select one of the Restore Points that are available before Dharma Ransomware has infiltrated to your system and then click “Next”.
- To start System restore click “Yes”.
Step 2. Complete removal of Dharma Ransomware
After restoring your system, it is recommended to scan your computer with an anti-malware program, like Reimage and remove all malicious files related to Dharma Ransomware. You can check other tools here.
Step 3. Restore Dharma Ransomware affected files using Shadow Volume Copies
If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Dharma Ransomware tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so.
Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer.a) Native Windows Previous Versions
Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.
b) Shadow Explorer
It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.
Step 4. Use Data Recovery programs to recover Dharma Ransomware encrypted files
There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:
- We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
- Download Data Recovery Pro (commercial)
- Install and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.