Dharma Ransomware: What Is It & How to Remove It?
Michelle Wilson - February 22, 2022
Ransomware encrypts the files on a device, leaving those files, and any systems that depend on them, unusable until they are decrypted. The attacker then demands a ransom in exchange for the decryption key. Many operators also threaten to publish or sell exfiltrated data or authentication credentials if the victim refuses to pay. These attacks keep evolving and remain exceptionally hard for victims to recover from.
Throughout the last few years, ransomware attacks have continued to increase significantly. Unfortunately, these attacks show no signs of letting up or stopping anytime soon.
Malicious actors continuously refine their ransomware playbooks, pressuring victims to pay or watch confidential information become public. Modern attacks involve lateral movement: once inside, the operators spread across the network, abusing weak credentials and unpatched systems to reach as many machines as possible. They also delete local backups and shadow copies before encrypting, so that recovery without the attackers' key becomes infeasible.
What is Dharma Ransomware?
Dharma ransomware belongs to the CrySis family and is often referred to by that name. It is delivered as a trojanized program and targets Windows systems, extorting home users, small businesses and mid-sized organisations. It typically encrypts the contents of user profile directories (documents, pictures and similar) rather than the operating system itself. Each encrypted file keeps its original name and gains an additional suffix; in the variant this article discusses the suffix ends in .dharma.
Unlike ransomware that renders the whole machine unbootable, Dharma leaves the operating system running. It persists on the system and keeps encrypting new files as they are written into the targeted directories, so the infection has to be removed to stop further damage. Removal alone does not decrypt anything: files that were already encrypted stay encrypted.
Most Dharma infections begin with email campaigns. Messages crafted to look legitimate ask the recipient to download a password-protected attachment, in the campaign described here named Defender.exe.
Understanding the Dharma Ransomware Operation
In that campaign, Defender.exe is a self-extracting archive that drops a malicious file named taskhost.exe alongside an old, legitimate installer for ESET AV Remover. The ESET AV Remover installer launches automatically once extraction finishes, so the user sees a genuine-looking security tool running while Dharma encrypts files in the background. The extension appended to encrypted files varies by campaign; roughly thirty different extensions have been observed.
Dharma does not change the desktop wallpaper. Instead, once it has finished encrypting the valuable data, it writes a ransom note (a text file named README.txt in the sample described here) into every folder that contains encrypted files. The note lists two email addresses through which the victim is told to contact the criminals and arrange payment.
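The following triage helper is an added example, not code from the article or from any vendor. It recognises Dharma-style encrypted filenames in a file listing and pulls out the fields they carry, flags the ransom note name the article mentions, and also flags double-extension lures of the kind described later under Methods of Distribution. The article itself only mentions the .dharma suffix; the `.id-<8 hex>.[<email>].<extension>` layout comes from public reporting on Dharma samples, and the sample paths are constructed.

```python
"""Triage helper added to this article (not Dharma's or any vendor's code):
recognise Dharma-style encrypted filenames in a file listing, pull out the
victim ID and contact address they carry, and flag double-extension lures.
Sample paths are constructed for the example."""
import ntpath
import re
from collections import Counter

# Public analyses of Dharma report encrypted names of the form
#   <original name>.id-<8 hex chars>.[<contact email>].<variant extension>
ENCRYPTED_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<variant>[A-Za-z0-9]+)$"
)

EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "js", "vbs", "bat", "cmd"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}

RANSOM_NOTE_NAME = "README.txt"  # the note name this article describes


def parse_encrypted_name(path):
    """Return the fields of a Dharma-style encrypted filename, or None."""
    m = ENCRYPTED_NAME.match(ntpath.basename(path))
    return m.groupdict() if m else None


def is_double_extension_lure(path):
    """True for names like Invoice.pdf.exe: an executable extension hidden
    behind a document extension (Explorer hides the final known extension
    by default, so the user sees 'Invoice.pdf')."""
    parts = ntpath.basename(path).lower().split(".")
    return (len(parts) >= 3
            and parts[-1] in EXECUTABLE_EXTENSIONS
            and parts[-2] in DOCUMENT_EXTENSIONS)


def triage_listing(paths):
    """Summarise a directory listing: encrypted files, the variant
    extensions seen, victim IDs, contact addresses, notes and lures."""
    summary = {
        "encrypted": [],
        "variants": Counter(),
        "victim_ids": set(),
        "contacts": set(),
        "ransom_notes": [],
        "lures": [],
    }
    for path in paths:
        fields = parse_encrypted_name(path)
        if fields:
            summary["encrypted"].append(path)
            summary["variants"][fields["variant"].lower()] += 1
            summary["victim_ids"].add(fields["victim_id"].upper())
            summary["contacts"].add(fields["contact"].lower())
        elif ntpath.basename(path) == RANSOM_NOTE_NAME:
            summary["ransom_notes"].append(path)
        elif is_double_extension_lure(path):
            summary["lures"].append(path)
    return summary


# Constructed sample listing (not from a real incident).
SAMPLE_LISTING = [
    r"C:\Users\jsmith\Documents\Q3-report.xlsx.id-3F2A9C1B.[restore@example.com].dharma",
    r"C:\Users\jsmith\Documents\budget.docx.id-3F2A9C1B.[restore@example.com].dharma",
    r"C:\Users\jsmith\Pictures\holiday.jpg.id-3F2A9C1B.[restore@example.com].dharma",
    r"C:\Users\jsmith\Documents\README.txt",
    r"C:\Users\jsmith\Downloads\Invoice_2022.pdf.exe",
    r"C:\Users\jsmith\Downloads\Defender.exe",
    r"C:\Users\jsmith\Documents\notes.txt",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print(f"{len(result['encrypted'])} encrypted files, variants {dict(result['variants'])}")
    print("victim IDs:", sorted(result["victim_ids"]), "contacts:", sorted(result["contacts"]))
    print("ransom notes:", result["ransom_notes"])
    print("double-extension lures:", result["lures"])
```

The victim ID and contact address are worth extracting because they are what lets you tie every encrypted file on a network to one infection and one operator mailbox during triage; a listing with several different IDs or contacts points at more than one campaign.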
How Dharma Ransomware Works
Dharma encrypts files on the victim's machines using a hybrid scheme: file contents are encrypted with a symmetric cipher, and the symmetric key material is in turn encrypted with a public key embedded in the malware. The matching private key never touches the victim's systems; the operators hold it on infrastructure they control.
Without that private key the files cannot be decrypted, which is the leverage behind the ransom demand. At the time of writing there is no tool that recovers files encrypted by current Dharma versions. The only reliable recovery path is to restore the files or systems from a backup the attackers could not reach.
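The toy model below is an added illustration of that key relationship, not Dharma's code: a per-file symmetric key, wrapped with the attacker's public key, with the private key kept off the machine. The RSA parameters are deliberately tiny textbook values and the "cipher" is a SHA-256 counter keystream, chosen so the example runs with the standard library alone; real samples use proper AES and RSA, and nothing here is cryptographically safe.

```python
"""Toy model of a ransomware key scheme, added to this article as an
illustration (not Dharma's code). Each file gets its own symmetric key;
that key is wrapped with the attacker's public key, and only the attacker's
private key, held off the victim's machine, can unwrap it.
Toy parameters: 40-bit textbook RSA and a SHA-256 keystream. Real Dharma
samples use proper AES and RSA; nothing here is cryptographically safe."""
import hashlib
import secrets

# Constructed toy RSA key pair: two small primes, no padding. Illustration only.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent; stays on the attacker's server
ATTACKER_PUBLIC_KEY = (N, E)       # shipped inside the malware
ATTACKER_PRIVATE_KEY = (N, D)      # never present on the victim's machine


def keystream_xor(key: int, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream derived from key.
    Symmetric: the same call encrypts and decrypts."""
    key_bytes = key.to_bytes(8, "big")
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key_bytes + offset.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_content(plaintext: bytes, public_key=ATTACKER_PUBLIC_KEY, file_key=None):
    """What the malware does per file: fresh symmetric key, encrypt the
    content, wrap the key with the attacker's public key. Returns what is
    left on disk: (ciphertext, wrapped_key). file_key can be fixed for tests."""
    n, e = public_key
    if file_key is None:
        file_key = secrets.randbelow(n - 2) + 2      # per-file symmetric key
    ciphertext = keystream_xor(file_key, plaintext)
    wrapped_key = pow(file_key, e, n)                 # only (n, d) can undo this
    return ciphertext, wrapped_key


def decrypt_content(ciphertext: bytes, wrapped_key: int, private_key) -> bytes:
    """What the operators' decryptor does: unwrap the file key with the
    private key, then strip the keystream."""
    n, d = private_key
    file_key = pow(wrapped_key, d, n)
    return keystream_xor(file_key, ciphertext)


def victim_recovery_attempt(ciphertext: bytes, wrapped_key: int) -> bytes:
    """Everything the victim has: the ciphertext, the wrapped key and the
    public key embedded in the sample. Applying the public exponent to the
    wrapped key is the only 'key' a victim can compute, and it is the wrong
    one, so the result is garbage rather than the original file."""
    n, e = ATTACKER_PUBLIC_KEY
    guessed_key = pow(wrapped_key, e, n)
    return keystream_xor(guessed_key, ciphertext)


if __name__ == "__main__":
    original = b"Quarterly figures: revenue 1.2M, costs 0.9M"   # constructed content
    ct, wk = encrypt_content(original)
    print("on disk after infection :", ct.hex()[:32], "... wrapped key", wk)
    print("victim's best attempt   :", victim_recovery_attempt(ct, wk)[:16])
    print("with operators' key     :", decrypt_content(ct, wk, ATTACKER_PRIVATE_KEY))
```

The point of the model is the asymmetry the article describes: removing the malware, reverse engineering the sample, or finding the wrapped key on disk all leave the victim with the same two artefacts (ciphertext and wrapped key), neither of which is useful without the private exponent. With a 40-bit modulus you could factor N in seconds; with the 1024-bit or larger keys real operators use, you cannot, which is why backups are the only dependable recovery path.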
Costs Associated with Dharma Attacks
Although the promise of decryption is alluring, paying the ransom is never recommended: operators frequently fail to deliver a working decryptor once the money arrives. Dharma operators have typically demanded roughly one bitcoin per infected computer to lift the encryption, and larger organisations are usually asked for far more.
Methods of Distribution
Dharma spreads through spam emails carrying malicious attachments. The attachments use double file extensions, a well-known trait of this family: under default Windows settings Explorer hides the final known extension, so a name ending in .pdf.exe is displayed as a PDF and the attachment looks non-executable when it is not. Dharma is also occasionally bundled into installers for legitimate software; attackers offer downloads that appear to be genuine, harmless installers for popular applications.
Dharma is also installed by hand. Operators brute-force Remote Desktop Protocol (RDP) logins on systems that expose TCP port 3389 to the internet, then run the ransomware themselves once they are in. RDP remains the primary infection vector: credentials for exposed RDP services are often weak, reused, or already circulating online from earlier breaches, which is what makes the approach effective.
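The RDP brute-force pattern above is detectable in Windows Security logs long before any file is encrypted. The sketch below is an added example, not tooling from the article: it looks for a burst of failed remote-interactive logons (event 4625, logon type 10) from one source address, then for a successful logon (event 4624) from the same address afterwards. The log lines are constructed in a simple CSV layout; a real export from Get-WinEvent or a SIEM uses different field names, so `parse_line` is the part to adapt.

```python
"""Detection sketch added to this article (not Dharma-specific tooling):
spot RDP brute forcing in Windows Security log data. The log lines below
are constructed for the example in a simple CSV layout
(timestamp,EventID,LogonType,SourceIP,Account); a real export from
Get-WinEvent or a SIEM will have different field names, so adapt parse_line."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event IDs and logon types used below:
#   4625 = failed logon, 4624 = successful logon
#   LogonType 10 = RemoteInteractive (RDP / Terminal Services)
FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624
RDP_LOGON_TYPE = 10

# Constructed sample: one address hammering RDP, one legitimate user with
# two typos, one local (non-RDP) failure, and one clean remote logon.
SAMPLE_LOG = """\
2022-02-20 03:14:01,4625,10,203.0.113.7,Administrator
2022-02-20 03:14:09,4625,10,203.0.113.7,admin
2022-02-20 03:14:17,4625,10,203.0.113.7,Administrator
2022-02-20 03:14:20,4625,10,198.51.100.5,jsmith
2022-02-20 03:14:25,4625,10,203.0.113.7,backup
2022-02-20 03:14:33,4625,10,203.0.113.7,Administrator
2022-02-20 03:14:41,4625,10,203.0.113.7,Administrator
2022-02-20 03:15:02,4625,2,-,jsmith
2022-02-20 03:15:10,4624,10,203.0.113.7,Administrator
2022-02-20 03:15:30,4624,10,192.0.2.10,jsmith
2022-02-20 03:16:00,4625,10,198.51.100.5,jsmith
""".splitlines()


def parse_line(line):
    """Split one constructed CSV record into typed fields."""
    ts, event_id, logon_type, src_ip, account = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "src_ip": src_ip,
        "account": account,
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=2)):
    """Return alerts as (kind, source_ip, timestamp, detail) tuples.

    'brute_force': a source IP produced >= threshold RDP logon failures
    within the sliding window. 'success_after_failures': the same IP later
    achieved an RDP logon, the pattern behind hands-on Dharma deployments.
    """
    recent_failures = defaultdict(deque)   # src_ip -> failure timestamps in window
    flagged = set()
    alerts = []
    for ev in map(parse_line, lines):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                        # only remote-interactive logons matter here
        ip = ev["src_ip"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent_failures[ip]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()                 # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, ev["ts"], len(q)))
        elif ev["event_id"] == SUCCESSFUL_LOGON and ip in flagged:
            alerts.append(("success_after_failures", ip, ev["ts"], ev["account"]))
    return alerts


if __name__ == "__main__":
    for kind, ip, ts, detail in detect_rdp_bruteforce(SAMPLE_LOG):
        print(f"{ts} {kind:24} {ip:15} {detail}")
```

The second alert type is the one to page on: a successful RDP logon from an address that was just guessing passwords is the moment an operator gets hands-on access, and with Dharma that is typically followed by backup deletion and encryption within the same session. Tune `threshold` and `window` to your environment; an exposed server will see far more background noise than an internal one.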
Staying Safe from Dharma Ransomware
The newest Dharma (CrySis) versions have no public decryption tool. Paying is not a way around that: a purchased decryptor may never arrive or may not work, so victims cannot count on recovering their files either way. In these situations prevention beats the cure.
To help ensure your safety online, follow these anti-ransomware security methods:
- Always keep backups in multiple locations away from the machine itself, such as an external drive that is disconnected when not in use or cloud storage with versioning. A backup that stays mounted during an attack is encrypted along with everything else.
- Keep all software updated to the latest versions. Malware and ransomware routinely exploit outdated programs and applications.
- Use strong, unique passwords, and enable multi-factor authentication where it is offered. Dharma operators brute-force RDP logins to gain access and run the malicious file, so strong credentials, and not exposing RDP directly to the internet, close off that entry point. This applies to personal and professional accounts alike.
- Never open spam emails or download attachments, files or links from unknown senders. Verify that a message really comes from the account it claims to before acting on it; phishing attempts imitate legitimate senders.
- Use multiple security layers against common ransomware strains. Antivirus is an effective first line of defence; add anti-malware tooling with behavioural analysis, which can catch mass-encryption activity that signature scanning misses, and run an ad blocker in every browser.
- Education is an essential component of online safety. New malware families keep appearing, so staying current on both defensive techniques and criminal tactics is part of staying safe.
- If a device is infected with ransomware, Dharma or otherwise, copy the encrypted files to a separate device before attempting any decryption. If a decryption tool or the key becomes available later, you can restore from those copies instead of paying criminals for nothing.
- Never pay the ransom. Payments fund the criminal organisations behind these attacks, and there is no guarantee that paying unlocks the files, particularly with newer versions for which no decryptor exists. Victims routinely pay expecting to regain access, only to see the criminals take the money and disappear.
Ransomware is a Problem for Everyone
Ransomware is a problem for individuals and businesses alike. Trustworthy anti-ransomware software helps keep a system out of harm's way, and for most malware prevention is far more straightforward than dealing with encrypted critical files after the fact. Keeping the operating system current closes known vulnerabilities and entry points, and browser-related components such as Adobe products and Java should be kept up to date, or removed if they are not needed, for the same reason.
Avoid installing extra toolbars or add-ons; they increase exposure to adware and malware and can leave a network vulnerable to attack. Check your inboxes regularly for phishing attempts and malicious attachments, never open or download an attachment from a sender you do not recognise, and keep backups of all files on an external source so that they survive an attack.