Dharma Ransomware (Analysis and Recovery Options)
This page details everything you need to know about Dharma ransomware. If you have been hit by Dharma ransomware and need help recovering your data, we're here to help.
What is Dharma ransomware?
Dharma ransomware (also known as CrySiS) is a Ransomware-as-a-Service (RaaS) variant that primarily targets small businesses through unsecured RDP ports.
First detected in 2016, Dharma ransomware operates on a mass market, service-based mode of operation. While the first version of Dharma ceased operations sometime in 2017 and publicly released the decryption keys, the second version of Dharma is back with a vengeance.
Dharma ransomware is an example of the new wave of ransomware operators working under a syndicated business model.
Entry-level cyber criminals can pay to use the standard toolkit for the Dharma RaaS, deploying the attack themselves with the technical support from the Dharma RaaS providers. Other threat actors support the attackers by providing tools to assist with successful RDP exploits.
Dharma ransomware Indicators of Compromise (IoC)
There are several Dharma ransomware Indicators of Compromise (IoC) that signal the malware is present on a victim computer.
Dharma Encrypted Files
If your data has been encrypted by Dharma ransomware, you will notice a different extension attached to each file.
The ransomware generally renames encrypted files per the diagram below.
You may notice that each system or file share on your network has a different ID. The threat actors may use the number of IDs as one factor in determining the ransom cost.
Dharma Ransom Note
The common Dharma ransom note is a .TXT file which may be located in every folder on your infected computer/server or only on the desktop.
Here are some examples of previous Dharma ransom note names:
- FILES ENCRYPTED.txt
The Dharma ransom note provides the victim with instructions on what to do next if they want their files decrypted. Most Dharma ransom notes are very short and include 1 or 2 email addresses for contacting the threat actor.
You may also find that the background of the infected system is different. This is called a ransomware splash screen. With Dharma, it is likely that there is a startup process to open the Info.hta file each time you restart the computer or server.
If you are looking to have your data recovered, it is important to not delete the Dharma ransomware note as this information will be used during the ransomware recovery process.
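As an added example (not from the page or Proven Data's own tooling), the Python script below walks a directory tree and summarises the indicators described above: how many files are encrypted, the distinct IDs (one per system or share), the contact e-mail embedded in the file names, and any ransom notes found. It assumes the widely documented Dharma naming pattern `<name>.id-<8 hex>.[<email>].<ext>`, since the page's diagram is not reproduced here; the sample tree it builds is constructed data.

```python
"""Triage a directory tree for Dharma-style indicators (added example).

Assumes the commonly observed Dharma/CrySiS file-name pattern
<name>.id-<8 hex>.[<email>].<ext>; the regex and sample tree are constructed.
"""
import os
import re
import tempfile
from collections import Counter

# Assumed Dharma naming pattern (hypothetical; adjust to the observed pattern).
ENCRYPTED_RE = re.compile(
    r"\.id-(?P<id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# Ransom note names the page lists.
RANSOM_NOTES = {"FILES ENCRYPTED.txt", "Info.hta"}


def triage(root):
    """Return a summary dict of Dharma indicators found under `root`."""
    ids, exts, emails, notes = Counter(), Counter(), set(), []
    encrypted = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name in RANSOM_NOTES:            # keep the note, never delete it
                notes.append(os.path.join(dirpath, name))
                continue
            m = ENCRYPTED_RE.search(name)
            if m:
                encrypted += 1
                ids[m["id"].upper()] += 1       # one ID per system or share
                emails.add(m["email"])
                exts[m["ext"]] += 1             # appended extension(s) seen
    return {"encrypted_files": encrypted, "ids": dict(ids),
            "emails": sorted(emails), "extensions": dict(exts),
            "ransom_notes": sorted(notes)}


def demo():
    """Build a constructed sample tree in a temp dir and triage it."""
    root = tempfile.mkdtemp()
    sample = [                                   # constructed, not real data
        "docs/report.docx.id-1A2B3C4D.[contact@example.com].locked",
        "docs/budget.xlsx.id-1A2B3C4D.[contact@example.com].locked",
        "share/backup.vhdx.id-9F8E7D6C.[contact@example.com].locked",
        "docs/FILES ENCRYPTED.txt",
        "docs/readme.md",                        # untouched file
    ]
    for rel in sample:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return triage(root)
```

Running `demo()` on the constructed tree reports 3 encrypted files under two IDs, which is the count the page says the actors may factor into the ransom.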
How to stop Dharma ransomware
You can stop Dharma ransomware from spreading by isolating the infected devices from the rest of your network. Disconnecting the device will help stop the ransomware from encrypting files on other devices.
Once devices are isolated, you can start scanning with antivirus software to remove the malware and any potential back doors that have been left behind.
How much does Dharma ransomware recovery cost?
There are several factors that may influence the total cost of recovering files encrypted by the Dharma ransomware.
- Assessment fee
- Number of encrypted systems
- Selected priority of service
- Ransom demand amount
How much do Dharma ransom demands cost?
Our data from Q4 of 2020 concludes that the initial average Dharma ransomware demand is $42,900.
This ransom is lower than the overall average ransom demand, partly because of the small size of the organizations Dharma targets.
The graph below shows the comparison between the average initial ransom demand of Dharma ransomware and other common variants.
Proven Data is experienced in helping to negotiate a lower ransom demand from Dharma operators. Based on our internal data, it is likely that the Dharma operators set their ransom demands according to the size and type of the victim's organization.
Knowing what to expect in ransomware recovery costs will help you make informed decisions when recovering your data.
How to decrypt Dharma ransomware
If your files have been locked by Dharma ransomware, you are probably trying to find out which ransomware recovery options are available to decrypt your data.
Unlock Dharma encrypted files
Dharma encrypts files with AES-256 and protects the AES key with RSA-1024 asymmetric encryption, which makes brute-forcing the keys computationally infeasible. Additionally, there are currently no known flaws in the malware's implementation that can be used for data restoration efforts.
This leaves victims of Dharma with the only option of considering paying the ransom to obtain the decryption key and unlock their files.
Victims of Dharma who do not wish to pay the ransom can restore their data with a different method of ransomware recovery.
As with many ransomware variants, we may be able to assist with restoring certain file types without paying the ransom. To find out more information, you can reach out to a Proven Data representative.
Dharma Decrypter Instructions
The Dharma decrypter is more complicated to use compared to other ransomware decrypters, given that it requires additional steps to decrypt your files.
Here are the steps to run the Dharma decrypter tool:
1. Ensure the decrypter does not contain malicious code (a ransomware recovery company should be able to help you with this).
2. Disable anti-virus software on the machine you will be running the tool from. This includes Microsoft Defender.
3. The tool provided by the threat actors is a scanning tool. Connect all the encrypted files to the system you are going to be running the scanner tool from. This includes mapping network shares and attaching external hard drives. This step is critical to ensure the scanning tool picks up all the public keys in the files you want decrypted.
4. Right-click the decryption executable file and run it as administrator.
5. A dialog box will pop up. Click ‘Scan PC’ to begin the scan.
6. The scan will start picking up encrypted files and also count the number of public keys it finds.
7. When the scan is finished the output file on the screen is your public key.
8. Save the key as a text file to a location of your choosing by clicking the ‘Save to File’ button and naming the file.
9. Email the text file with the public key back to the threat actor.
10. If they honor the agreement, they will send you back the private key needed to unlock your files. Copy the key to a safe place.
11. Open the same scanning tool again as an administrator on the system you scanned from.
12. For the decryption method, you have two options:
- Decrypt all: decrypts all drive letters accessible from the system. To decrypt all, click the ‘Decrypt’ button in the main window.
- Decrypt folder: decrypts only a folder of your choosing. To decrypt only a folder, click the ‘…’ button in the main window and navigate to the folder you want to decrypt.
13. Paste the private key into the text box or use the ‘Load from file’ option to use a text file to load the private key. When copying, make sure you don’t copy any spaces as this could influence the process.
14. The default options are ‘Delete encrypted files after decryption’ and ‘Overwrite existing files’. If you haven’t made a backup of the encrypted files and have enough space on the system you are decrypting, it is recommended to uncheck ‘Delete encrypted files after decryption’.
15. Click ‘Ok’ to start decrypting.
16. If the correct key was input, you will notice the decrypted file count is increasing.
17. When the process is finished, a dialog box will pop up indicating the decryption is complete and it also tells you how many files were decrypted.
This Dharma decryption tool and private key is only available if the victim chooses to pay the ransom as a method to unlock their encrypted files.
How long does it take to recover from a Dharma ransomware attack?
There are several factors that contribute to the time it takes to recover from a Dharma attack. These include:
- Cleaning the environment from malware
- Securing vulnerabilities
- Negotiation time
- Compliance checks & making the ransom payment
- Scanning for the public key
- Decrypting the data
- Size of the network
- Number of files, file sizes & types
- Backing up and verifying the data
What attack vectors did Dharma ransomware use?
Dharma ransomware primarily exploits unsecured RDP ports through brute force and dictionary attacks or by purchasing stolen credentials online through the dark web.
In addition, phishing emails containing malicious links or attachments have been used as an attack vector.
The Dharma ransomware virus is also capable of disguising itself as an antivirus installation to evade detection.
Does Dharma ransomware steal data?
Based on our internal forensic investigations and additional research, there is no evidence that Dharma ransomware attacks steal data while the threat actors are on the victim network.
However, since ransomware threat actors are constantly changing tactics, it is still critical to conduct a forensic investigation.
Preserving evidence from Dharma ransomware
In order to determine what the attackers removed from your network, you will need a forensic investigation performed. If you are considering a forensic investigation, it is important to preserve the evidence as soon as possible.
Here are the steps to preserve the forensic evidence:
- Do not shut down the computer or server as this will erase some artifacts
- Create a forensically sound image and take it offline
- Download firewall, VPN, and remote software logs
- Document all information pertaining to the ransomware attack
Complete instructions on preserving ransomware evidence can be found as part of the ransomware forensics process.
Why choose Proven Data Dharma ransomware recovery?
Businesses that suffer downtime from a ransomware attack need a proven, time-tested solution to resume operations. That’s why we provide 24/7 access to staff who have significant experience recovering from the Dharma ransomware variant.
Our firm understanding of the Dharma ransomware from our vast experience guides you to make informed decisions for your business. Understanding the attack vectors, threat actor profile, and negotiation expectations are essential to fully recover from the attack.
To meet compliance needs, we adopted a sanctions compliance program to ensure we are making ransom payments on behalf of our clients responsibly. At the service’s conclusion, we provide you with an incident and compliance report that can be used for insurance or law enforcement reporting purposes.
If you are looking for a transparent experience from a professional ransomware incident response company to help you move past your unfortunate Dharma cyber incident, we are here to help.
Dharma Ransomware FAQ
For versions released after 2017, there are currently no publicly available Dharma ransomware decryption tools to help victims unlock their files.
If your files are encrypted by Dharma, you may have to recover your data by:
- Recreating the data from scratch
- Restoring from backups
- Paying the ransom
No, it is currently not possible to decrypt Dharma encrypted files without paying the ransom. However, there are some file types that can be repaired. You may ask a Proven Data representative about those file types.
Dharma ransomware tends to have a high success rate of data restoration after paying the ransom and going through the decryption process.
Compared to other types of ransomware, the steps required to successfully restore your data are a bit more complicated.
Here are some file types which may have problems decrypting, or could require further troubleshooting:
- VHDX/VHD images
Paying the ransom in exchange for the decryption key does not always guarantee that a functional decryption key will be delivered. However, using the threat intelligence we have gathered from previous Dharma ransomware cases, we can determine the threat actor’s past reputation and risk for data corruption to help you make informed decisions.
In 2020 our records indicate that Dharma delivered the decryption tool after the first ransom payment on 85.7% of cases. In the other 14.3%, the threat actors demanded a second payment after agreeing to an amount.