What Is Dharma Ransomware and How to Remove It [Guide]

What Is Dharma Ransomware and How to Protect Your Business from It

Dharma / CrySIS is a widely distributed type of crypto ransomware. This ransomware is a descendant of the cezar family and the main variants circulating today arrived in the wild in 2016.

Some of the early variants were broken by Kaspersky and ESET, and a free decryptor was published. Unfortunately, new variants of Dharma ransomware are not currently decryptable, as the malware code has continued to evolve and gain broad distribution.

What Are the Common Attack Vectors for Dharma Ransomware

The top attack vector for Dharma ransomware is via Remote Desktop Protocol ports or RDP. RDP a port that is commonly used for employees or services providers to access a network remotely. RDP access sidesteps endpoint protection, making lateral proliferation between endpoints, partitioned networks, and backup systems much easier to accomplish.

Attackers can breach RDP via a few different methods:

  • By using port scanning via websites like Shodan and then subsequently brute-forcing RDP sessions until credentials are compromised.

  • Purchasing and using brute-forced credentials for sale on sites like XDedic.

  • Phishing an employee of the company to gain access and control of their machine. Then using that access to brute-force RDP access from inside the network.

There are tens of thousands of corporate RDP credentials available for sale for as little as $3 on dark web marketplaces. The wide availability of hacked RDP credentials is a low-hanging fruit for cybercriminals looking to launch ransomware attacks.

While plenty of large organizations continue to leave this vector unsecured, smaller companies are equally complacent. Most assume they are too small to be targeted and don’t appreciate just how easily targeted they are. Many also lack the resources, people or knowledge of how to properly secure access.

How Does Dharma Ransomware Encrypt Files

Dharma encrypts files using an AES 256 algorithm. The AES key is also encrypted with an RSA 1024. This encrypted AES key is stored at the end of the encrypted file.

The encryption process typically starts with mapped drives before moving onto the root of the OS drive, while also deleting the volume shadow copies. The encrypted files will have an id-[alpha-numeric ID #].[[email protected]].[dharma variant file extension].

The alpha-numeric ID number is used to identify the system, sort of like an index sticky note the hacker uses to remember the machines that were encrypted.

Recent Dharma ransomware file extensions include:

.BIP .combo .gamma .arrow .betta .vanss .audit .adobe .fire .bear .back .cccmn .tron .like .gdb .myjob .risk .santa .brrr

A ransom notice in the form of a .HTA file is left prominently on the encrypted machine so that the victim can find it. Below is an example of what a Dharma Ransom note looks like

How Does Paying for a Decryption Key Work

Recovering from Dharma Ransomware by engaging and/or paying the hackers is a complicated process. Language and time barriers create complexity for victims that must communicate directly with the hackers.

Additionally, the decryptor tool is very complicated and nuanced to operate. As Dharma has gotten more broadly distributed, more and more cyber criminal groups have been distributing it. These groups are less sophisticated and do not communicate well, further complicating recovery.

How Do I Protect My Business from Dharma Ransomware?

Brute forcing remote desktop services remains the top attack vector for Dharma Ransomware. To protect yourself from attack, you must ensure that these services are secure.

Popular ways to secure RDP include:

  • Two-factor authentication (2FA): The vast majority of corporate ransomware attacks could be thwarted by enabling two-factor authentication on remote sessions and all remotely-accessible accounts.

  • Limit access: Limit access by putting RDP behind a firewall, using a VPN to access it, changing the default port, and/or allowing access by a select whitelist of IP ranges can help mitigate the risk of compromise. Also, consider lockout provisions to cut off brute force attempts.

  • Endpoint & alternative solutions: Today’s endpoint solutions can detect anomalies in network usage (such as an in-office workstation attempting an RDP session) and stop them before damage is done.

Besides protecting your business from attack, it is critical to have adequate backups and a thorough Disaster Recovery (DR) & Incident Response (IR) plans.

Should RDP configurations become compromised, it’s critical your DR and IR plans are codified and up to date. Backup systems should have up-to-date versions of all data accessible on-premises, in the cloud and on systems located separately from the corporate network.

Access to these backups should be properly partitioned and only accessible by a select group of security administrators, and access to administer them protected by 2FA. IR firms should be kept on retainer to minimize costs and time to recover in the event of a breach.

Average Dharma Ransomware Downtime and Cost

On average, data recovery rates for Dharma ransomware are high. The logistics of running the decryption tool after a ransom payment is made are time-consuming though, and contribute to higher than normal recovery times.

Recently, Dharma has been getting more broadly distributed to less sophisticated cyber criminals, and we expect the result of this will be data recovery rates that fall over time. The ability to forecast the outcome of a case based on the persona of the hacker and type of ransomware is extremely important, and we encourage any victim to contact us so that we may assess your individual case.

*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at:

Avatar photo

Bill Siegel

Bill Siegel is the CEO and Co-founder of Coveware, a ransomware incident response firm. Before founding Coveware, Bill Siegel was the CFO of SecurityScorecard, a NY based cyber security ratings company. Prior to SecurityScorecard, Bill was the CEO of Secondmarket, and served as the Head of NASDAQ Private Market following Nasdaq’s acquisition of SecondMarket in 2015.

bill-siegel has 72 posts and counting.See all posts by bill-siegel