
Dharma 2017 Ransomware

By GoldSparrow in Ransomware

Threat Scorecard

Ranking: 6,045
Threat Level: 100 % (High)
Infected Computers: 26,271
First Seen: November 17, 2016
Last Seen: September 11, 2023
OS(es) Affected: Windows

The Dharma 2017 Ransomware seems to represent a new generation of threats in the Dharma family of ransomware, which has been responsible for numerous encryption ransomware Trojans in the last year. The Dharma 2017 Ransomware Trojans were released in mid-August 2017. The Dharma 2017 Ransomware is being delivered to victims through spam email messages and compromised websites, which use exploit kits like the RIG Exploit Kit to infect visitors' computers. The Dharma 2017 Ransomware is very similar to numerous other encryption ransomware Trojans released previously in the Dharma family and is likely to share most of the same code.

The Dharma 2017 Ransomware is an Updated Version of the Dharma Ransomware

There are various changes to the Dharma 2017 Ransomware from previous Dharma variants, however. The Dharma 2017 Ransomware has changed the way it connects to its Command and Control servers and how it carries out its attacks. Furthermore, the Dharma 2017 Ransomware has advanced obfuscation layers that prevent malware researchers from studying it in detail. The Dharma 2017 Ransomware attacks have been restricted to Europe, North America, and South America mostly. It is likely, however, that the Dharma 2017 Ransomware attacks will spread to other countries. For now, the bulk of the Dharma 2017 Ransomware activity is centered in the United States and the United Kingdom.

There are Various Versions of the Dharma Ransomware

There are several variants of the Dharma 2017 Ransomware. These variants are nearly identical but have very slight differences that lead PC security analysts to differentiate between them. The main characteristic by which the different strains of the Dharma 2017 Ransomware can be told apart is the file extension they use to mark the files compromised by the attack:

  • The Dharma 2017 Ransomware Type A adds the '.zzzzz' extension.
  • The Dharma 2017 Ransomware Type B adds the '.cezar' extension.
  • The Dharma 2017 Ransomware Type C adds the '.cesar' extension.

The above file extensions mark the three main strains of the Dharma 2017 Ransomware that are active currently. Each strain adds a different file extension to the end of the targeted file. Like most encryption ransomware Trojans, the Dharma 2017 Ransomware and its variants target the user-generated files on the victim's computer. Some of the file types that the Dharma 2017 Ransomware targets include audio, video, images, spreadsheets, Microsoft Office documents, databases, and numerous other user-generated files (generally avoiding the files that the Windows operating system relies on to function properly).

How Con Artists may Profit from the Dharma 2017 Ransomware and Similar Ransomware Attacks

After encrypting the victim's files, the Dharma 2017 Ransomware will deliver a ransom note to the victim. The Dharma 2017 Ransomware's ransom notes take the form of text and HTML files named 'README,' which instruct the victims about the attack and ask them to pay a large ransom through Bitcoins. Computer users must refrain from paying the Dharma 2017 Ransomware ransom. There are several reasons for this:

  1. The people responsible for attacks like the Dharma 2017 Ransomware rarely keep their word to provide the decryption key in exchange for the payment. These people are just as likely to ignore the victim or ask for more money after the payment has been made.
  2. Paying the Dharma 2017 Ransomware ransom allows con artists to continue creating and developing threats like the Dharma 2017 Ransomware, to carry out more attacks on innocent computers.
  3. Once the victims of the Dharma 2017 Ransomware attack demonstrate a willingness to pay, it is very likely that they will be targeted continually in future attacks.

Computer users should use file backups to ensure that they can recover their files quickly after a Dharma 2017 Ransomware infection. If the PC users can restore their files from a backup, then the people responsible for the Dharma 2017 Ransomware lose any power that allows them to demand a ransom payment.

Update November 5th, 2018 — '.adobe File Extension' Ransomware

The '.adobe File Extension' Ransomware is classified as a new variant of the Dharma 2017 Ransomware that emerged on November 5th, 2018. The '.adobe File Extension' Ransomware features small changes in the way the data is encrypted, uses new command servers, and adds a new file marker to the encrypted data containers. The '.adobe File Extension' Ransomware is spread among PC users via the old and proven tactic where emails carry macro-enabled documents that install the '.adobe File Extension' Ransomware in the system background. As the name suggests, the most notable modification in this cyber-threat's behavior is the inclusion of the '.adobe' marker. Earlier releases include the 'java File Extension' Ransomware and the '.bip File Extension' Ransomware. Computer security researchers reported that the '.adobe File Extension' Ransomware removes the System Restore points and the Shadow Volume snapshots and encrypts data securely. There may be no way to recuperate your data without using backup copies or being provided with a decryptor from the threat creators. The '.adobe File Extension' Ransomware Trojan is configured to offer decryption services via the 'badbusiness@tutanota.de' email account. For example, the encrypted version of 'Ottawa.jpeg' is renamed to 'Ottawa.jpeg.id-1XS9TF24.[badbusiness@tutanota.de].adobe' and appears as a generic white icon. We recommend that users avoid negotiations with the Dharma developers and use backups instead. The Dharma Ransomware is operated as a business platform that enables many threat actors to push slightly altered versions of the main Dharma malware. PC users should expect to see new variants of the Trojan in the future. You need to install a good backup manager to protect your data.
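The naming scheme described above (an optional '.id-<ID>' tag, the contact address in square brackets, then the variant's own extension) and the extension-only markers of the three original strains are the quickest way for an incident responder to tell which Dharma 2017 variant touched a file share. The script below is an added example, not code from the page or from the malware: it parses both marker styles, labels the variant, tallies contact addresses across a set of names, and can walk a directory. The variant labels, the regular expression, the function names and the sample names (built from the renamed files this page quotes, plus a clean one) are all constructed for the example; the later updates on this page ('.tron', '.war', '.combo', '.risk', '.bkpx') follow the same pattern and are handled by the same code.

```python
"""Scan file names for Dharma 2017-style encryption markers.

Added example (not code from the page or from the malware). Recognises the
extension-only markers ('.zzzzz', '.cezar', '.cesar', '.combo') and the full
'<name>.id-<ID>.[<email>].<ext>' / '<name>.[<email>].<ext>' scheme.
"""
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Extension-only markers named on the page, mapped to the strain that uses them
# (the label text is ours).
EXTENSION_ONLY: Dict[str, str] = {
    ".zzzzz": "Dharma 2017 Type A",
    ".cezar": "Dharma 2017 Type B",
    ".cesar": "Dharma 2017 Type C",
    ".combo": "skynet45@tutanota.com variant",
}

# Full marker: optional '.id-<ID>' (the ID may be empty, as in '.id-.[...]'),
# then '.[<contact email>]', then the variant's extension at the very end.
# The '@' requirement keeps ordinary names like 'notes.[draft].txt' unflagged.
MARKER_RE = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.id-(?P<victim_id>[0-9A-Za-z]*))?"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass
class Marker:
    original_name: str           # file name before the marker was appended
    victim_id: Optional[str]     # per-victim ID, when the variant writes one
    contact_email: Optional[str]
    extension: str               # final extension, lower-cased, with leading dot
    variant: str                 # label from EXTENSION_ONLY, else built from the marker


def parse_marker(filename: str) -> Optional[Marker]:
    """Return a Marker if `filename` carries a Dharma-style marker, else None."""
    m = MARKER_RE.match(filename)
    if m:
        ext = "." + m.group("ext").lower()
        email = m.group("email")
        variant = EXTENSION_ONLY.get(ext, f"'{ext}' marker, contact {email}")
        return Marker(m.group("original"), m.group("victim_id") or None,
                      email, ext, variant)
    lowered = filename.lower()
    for ext, variant in EXTENSION_ONLY.items():
        if lowered.endswith(ext) and len(filename) > len(ext):
            return Marker(filename[: -len(ext)], None, None, ext, variant)
    return None


def summarize(filenames: Iterable[str]) -> Dict[str, object]:
    """Count marked files and tally contact addresses and extensions seen."""
    contacts: Counter = Counter()
    extensions: Counter = Counter()
    marked = 0
    for name in filenames:
        marker = parse_marker(name)
        if marker is None:
            continue
        marked += 1
        extensions[marker.extension] += 1
        if marker.contact_email:
            contacts[marker.contact_email] += 1
    return {"files_marked": marked, "contacts": dict(contacts),
            "extensions": dict(extensions)}


def scan_directory(root: str) -> List[Tuple[str, Marker]]:
    """Walk `root` and return (path, Marker) for every file carrying a marker."""
    hits: List[Tuple[str, Marker]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            marker = parse_marker(name)
            if marker is not None:
                hits.append((os.path.join(dirpath, name), marker))
    return hits


# Constructed sample names, built from the renamed files this page quotes.
SAMPLE_NAMES = [
    "Ottawa.jpeg.id-1XS9TF24.[badbusiness@tutanota.de].adobe",
    "Darwin's Bark Spider.png.id-01BR7KN9.[xtron@cockli].tron",
    "YIN AND YANG.jpeg.[cyberwars@qq.com].war",
    "Eichbaum Pilsener.docx.combo",
    "quarterly-report.xlsx",   # clean file, must not be flagged
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, "->", parse_marker(name))
    print(summarize(SAMPLE_NAMES))
```

Running `scan_directory` over a mounted image of an affected share gives the responder a per-extension and per-address count in one pass, which is usually enough to match the incident to one of the variants listed in the updates below without opening a single ransom note.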

Update November 6th, 2018 — '.tron File Extension' Ransomware

The '.tron File Extension' Ransomware belongs to the Dharma 2017 Ransomware family of cyber-threats. Home PC users reported inaccessible data with the '.tron' extension on November 6th, 2018, and that is when the '.tron File Extension' Ransomware was added to AV databases. The research into these cases revealed that users were compromised by a new variant of Dharma, which was dropped by a new Trojan dropper that had not been associated with the Dharma 2017 Ransomware in the past. The new Trojan dropper component is written in .NET and is very small. You may be familiar with the .NET Framework that comes with the Windows OS and allows programs to use resources from Microsoft to execute various tasks. The same resources are exploited by the '.tron File Extension' Ransomware to compromise targeted data and avoid detection by AV engines. The new variant of Dharma is named after the most obvious trait that infected users are likely to notice. The file cryptor at hand appends the string '.id-.[xtron@cockli].tron' to the filenames, so something like 'Darwin's Bark Spider.png' might be renamed to 'Darwin's Bark Spider.png.id-01BR7KN9.[xtron@cockli].tron.' The ransom note is the same as in earlier variants of Dharma, but the threat authors use new command servers and the 'xtron@cockli' email address. The '.tron File Extension' Ransomware may be distributed by emails and free games from unreliable sites. AV companies use the following detection names for the '.tron File Extension' Ransomware:

Artemis!9F3EA1850F9D
Gen:Variant.Ransom.Crysis.67
HEUR:Trojan.MSIL.Inject.gen
Ransom_CRYSIS.THAAOGAH
TR/Inject.gczsb
Trojan.MSIL.Inject.4!c
Trojan.Win32.Z.Razy.1093632.H
Trojan:Win32/Occamy.B
W32/Trojan.ZDIW-6475
a variant of MSIL/Packed.Babel.I
malicious.986562
malicious_confidence_90% (W)

Update November 11th, 2018 — '.back File Extension' Ransomware

The '.back File Extension' Ransomware is a variant in the Dharma 2017 Ransomware family, which first appeared in August of 2017. Since its initial release, the Dharma 2017 Ransomware family has spawned numerous threats, which include the '.back File Extension' Ransomware, released on November 11, 2018. Threats like the '.back File Extension' Ransomware are distributed in a wide variety of ways, including the use of spam email tactics, exploit kits, and by taking advantage of vulnerabilities in the victims' computers.

Why the '.back File Extension' Ransomware Makes the User's Files Useless

The '.back File Extension' Ransomware, like other Dharma 2017 variants, will use a strong encryption algorithm to make the victim's files inaccessible. The '.back File Extension' Ransomware targets the user-generated files in these attacks, which may include files with the following file extensions:

.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.

After encrypting the victim's files, the '.back File Extension' Ransomware delivers a ransom note, often in the form of a TXT or HTML file, demanding a ransom payment. These ransom notes demand that the victim pays for the decryption key. Computer users should refrain from making these payments, which commonly expose the victim to additional tactics or enable the criminals to continue creating these threats and distributing them to additional victims.

The '.back File Extension' Ransomware Ransom Request

There are very slight differences between the '.back File Extension' Ransomware and its predecessors in the Dharma 2017 Ransomware family. It is likely that the '.back File Extension' Ransomware was created using a ransomware builder kit, which allows the criminals to create their own, custom versions of the Dharma 2017 Ransomware Trojan. The '.back File Extension' Ransomware can be recognized easily because, as its name implies, it will mark any files encrypted by the attack by adding the file extension '.back' to each affected file's name. The '.back File Extension' Ransomware also will replace the file's name with eight random characters and add its contact email address, back@decryption.cc, to the file's name. The '.back File Extension' Ransomware's ransom note is delivered in a text file named 'FILES ENCRYPTED.txt' that will be displayed on the affected computer's desktop.

Protecting Your Data from the '.back File Extension' Ransomware

The best protection from threats like the '.back File Extension' Ransomware is to have file backups stored on the cloud or an external device. Computer users also should use a strong security program to prevent the '.back File Extension' Ransomware from being installed in the first place. Monitoring and handling spam emails and online advertisements safely are also fundamental aspects of preventing the '.back File Extension' Ransomware attacks.

Update November 28th, 2018 — 'cyberwars@qq.com' Ransomware

The 'cyberwars@qq.com' Ransomware is a working name that researchers use to denote a new variant of the Dharma 2017 Ransomware. The 'cyberwars@qq.com' Ransomware was reported on November 27th, 2018. The Trojan at hand is distributed via spam emails and appears to produce the same ransom note as the one used by the 'suppfirecrypt@qq.com' Ransomware and the '.myjob File Extension' Ransomware. The 'cyberwars@qq.com' Ransomware behaves as a standard crypto-threat and applies a custom AES-256 cipher to the targeted data on your local storage drives. The 'cyberwars@qq.com' Ransomware uses a unique encryption key to lock your content and sends the decryption key to its command servers via an encrypted connection. The 'cyberwars@qq.com' Ransomware is observed to rename the files by adding the '.[cyberwars@qq.com].war' extension. For example, 'YIN AND YANG.jpeg' is renamed to 'YIN AND YANG.jpeg.[cyberwars@qq.com].war.' The Trojan does not remove data from the infected computers, but your files are not accessible, and a ransom note will appear on the desktop. The ransom notification is provided as 'FILES ENCRYPTED.TXT' and reads:

'all your data has been locked us
You want to return?
write email cyberwars@qq.com'

At this time, there is no free decryptor available for the people affected by the 'cyberwars@qq.com' Ransomware and similar Dharma variants. You may be tempted to contact the threat actors via 'cyberwars@qq.com,' but you should attempt to restore your data first. Data backups, System Restore disks, emails, file hosting services, and backup DVDs can help you rebuild your files without succumbing to the ransomware operators. PC users should avoid spam emails that urge them to download a file and open it. Use a trusted anti-malware instrument to clean the infected devices.

Update November 30th, 2018 — 'parambingobam@cock.li' Ransomware

This update concerns several new variants of the Dharma 2017 Ransomware that surfaced on November 30th, 2018. The new variants of Dharma continue to be spread via spam emails and corrupted Microsoft Word documents. The update at hand includes information from several independent cybersecurity researchers who observed that the new variants share many similarities. The first variant to be discussed is the 'parambingobam@cock.li' Ransomware Trojan, which appends the '.[parambingobam@cock.li].adobe' extension to the filenames. The second variant is the 'mercarinotitia@qq.com' Ransomware, which appends the '[mercarinotitia@qq.com].adobe' extension and uses a different ransom note compared to the standard note we have come to expect from Dharma.

The 'parambingobam@cock.li' Ransomware is known to use the typical ransom note from Dharma-based threats, provide users with an identification string, and feature two emails for contact — 'parambingobam@cock.li' and 'bufytufylala@tuta.i.' The 'parambingobam@cock.li' Ransomware behaves like other Dharma-based threats and employs encryption not only to lock data but also to protect its transmissions to the command servers. On the other hand, the 'mercarinotitia@qq.com' Ransomware is built using code from the Crysis Ransomware, and its ransom note is entirely different. The reason the 'mercarinotitia@qq.com' Ransomware is included in this update is that it uses almost the same file marker — '[mercarinotitia@qq.com].adobe' — and most of the program is derived from Dharma. Both variants mentioned here rename the files the same way and encode the same range of data containers. Also, the System Restore points and the Shadow Volume snapshots are removed through a command line utility.

The ransom note used by the 'mercarinotitia@qq.com' Ransomware is the same we have seen with the 'paydecryption@qq.com' Ransomware and the '.cccmn File Extension' Ransomware:

'All your data has been locked us
you want to return?
write email mercarinotitia@qq.com'

Detection names for the 'parambingobam@cock.li' Ransomware include the following:

HEUR/QVM20.1.572F.Malware.Gen
Ransom-WW!801175D89E13
Ransom:Win32/Wadhrama.C
Trojan ( 00519f781 )
Trojan.Ransom.Crysis.E
Trojan.Win32.Ransom.94720.F
W32/Trojan.ILHO-9216
Win.Trojan.Dharma-6668198-0
Win32.Trojan-Ransom.VirusEncoder.A
malicious_confidence_100% (W)

Update November 30th, 2018 — 'audit@cock.li' Ransomware

This update concerns a new variant of the Dharma 2017 Ransomware that has been identified by a computer security researcher named Michael Gillespie. The 'audit@cock.li' Ransomware is identical to the Dharma 2017 variants listed above with only two notable differences. The 'audit@cock.li' Ransomware is programmed to write a new email account and a new file extension to the encrypted data. The cyber-threat at hand is known to attach the '.[audit@cock.li].risk' extension and overwrite the targeted data. Other features of the 'audit@cock.li' Ransomware that should be taken into consideration are that it deletes the Shadow Volume snapshots and the System Restore points. Hence, the infected PC users need data backups from third-party applications if they want to recover without funding the development of new Dharma 2017 variants. The 'audit@cock.li' Ransomware Trojan renames files like 'Advanced Reservoir Engineering.epub' to 'Advanced Reservoir Engineering.epub.[audit@cock.li].risk.' The ransom note is presented in two formats — an HTML file and a TXT file both featuring the name 'FILES ENCRYPTED.' The HTML version features the standard Dharma 2017 message while the other is an example of an updated version associated with hybrid threats based on the Dharma 2017 and the Crysis Ransomware. The new version of the 'FILES ENCRYPTED.txt' includes only three lines that read:

'all your data has been locked us
You want to return?
write email audit@cock.li'

There are no other significant updates to the Dharma 2017 Ransomware except for the frequent change of command and control servers. The threat distributors continue to rely primarily on spam emails and exploit kits. There is no way to recover the affected data without using backup services and pre-made System Recovery disks.
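Both this update and the 'parambingobam@cock.li' update above note that the variants delete the Shadow Volume snapshots and the System Restore points through a command line utility, which is the one behaviour of these Trojans that a host can flag before the encryption finishes. The detector below is an added example, not code from the page or from any vendor: it assumes the deletion is done with the usual Windows utilities (vssadmin, wmic, wbadmin; the page does not name the tool), runs over constructed, pipe-separated process-creation records rather than real telemetry, and raises the severity when the parent process runs from a user-writable location or an Office application, which is how a macro-dropped Dharma sample would look. Record layout, rule patterns and sample lines are all constructed for the example.

```python
"""Flag shadow-copy / restore-point deletion in process-creation telemetry.

Added example, not code from the page. Assumes the deletion is performed with
vssadmin, wmic or wbadmin (the page only says "a command line utility") and
reads constructed records of the form:
    timestamp|host|user|image path|command line|parent image path
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample records (not real logs). The first two mimic a dropped
# payload wiping snapshots; the third is a backup agent merely listing them;
# the fourth is a user opening a ransom note in Notepad.
SAMPLE_LOG = """\
2018-11-30T10:15:02Z|WS-017|CORP\\alice|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet|C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe
2018-11-30T10:15:03Z|WS-017|CORP\\alice|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic shadowcopy delete|C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe
2018-11-30T11:02:41Z|WS-004|CORP\\backupsvc|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows|C:\\Program Files\\BackupAgent\\agent.exe
2018-11-30T11:30:00Z|WS-009|CORP\\bob|C:\\Windows\\System32\\notepad.exe|notepad.exe "FILES ENCRYPTED.txt"|C:\\Windows\\explorer.exe
"""


@dataclass
class Alert:
    timestamp: str
    host: str
    user: str
    description: str
    severity: str        # "high" when the parent looks like a dropped payload, else "medium"
    command_line: str


# (image basename, command-line pattern, description) -- assumed detection content.
RULES = [
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b", re.I),
     "shadow copies deleted via vssadmin"),
    ("wmic.exe", re.compile(r"\bshadowcopy\s+delete\b", re.I),
     "shadow copies deleted via WMIC"),
    ("wbadmin.exe", re.compile(r"\bdelete\s+catalog\b", re.I),
     "backup catalog deleted via wbadmin"),
]

# Parents a legitimate administrator or backup agent would not normally have:
# binaries run from user-writable folders, or Office applications (macro droppers).
SUSPICIOUS_PARENT = re.compile(
    r"\\(Temp|AppData|Downloads)\\|\\(winword|excel|outlook)\.exe$", re.I)


def detect(log_text: str) -> List[Alert]:
    """Return one Alert per record whose image and command line match a rule."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 5)          # command line is the 5th field; parent is last
        if len(parts) != 6:
            continue                        # malformed record: skip rather than crash
        ts, host, user, image, cmdline, parent = parts
        image_name = image.rsplit("\\", 1)[-1].lower()
        for rule_image, pattern, description in RULES:
            if image_name == rule_image and pattern.search(cmdline):
                severity = "high" if SUSPICIOUS_PARENT.search(parent) else "medium"
                alerts.append(Alert(ts, host, user, description, severity, cmdline))
                break
    return alerts


def affected_hosts(alerts: List[Alert]) -> List[str]:
    """Hosts with at least one alert, in first-seen order, for triage."""
    seen: List[str] = []
    for a in alerts:
        if a.host not in seen:
            seen.append(a.host)
    return seen


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity}] {a.timestamp} {a.host} {a.user}: {a.description} ({a.command_line})")
    print("hosts to isolate:", affected_hosts(found))
```

The "medium" tier exists because snapshot deletion is also routine maintenance; only the parent-process context separates an administrator's console from a payload running out of a Temp folder, so the two records from WS-017 come out "high" while a deletion spawned by a service binary would be "medium".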

Update December 5th, 2018 — 'admin@decryption.biz' Ransomware

The 'admin@decryption.biz' Ransomware is a new variant of the Dharma 2017 Ransomware that appeared in the first week of December 2018. The 'admin@decryption.biz' Ransomware appears to be a rather rushed release based on the 'audit@cock.li' Ransomware, which used the '.risk' extension and the 'audit@cock.li' email address. The only major change in the 'admin@decryption.biz' Ransomware is that it appends the '.[Admin@decryption.biz].bkpx' extension. The 'admin@decryption.biz' Ransomware uses the same encryption method and drops the same message on the infected systems. Again, the only change in the note is that PC users are instructed to send an email to a new address. The threat locks access to images, audio, video, text, PDFs, eBooks and databases. Compromised devices remain operational, but your content can't be loaded by programs. For example, the video 'Mutant Year Zero.mp4' is renamed to 'Mutant Year Zero.mp4.[Admin@decryption.biz].bkpx' and can't be loaded by media players like VLC. The ransom note is reported to include the following text:

'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Admin@decryption.biz
Write this ID in the title of your message 1E857D00
In case of no answer in 24 hours write us to these e-mails:bigbro1@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment, we will send you the decryption tool that will decrypt all your files.'

The threat actors may receive a list of the encrypted files, and they may use the information to demand thousands of dollars if they suspect you have valuable and unprotected data on your machine. We recommend avoiding negotiations with the people behind the 'admin@decryption.biz' Ransomware as you might be tricked. The removal of the 'admin@decryption.biz' Ransomware is possible with the help of a credible anti-malware instrument. Detection names for the 'admin@decryption.biz' Ransomware Trojan include:

BehavesLike.Win32.Generic.bc
HEUR:Backdoor.MSIL.Androm.gen
ML.Attribute.HighConfidence
Trojan ( 00542f0b1 )
Trojan.Generic.D26ECAC3
Trojan.GenericKD.40815299
Win32/Backdoor.9cf
Win32:MalwareX-gen [Trj]
malware (ai score=89)

Update December 14th, 2018 — 'skynet45@tutanota.com' Ransomware

The 'skynet45@tutanota.com' Ransomware is a variant of the Dharma 2017 Ransomware that was reported on December 14th, 2018 by computer security researchers. The 'skynet45@tutanota.com' Ransomware is not an upgrade of the existing harmful code. The 'skynet45@tutanota.com' Ransomware is a modified Dharma copy that is tailored to the needs of the distributor associated with the program. As mentioned above, the Dharma project is operated like a business where developers maintain the core program and backend servers. The Dharma platform is open to other threat actors who are experienced in malware distribution and are interested in making an easy profit. The 'skynet45@tutanota.com' Ransomware is produced with a Dharma Ransomware builder and pushed to users primarily via spam emails, fake advertisements, cracked shareware and pirated games.

The 'skynet45@tutanota.com' Ransomware variant is reported to encipher standard data types like audio, video, databases, presentations, simple text, spreadsheets, images, eBooks and PDFs. The 'skynet45@tutanota.com' Ransomware is observed to attach the '.combo' extension to rename the files. For example, 'Eichbaum Pilsener.docx' is renamed to 'Eichbaum Pilsener.docx.combo.' Two standard ransom notes titled 'FILES ENCRYPTED.txt' and 'skynet45@tutanota.com.hta' are delivered to the user's desktop, and both refer users to the 'skynet45@tutanota.com' and the 'skynet45@cock.li' email accounts for available decryption services. Affected PC users should use data backups, emails and file hosting services to rebuild their files and avoid making payments to the cybercriminals. You should be able to remove the 'skynet45@tutanota.com' Ransomware using an up-to-date security instrument.


File System Details

Dharma 2017 Ransomware may create the following file(s):
 #    File name     MD5                               Detections
 1.   Info.hta      ce5451a17a72300ed0f75e3d8de29708  36
 2.   Info.hta      58a93aa9dcbd009d4069b65c54bcd80f  35
 3.   Info.hta      bdc3fca6533c4b1bccc953e7b02137d4  33
 4.   Info.hta      53e186e8ec9c89845580515b57f42645  31
 5.   Info.hta      0d4f31aed025f9bb79b93cc87160438e  31
 6.   Info.hta      052913d7a6a09437d38d00d747887966  27
 7.   Info.hta      82677bdaa1ffd8b2711deaf20e901e12  19
 8.   Info.hta      8a220990e2b0777f21bd4f67e7579196  17
 9.   Info.hta      bca4f4c05300a60d4f8ce9822ae252bb  17
 10.  Info.hta      940ce88a73a6a09056ef8485adf9a251  17
 11.  Info.hta      9b8ff0f3c4a29d9f7e469df6ed26e876  16
 12.  Info.hta      afe42573db1509a8af29d322ac68a212  15
 13.  Info.hta      46c2099abfb5bf6232a4cebd4c6315aa  15
 14.  Info.hta      c67cfb21a35d0f0d87695cec41091955  15
 15.  Info.hta      34cab96384ec9ced3bf3622ad28c3a64  15
 16.  Info.hta      92e58f01a7f258403672f6e9409bf9ba  15
 17.  Info.hta      1b8e9834e05471e504f75eae50ade90d  13
 18.  Info.hta      0c9c7d1ecf357c70af0836064885faea  12
 19.  Info.hta      20abbe33e018ca4cd97e41f8cb82bb2d  12
 20.  Info.hta      0b707f178039ee3e199c9b46c0f25467  12
 21.  Info.hta      65f5f994d7f36f7ed60eb4e812300f05  12
 22.  Info.hta      6dddb8c4f20b570a0200beca9bb1f7f2  12
 23.  Info.hta      7ee01de4ec71ba5f66d959faca1af8fa  11
 24.  payload.exe   d1487253cee49b68aebae1481e34f8fd  11
 25.  1801.exe      44d550f8ac8711121fe76400727176df  3
 26.  file.exe      0bac30f9c6da0ca96dc28d658ec2ecf4  2
 27.  file.exe      b84e41893fa55503a84688b36556db05  1

2 Comments

Can files encrypted by dharma(.cezar family),ce399eb5(3442516480@qq.com).pdf be recovered? Can they be decrypted?

Carlos Garrido

I have that ransomware (dharma(.cezar family),ce399eb5(3442516480@qq.com).pdf); can you help me recover and decrypt the files?
Thanks a lot
