Dharma 2017 Ransomware
Threat Scorecard
EnigmaSoft Threat Scorecards are assessment reports for different malware threats which have been collected and analyzed by our research team. EnigmaSoft Threat Scorecards evaluate and rank threats using several metrics including real-world and potential risk factors, trends, frequency, prevalence, and persistence. EnigmaSoft Threat Scorecards are updated regularly based on our research data and metrics and are useful for a wide range of computer users, from end users seeking solutions to remove malware from their systems to security experts analyzing threats.
EnigmaSoft Threat Scorecards display a variety of useful information, including:
- Ranking: The ranking of a particular threat in EnigmaSoft's Threat Database.
- Severity Level: The determined severity level of an object, represented numerically, based on our risk modeling process and research, as explained in our Threat Assessment Criteria.
- Infected Computers: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
Metric | Value |
---|---|
Ranking | 9,272 |
Threat Level | 100 % (High) |
Infected Computers | 26,217 |
First Seen | November 17, 2016 |
Last Seen | May 23, 2023 |
OS(es) Affected | Windows |
The Dharma 2017 Ransomware seems to represent a new generation of threats in the Dharma family of ransomware, which has been responsible for numerous encryption ransomware Trojans over the last year. The Dharma 2017 Ransomware Trojans were released in mid-August 2017. The Dharma 2017 Ransomware is delivered to victims through spam email messages and compromised websites that use exploit kits like the RIG Exploit Kit to infect visitors' computers. The Dharma 2017 Ransomware is very similar to numerous other encryption ransomware Trojans released previously in the Dharma family and is likely to share most of the same code.
The Dharma 2017 Ransomware is an Updated Version of the Dharma Ransomware
There are various changes to the Dharma 2017 Ransomware from previous Dharma variants, however. The Dharma 2017 Ransomware has changed the way it connects to its Command and Control servers and how it carries out its attacks. Furthermore, the Dharma 2017 Ransomware has advanced obfuscation layers that prevent malware researchers from studying it in detail. The Dharma 2017 Ransomware attacks have been restricted to Europe, North America, and South America mostly. It is likely, however, that the Dharma 2017 Ransomware attacks will spread to other countries. For now, the bulk of the Dharma 2017 Ransomware activity is centered in the United States and the United Kingdom.
There are Various Versions of the Dharma Ransomware
There are several variants of the Dharma 2017 Ransomware. They are nearly identical, but slight differences lead PC security analysts to distinguish between them. The main characteristic by which the different strains of the Dharma 2017 Ransomware can be told apart is the file extension each uses to mark the files compromised by the attack:
- The Dharma 2017 Ransomware Type A adds the '.zzzzz' extension.
- The Dharma 2017 Ransomware Type B adds the '.cezar' extension.
- The Dharma 2017 Ransomware Type C adds the '.cesar' extension.
These three are the main strains of the Dharma 2017 Ransomware that are currently active; each appends a different file extension to the end of the targeted file. Like most encryption ransomware Trojans, the Dharma 2017 Ransomware and its variants target the user-generated files on the victim's computer. File types targeted include audio, video, images, spreadsheets, Microsoft Office documents, databases, and numerous other user-generated files (generally avoiding the files the Windows operating system relies on to function properly).
How Con Artists may Profit from the Dharma 2017 Ransomware and Similar Ransomware Attacks
After encrypting the victim's files, the Dharma 2017 Ransomware will deliver a ransom note to the victim. The Dharma 2017 Ransomware's ransom notes take the form of text and HTML files named 'README,' which instruct the victims about the attack and ask them to pay a large ransom through Bitcoins. Computer users must refrain from paying the Dharma 2017 Ransomware ransom. There are several reasons for this:
- The people responsible for attacks like the Dharma 2017 Ransomware rarely will keep their word to provide the decryption key in exchange for the payment. These people are just as likely to ignore the victim or ask for more money after the payment has been carried out.
- Paying the Dharma 2017 Ransomware ransom allows con artists to continue creating and developing threats like the Dharma 2017 Ransomware, to carry out more attacks on innocent computers.
- Once the victims of the Dharma 2017 Ransomware attack demonstrate a willingness to pay, it is very likely that they will be targeted continually in future attacks.
Computer users should use file backups to ensure that they can recover their files quickly after a Dharma 2017 Ransomware infection. If the PC users can restore their files from a backup, then the people responsible for the Dharma 2017 Ransomware lose any power that allows them to demand a ransom payment.
Update November 5th, 2018 — '.adobe File Extension' Ransomware
The '.adobe File Extension' Ransomware is classified as a new variant of the Dharma 2017 Ransomware that emerged on November 5th, 2018. It features small changes in the way the data is encrypted, new command servers, and a new file marker added to the encrypted data containers. The '.adobe File Extension' Ransomware is spread among PC users using the old and proven tactic of emails carrying macro-enabled documents that install the threat in the system background. As the name suggests, the most notable modification of this cyber-threat's behavior is the inclusion of the '.adobe' marker. Earlier releases include the 'java File Extension' Ransomware and the '.bip File Extension' Ransomware. Computer security researchers warned that the '.adobe File Extension' Ransomware removes the System Restore points and the Shadow Volume snapshots and encrypts data securely. There may be no way to recover your data without backup copies or a decryptor provided by the threat creators. The '.adobe File Extension' Ransomware Trojan is configured to offer decryption services via the 'badbusiness@tutanota.de' email account. For example, the encrypted version of 'Ottawa.jpeg' is renamed to 'Ottawa.jpeg.id-1XS9TF24.[badbusiness@tutanota.de].adobe' and appears as a generic white icon. We recommend that users avoid negotiations with the Dharma developers and restore from backups instead. The Dharma Ransomware is operated as a business platform that enables many threat actors to push slightly altered versions of the main Dharma malware, so PC users should expect to see new variants of the Trojan in the future. You need to install a good backup manager to protect your data.
Update November 6th, 2018 — '.tron File Extension' Ransomware
The '.tron File Extension' Ransomware belongs to the Dharma 2017 Ransomware family of cyber-threats. Home PC users reported inaccessible data carrying the '.tron' extension on November 6th, 2018, and that is when the '.tron File Extension' Ransomware was added to AV databases. Research into these cases revealed that users were compromised by a new variant of Dharma, dropped by a new Trojan dropper that had not been associated with the Dharma 2017 Ransomware before. The new Trojan dropper component was written in the .NET programming language and is very small. You may be familiar with the .NET Framework that ships with the Windows OS and allows programs to use resources from Microsoft to execute various tasks. The same resources are exploited by the '.tron File Extension' Ransomware to compromise targeted data and avoid detection by AV engines. The new variant of Dharma is named after the most obvious trait that infected users are likely to notice. The file cryptor at hand appends the string '.id-
Artemis!9F3EA1850F9D
Gen:Variant.Ransom.Crysis.67
HEUR:Trojan.MSIL.Inject.gen
Ransom_CRYSIS.THAAOGAH
TR/Inject.gczsb
Trojan.MSIL.Inject.4!c
Trojan.Win32.Z.Razy.1093632.H
Trojan:Win32/Occamy.B
W32/Trojan.ZDIW-6475
a variant of MSIL/Packed.Babel.I
malicious.986562
malicious_confidence_90% (W)
Update November 11th, 2018 — '.back File Extension' Ransomware
The '.back File Extension' Ransomware is a variant in the Dharma 2017 Ransomware family, which first appeared in August of 2017. Since its initial release, the Dharma 2017 Ransomware family has spawned numerous threats, which include the '.back File Extension' Ransomware, released on November 11, 2018. Threats like the '.back File Extension' Ransomware are distributed in a wide variety of ways, including the use of spam email tactics, exploit kits, and by taking advantage of vulnerabilities in the victims' computers.
Why the '.back File Extension' Ransomware Makes the User's Files Useless
The '.back File Extension' Ransomware, like other Dharma 2017 variants, will use a strong encryption algorithm to make the victim's files inaccessible. The '.back File Extension' Ransomware targets the user-generated files in these attacks, which may include files with the following file extensions:
.jpg, .jpeg, .raw, .tif, .gif, .png, .bmp, .3dm, .max, .accdb, .db, .dbf, .mdb, .pdb, .sql, .dwg, .dxf, .cpp, .cs, .h, .php, .asp, .rb, .java, .jar, .class, .py, .js, .aaf, .aep, .aepx, .plb, .prel, .prproj, .aet, .ppj, .psd, .indd, .indl, .indt, .indb, .inx, .idml, .pmd, .xqx, .xqx, .ai, .eps, .ps, .svg, .swf, .fla, .as3, .as, .txt, .doc, .dot, .docx, .docm, .dotx, .dotm, .docb, .rtf, .wpd, .wps, .msg, .pdf, .xls, .xlt, .xlm, .xlsx, .xlsm, .xltx, .xltm, .xlsb, .xla, .xlam, .xll, .xlw, .ppt, .pot, .pps, .pptx, .pptm, .potx, .potm, .ppam, .ppsx, .ppsm, .sldx, .sldm, .wav, .mp3, .aif, .iff, .m3u, .m4u, .mid, .mpa, .wma, .ra, .avi, .mov, .mp4, .3gp, .mpeg, .3g2, .asf, .asx, .flv, .mpg, .wmv, .vob, .m3u8, .dat, .csv, .efx, .sdf, .vcf, .xml, .ses, .qbw, .qbb, .qbm, .qbi, .qbr, .cnt, .des, .v30, .qbo, .ini, .lgb, .qwc, .qbp, .aif, .qba, .tlg, .qbx, .qby, .1pa, .qpd, .txt, .set, .iif, .nd, .rtp, .tlg, .wav, .qsm, .qss, .qst, .fx0, .fx1, .mx0, .fpx, .fxr, .fim, .ptb, .ai, .pfb, .cgn, .vsd, .cdr, .cmx, .cpt, .csl, .cur, .des, .dsf, .ds4, .drw, .eps, .ps, .prn, .gif, .pcd, .pct, .pcx, .plt, .rif, .svg, .swf, .tga, .tiff, .psp, .ttf, .wpd, .wpg, .wi, .raw, .wmf, .txt, .cal, .cpx, .shw, .clk, .cdx, .cdt, .fpx, .fmv, .img, .gem, .xcf, .pic, .mac, .met, .pp4, .pp5, .ppf, .nap, .pat, .ps, .prn, .sct, .vsd, .wk3, .wk4, .xpm, .zip, .rar.
After encrypting the victim's files, the '.back File Extension' Ransomware delivers a ransom note demanding payment, often in the form of a TXT or HTML file. These ransom notes demand that the victim pay for the decryption key. Computer users should refrain from making these payments, which commonly expose the victim to additional tactics or enable the criminals to continue creating these threats and distributing them to additional victims.
The '.back File Extension' Ransomware Ransom Request
There are very slight differences between the '.back File Extension' Ransomware and its predecessors in the Dharma 2017 Ransomware family. It is likely that the '.back File Extension' Ransomware was created using a ransomware builder kit, which allows the criminals to create their own, custom versions of the Dharma 2017 Ransomware Trojan. The '.back File Extension' Ransomware can be recognized easily because, as its name implies, it will mark any files encrypted by the attack by adding the file extension '.back' to each affected file's name. The '.back File Extension' Ransomware also will replace the file's name with eight random characters and add its contact email address, back@decryption.cc, to the file's name. The '.back File Extension' Ransomware's ransom note is delivered in a text file named 'FILES ENCRYPTED.txt' that will be displayed on the affected computer's desktop.
Protecting Your Data from the '.back File Extension' Ransomware
The best protection from threats like the '.back File Extension' Ransomware is to have file backups stored on the cloud or an external device. Computer users also should use a strong security program to prevent the '.back File Extension' Ransomware from being installed in the first place. Monitoring and handling spam emails and online advertisements safely are also fundamental aspects of preventing the '.back File Extension' Ransomware attacks.
Update November 28th, 2018 — 'cyberwars@qq.com' Ransomware
The 'cyberwars@qq.com' Ransomware is a working name that researchers use to denote a new variant of the Dharma 2017 Ransomware, reported on November 27th, 2018. The Trojan at hand is distributed via spam emails and appears to produce the same ransom note as the 'suppfirecrypt@qq.com' Ransomware and the '.myjob File Extension' Ransomware. The 'cyberwars@qq.com' Ransomware behaves as a standard crypto-threat and applies a custom AES-256 cipher to the targeted data on your local drives. It uses a unique encryption key to lock your content and sends the decryption key to its command servers via an encrypted connection. The 'cyberwars@qq.com' Ransomware is observed to rename files by adding the '.[cyberwars@qq.com].war' extension. For example, 'YIN AND YANG.jpeg' is renamed to 'YIN AND YANG.jpeg.[cyberwars@qq.com].war.' The Trojan does not delete data on the infected computers, but your files are not accessible, and a ransom note appears on the desktop. The ransom notification is provided as 'FILES ENCRYPTED.TXT' and reads:
'all your data has been locked us
You want to return?
write email cyberwars@qq.com'
At this time, there is no free decryptor available for the people affected by the 'cyberwars@qq.com' Ransomware and similar Dharma variants. You may be tempted to contact the threat actors via 'cyberwars@qq.com,' but you should attempt to restore your data first. Data backups, System Restore disks, emails, file hosting services, and backup DVDs can help you rebuild your files without submitting to the ransomware operators. PC users should avoid spam emails that urge them to download and open a file. Use a trusted anti-malware tool to clean infected devices.
Update November 30th, 2018 — 'parambingobam@cock.li' Ransomware
This update concerns several new variants of the Dharma 2017 Ransomware that surfaced on November 30th, 2018. The new Dharma variants continue to be spread via spam emails and corrupted Microsoft Word documents. This update draws on reports from several independent cybersecurity researchers who noted that the variants share many similarities. The first variant is the 'parambingobam@cock.li' Ransomware Trojan, which appends the '.[parambingobam@cock.li].adobe' extension to file names. The second is the 'mercarinotitia@qq.com' Ransomware, which appends the '[mercarinotitia@qq.com].adobe' extension and uses a different ransom note from the standard note we have come to expect from Dharma.
The 'parambingobam@cock.li' Ransomware uses the typical ransom note of Dharma-based threats, provides users with an identification string, and lists two contact emails: 'parambingobam@cock.li' and 'bufytufylala@tuta.i.' It behaves like other Dharma-based threats and employs encryption not only to lock data but also to protect its transmissions to the command servers. The 'mercarinotitia@qq.com' Ransomware, on the other hand, is built using code from the Crysis Ransomware, and its ransom note is entirely different. It is included in this update because it uses almost the same file marker, '[mercarinotitia@qq.com].adobe', and most of the program is derived from Dharma. Both variants rename the files the same way and encode the same range of data containers. Both also remove the System Restore points and the Shadow Volume snapshots by using the command line utility.
The ransom note used by the 'mercarinotitia@qq.com' Ransomware is the same we have seen with the 'paydecryption@qq.com' Ransomware and the '.cccmn File Extension' Ransomware:
'All your data has been locked us
you want to return?
write email mercarinotitia@qq.com'
Detection names for the 'parambingobam@cock.li' Ransomware include the following:
HEUR/QVM20.1.572F.Malware.Gen
Ransom-WW!801175D89E13
Ransom:Win32/Wadhrama.C
Trojan ( 00519f781 )
Trojan.Ransom.Crysis.E
Trojan.Win32.Ransom.94720.F
W32/Trojan.ILHO-9216
Win.Trojan.Dharma-6668198-0
Win32.Trojan-Ransom.VirusEncoder.A
malicious_confidence_100% (W)
Update November 30th, 2018 — 'audit@cock.li' Ransomware
This update concerns a new variant of the Dharma 2017 Ransomware identified by a computer security researcher named Michael Gillespie. The 'audit@cock.li' Ransomware is identical to the Dharma 2017 variants listed above with only two notable differences: it writes a new email account and a new file extension to the encrypted data. The cyber-threat at hand is known to attach the '.[audit@cock.li].risk' extension and overwrite the targeted data. It also deletes the Shadow Volume snapshots and the System Restore points, so infected PC users need data backups made with third-party applications if they want to recover without funding the development of new Dharma 2017 variants. The 'audit@cock.li' Ransomware Trojan renames files like 'Advanced Reservoir Engineering.epub' to 'Advanced Reservoir Engineering.epub.[audit@cock.li].risk.' The ransom note is presented in two formats, an HTML file and a TXT file, both named 'FILES ENCRYPTED.' The HTML version carries the standard Dharma 2017 message, while the TXT version is an example of the updated note associated with hybrid threats based on the Dharma 2017 and the Crysis Ransomware. The new version of 'FILES ENCRYPTED.txt' includes only three lines that read:
'all your data has been locked us
You want to return?
write email audit@cock.li'
There are no other significant updates to the Dharma 2017 Ransomware except for the frequent change of command and control servers. The threat distributors continue to rely on spam emails and exploit kits primarily. There is no way to recover the affected data without using backup services and pre-made System Recovery disks.
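The Shadow Volume snapshot and System Restore point removal noted for the '.adobe', 'parambingobam@cock.li' and 'audit@cock.li' variants above is one of the few Dharma 2017 behaviours a defender can catch while encryption is still running, because it surfaces as an ordinary process-creation event. The Python script below is an added example written for this page, not code from EnigmaSoft, SpyHunter or the Dharma authors. The page does not name the command line utility involved; the script assumes the Windows built-ins that manage Volume Shadow Copies (vssadmin, wmic shadowcopy and the Win32_ShadowCopy WMI class), treats restore points as VSS snapshots (which they are on current Windows), and runs over a constructed, simplified key=value rendering of process-creation events rather than real telemetry. The `parse_event` and `detect_shadow_deletion` names and the sample log are this example's own.

```python
"""Flag process-creation events consistent with the Shadow Volume snapshot and
System Restore point deletion that the Dharma 2017 variants above perform.
Added example; not EnigmaSoft, SpyHunter or Dharma code.

Assumptions: the page only says the snapshots are removed "through the use of
the command line utility"; the patterns below cover the Windows built-ins that
manage Volume Shadow Copies (vssadmin, wmic shadowcopy, the Win32_ShadowCopy
WMI class).  Restore points are themselves VSS snapshots, so the same patterns
cover both.  The log lines are a constructed, simplified key=value rendering of
a process-creation event, not real telemetry.
"""
import re
from typing import Dict, Iterable, List

# Command-line shapes that remove shadow copies.  A "list shadows" call does not match.
SHADOW_DELETE_PATTERNS = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bWin32_ShadowCopy\b.*\b(?:Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I),
     "Win32_ShadowCopy deletion via WMI/PowerShell"),
]

# A parent binary living in a user-writable location (where a mailed dropper lands)
# makes the alert high severity; an administrator running vssadmin from cmd.exe is
# still worth a look, but at medium.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\", re.I)

# key=value or key="value with spaces"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Turn 'timestamp key=value key="..."' into a dict; the first token is the timestamp."""
    fields = {"timestamp": line.split(" ", 1)[0]}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def detect_shadow_deletion(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per event whose command line matches a shadow-copy deletion."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        cmd = ev.get("cmdline", "")
        for pattern, technique in SHADOW_DELETE_PATTERNS:
            if pattern.search(cmd):
                parent = ev.get("parent", "")
                alerts.append({
                    "timestamp": ev["timestamp"],
                    "host": ev.get("host", "?"),
                    "technique": technique,
                    "severity": "high" if USER_WRITABLE.search(parent) else "medium",
                    "parent": parent,
                    "cmdline": cmd,
                })
                break  # one alert per event, even if several patterns match
    return alerts


# Constructed sample log: a dropper in the user's Temp folder clearing shadow copies
# (two techniques), a benign notepad launch, a backup service listing shadows, and an
# administrator deleting old shadows by hand.  None of this is real telemetry.
SAMPLE_LOG = r"""
2018-11-06T10:15:20Z host=WS01 user=CORP\alice parent="C:\Users\alice\AppData\Local\Temp\payload.exe" image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c vssadmin delete shadows /all /quiet"
2018-11-06T10:15:21Z host=WS01 user=CORP\alice parent="C:\Users\alice\AppData\Local\Temp\payload.exe" image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic shadowcopy delete"
2018-11-06T10:16:02Z host=WS01 user=CORP\alice parent="C:\Program Files\Editor\editor.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe FILES ENCRYPTED.txt"
2018-11-06T11:00:00Z host=SRV02 user=CORP\backupsvc parent="C:\Windows\System32\services.exe" image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin list shadows"
2018-11-06T11:30:00Z host=SRV02 user=CORP\admin parent="C:\Windows\System32\cmd.exe" image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin delete shadows /for=D: /oldest"
"""

if __name__ == "__main__":
    for a in detect_shadow_deletion(SAMPLE_LOG.splitlines()):
        print(f"[{a['severity']:6}] {a['timestamp']} {a['host']} {a['technique']}: "
              f"{a['cmdline']}  (parent: {a['parent']})")
```

Two design points worth keeping when porting this to a real SIEM rule: match on the command line rather than the image name, because the first sample line launches vssadmin through cmd.exe and a rule keyed on `image` would miss it; and do not suppress deletions whose parent is a system binary, since backup and administration tooling legitimately deletes old shadows, so they are graded down to medium rather than dropped.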
Update December 5th, 2018 — 'admin@decryption.biz' Ransomware
The 'admin@decryption.biz' Ransomware is a new variant of the Dharma 2017 Ransomware that appeared in the first week of December 2018. The 'admin@decryption.biz' Ransomware appears to be a rather rushed release based on the 'audit@cock.li' Ransomware that used the '.risk' extension and the 'audit@cock.li' email addresses. The only major change in the 'admin@decryption.biz' Ransomware is that it appends the '.[Admin@decryption.biz].bkpx' extension. The 'admin@decryption.biz' Ransomware uses the same encryption method and drops the same message to the infected systems. Again, the only change in the note is that PC users are instructed to send an email to a new address. The threat locks access to images, audio, video, text, PDFs, eBooks and databases. Compromised devices remain operational, but your content can't be loaded by programs. For example, the video 'Mutant Year Zero.mp4' is renamed to 'Mutant Year Zero.mp4.[Admin@decryption.biz].bkpx' and can't be loaded by media players like VLC. The ransom note is reported to include the following text:
'All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Admin@decryption.biz
Write this ID in the title of your message 1E857D00
In case of no answer in 24 hours write us to these e-mails:bigbro1@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment, we will send you the decryption tool that will decrypt all your files.'
The threat actors may receive a list of the encrypted files, and they may use the information to demand thousands of dollars if they suspect you have valuable and unprotected data on your machine. We recommend avoiding negotiations with the people behind the 'admin@decryption.biz' Ransomware as you might be tricked. The removal of the 'admin@decryption.biz' Ransomware is possible with the help of a credible anti-malware instrument. Detection names for the 'admin@decryption.biz' Ransomware Trojan include:
BehavesLike.Win32.Generic.bc
HEUR:Backdoor.MSIL.Androm.gen
ML.Attribute.HighConfidence
Trojan ( 00542f0b1 )
Trojan.Generic.D26ECAC3
Trojan.GenericKD.40815299
Win32/Backdoor.9cf
Win32:MalwareX-gen [Trj]
malware (ai score=89)
Update December 14th, 2018 — 'skynet45@tutanota.com' Ransomware
The 'skynet45@tutanota.com' Ransomware is a variant of the Dharma 2017 Ransomware that was reported on December 14th, 2018 by computer security researchers. The 'skynet45@tutanota.com' Ransomware is not an upgrade of the existing harmful code. The 'skynet45@tutanota.com' Ransomware is a modified Dharma copy that is tailored to the needs of the distributor associated with the program. As we have mentioned in the article listed above, the Dharma project is operated like a business where you have developers maintaining the core program and backend servers. The Dharma platform is open to other threat actors who are experienced in malware distribution and are interested in making an easy profit. The 'skynet45@tutanota.com' Ransomware is produced with a Dharma Ransomware builder and pushed to users via spam emails, fake advertisements, cracked shareware and pirated games primarily.
The 'skynet45@tutanota.com' Ransomware variant is reported to encipher standard data types like audio, video, databases, presentations, simple text, spreadsheets, images, eBooks and PDFs. The 'skynet45@tutanota.com' Ransomware is observed to attach the '.combo' extension to rename the files. For example, 'Eichbaum Pilsener.docx' is renamed to 'Eichbaum Pilsener.docx.combo.' Two standard ransom notes titled 'FILES ENCRYPTED.txt' and 'skynet45@tutanota.com.hta' are delivered to the user's desktop, and both refer users to the 'skynet45@tutanota.com' and the 'skynet45@cock.li' email accounts for available decryption services. Affected PC users should use data backups, emails and file hosting services to rebuild their files and avoid making payments to the cybercriminals. You should be able to remove the 'skynet45@tutanota.com' Ransomware using an up-to-date security instrument.
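The renaming layouts quoted across this page (the '.zzzzz', '.cezar' and '.cesar' markers of the three original strains; the 'name.ext.id-XXXXXXXX.[email].marker' form of the '.adobe' and '.bkpx' variants; the 'name.ext.[email].marker' form of the '.war' and '.risk' variants; and the bare '.combo' marker) can all be decomposed by one regular expression, which gives an incident responder the variant, the victim ID and the contact address from a directory listing alone. The Python script below is an added example, not code from EnigmaSoft, SpyHunter or the Dharma authors. The `parse_dharma_name` and `triage` names, the `DHARMA_MARKERS` table (built only from the extensions this page attributes to each variant) and the sample listing are this example's own constructions.

```python
"""Triage a directory listing for files renamed by the Dharma 2017 variants
described on this page.  Added example; not EnigmaSoft, SpyHunter or Dharma code.

Name layouts handled (all quoted on the page):
  name.ext.id-XXXXXXXX.[email].marker   e.g. the '.adobe' and '.bkpx' variants
  name.ext.[email].marker               e.g. the '.war' and '.risk' variants
  name.ext.marker                       e.g. '.zzzzz', '.cezar', '.cesar', '.combo'
"""
import re
from typing import Dict, Iterable, List, NamedTuple, Optional

# Marker extension -> variant name, as attributed on this page.
DHARMA_MARKERS: Dict[str, str] = {
    "zzzzz": "Dharma 2017 Type A",
    "cezar": "Dharma 2017 Type B",
    "cesar": "Dharma 2017 Type C",
    "adobe": "'.adobe File Extension' Ransomware (and its '[email].adobe' successors)",
    "tron": "'.tron File Extension' Ransomware",
    "back": "'.back File Extension' Ransomware",
    "war": "'cyberwars@qq.com' Ransomware",
    "risk": "'audit@cock.li' Ransomware",
    "bkpx": "'admin@decryption.biz' Ransomware",
    "combo": "'skynet45@tutanota.com' Ransomware",
}

# Ransom-note file names quoted on the page (compared case-insensitively).
RANSOM_NOTE_NAMES = {"files encrypted.txt", "files encrypted.hta", "info.hta"}

# Original name, then optional '.id-<victim id>', optional '.[<email>]', then the marker.
# The non-greedy original stops at the first split where the remainder fits the layout.
_PATTERN = re.compile(
    r"^(?P<original>.+?)"
    r"(?:\.id-(?P<victim_id>[0-9A-Za-z]+))?"
    r"(?:\.\[(?P<email>[^\]\s]+@[^\]\s]+)\])?"
    r"\.(?P<marker>[A-Za-z0-9]+)$"
)


class DharmaFile(NamedTuple):
    original_name: str
    victim_id: Optional[str]
    contact_email: Optional[str]
    marker: str
    variant: str


def parse_dharma_name(filename: str) -> Optional[DharmaFile]:
    """Return the decomposed name if the file carries a known Dharma marker, else None."""
    m = _PATTERN.match(filename)
    if not m:
        return None
    marker = m.group("marker").lower()
    if marker not in DHARMA_MARKERS:
        return None  # ordinary extension such as .docx, not a Dharma marker
    return DharmaFile(m.group("original"), m.group("victim_id"),
                      m.group("email"), marker, DHARMA_MARKERS[marker])


def triage(filenames: Iterable[str]) -> dict:
    """Summarise which variant(s) hit a host, the contact addresses and victim IDs
    embedded in the renamed files, and which ransom notes were dropped."""
    summary = {"encrypted": [], "notes": [], "variants": {}, "emails": set(), "victim_ids": set()}
    for name in filenames:
        if name.lower() in RANSOM_NOTE_NAMES:
            summary["notes"].append(name)
            continue
        parsed = parse_dharma_name(name)
        if parsed is None:
            continue
        summary["encrypted"].append(parsed)
        summary["variants"][parsed.variant] = summary["variants"].get(parsed.variant, 0) + 1
        if parsed.contact_email:
            summary["emails"].add(parsed.contact_email)
        if parsed.victim_id:
            summary["victim_ids"].add(parsed.victim_id)
    return summary


# Constructed listing built from the renamed-file examples quoted on this page,
# plus two ransom notes and two untouched files.
SAMPLE_LISTING: List[str] = [
    "Ottawa.jpeg.id-1XS9TF24.[badbusiness@tutanota.de].adobe",
    "YIN AND YANG.jpeg.[cyberwars@qq.com].war",
    "Advanced Reservoir Engineering.epub.[audit@cock.li].risk",
    "Mutant Year Zero.mp4.[Admin@decryption.biz].bkpx",
    "Eichbaum Pilsener.docx.combo",
    "FILES ENCRYPTED.txt",
    "Info.hta",
    "budget.xlsx",
    "notes.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    for f in result["encrypted"]:
        print(f"{f.original_name!r:42} id={f.victim_id} email={f.contact_email} -> {f.variant}")
    print("variants:", result["variants"])
    print("contact emails:", sorted(result["emails"]), "victim IDs:", sorted(result["victim_ids"]))
```

The original file name recovered by the parser is what makes restoration from backup mechanical: once the variant is removed, a listing of `original_name` values is exactly the set of files to pull back from the backup copy. The marker table is deliberately closed, so a file such as 'notes.txt' is never reported, and a new variant with an unlisted marker needs one line added rather than a new parser.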
SpyHunter Detects & Removes Dharma 2017 Ransomware
File System Details
Detections: The number of confirmed and suspected cases of a particular threat detected on infected computers as reported by SpyHunter.
# | File Name | MD5 | Detections |
---|---|---|---|
1. | Info.hta | ce5451a17a72300ed0f75e3d8de29708 | 36 |
2. | Info.hta | 58a93aa9dcbd009d4069b65c54bcd80f | 35 |
3. | Info.hta | bdc3fca6533c4b1bccc953e7b02137d4 | 33 |
4. | Info.hta | 53e186e8ec9c89845580515b57f42645 | 31 |
5. | Info.hta | 0d4f31aed025f9bb79b93cc87160438e | 31 |
6. | Info.hta | 052913d7a6a09437d38d00d747887966 | 27 |
7. | Info.hta | 82677bdaa1ffd8b2711deaf20e901e12 | 19 |
8. | Info.hta | 8a220990e2b0777f21bd4f67e7579196 | 17 |
9. | Info.hta | bca4f4c05300a60d4f8ce9822ae252bb | 17 |
10. | Info.hta | 940ce88a73a6a09056ef8485adf9a251 | 17 |
11. | Info.hta | 9b8ff0f3c4a29d9f7e469df6ed26e876 | 16 |
12. | Info.hta | afe42573db1509a8af29d322ac68a212 | 15 |
13. | Info.hta | 46c2099abfb5bf6232a4cebd4c6315aa | 15 |
14. | Info.hta | c67cfb21a35d0f0d87695cec41091955 | 15 |
15. | Info.hta | 34cab96384ec9ced3bf3622ad28c3a64 | 15 |
16. | Info.hta | 92e58f01a7f258403672f6e9409bf9ba | 15 |
17. | Info.hta | 1b8e9834e05471e504f75eae50ade90d | 13 |
18. | Info.hta | 0c9c7d1ecf357c70af0836064885faea | 12 |
19. | Info.hta | 20abbe33e018ca4cd97e41f8cb82bb2d | 12 |
20. | Info.hta | 0b707f178039ee3e199c9b46c0f25467 | 12 |
21. | Info.hta | 65f5f994d7f36f7ed60eb4e812300f05 | 12 |
22. | Info.hta | 6dddb8c4f20b570a0200beca9bb1f7f2 | 12 |
23. | Info.hta | 7ee01de4ec71ba5f66d959faca1af8fa | 11 |
24. | payload.exe | d1487253cee49b68aebae1481e34f8fd | 11 |
25. | 1801.exe | 44d550f8ac8711121fe76400727176df | 3 |
26. | file.exe | 0bac30f9c6da0ca96dc28d658ec2ecf4 | 2 |
27. | file.exe | b84e41893fa55503a84688b36556db05 | 1 |