Dharma-BOOT Ransomware Description
The Dharma-BOOT Ransomware is a new variant from the Dharma malware family, that has been detected in the wild. Ransomware threats are designs to target the data of their victims and lock it with strong encryption algorithms specifically. The affected files are rendered unusable and, in most cases, can only be restored by having the specific decryption key and software tool possessed by the attackers.
Whenever the Dharma-BOOT Ransomware locks a file, it also modifies that file's original name. The threat first appends an ID string that has been assigned to the victim. Then, it adds the 'email@example.com.' Finally, '.BOOT' is placed as a new file extension. Following the typical Dharma behavior, Dharma-BOOT also creates two different ransom notes on the compromised systems. A brief ransom-demanding message can be found inside a text file named 'FILES ENCRYPTED.txt,' while the full ransom note will be displayed in a pop-up window.
Dharma-BOOT Ransomware's Demands
The instructions delivered via the text file simply tell victims to contact the 'firstname.lastname@example.org' email address, which is in the names of the encrypted files. The pop-up window reiterates the same message largely but also includes a section of various warnings. Affected users are told to not rename any of the locked files or try to decrypt them with third-party tools, as that could damage the data and make it unsalvageable.
The pop-up window displays the following message:
'YOUR FILES ARE ENCRYPTED
Don't worry,you can return all your files!
If you want to restore them, follow this link:email email@example.com YOUR ID 1E857D00
If you have not been answered via the link within 12 hours, write to us by e-mail:firstname.lastname@example.org
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'
The message in the text file is:
'all your data has been locked us
You want to return?
write email email@example.com.'