DT Ransomware

Despite being around for quite a while, it appears that cybercriminals are still using the Dharma Ransomware as a basis for new threats. One such variant that has been detected by infosec researchers is the DT Ransomware. The DT Ransomware doesn't display any major improvements over the typical Dharma variant. However, its destructive capabilities shouldn't be underestimated. Each compromised system will be subjected to an encryption process that will lock almost all of the files stored there with an uncrackable cryptographic algorithm. Afterward, users will be unable to even access nearly all of their personal or work-related files. The goal of the hackers is to use the locked data as a hostage and then extort their victims for money.

The DT Ransomware follows the usual naming pattern observed in Dharma variants. The DT Ransomware will change the original names of the encrypted files drastically, by appending to them an ID string assigned to the specific victim, an email address under the control of the cybercriminals, and finally '.DT' as a new file extension. The email used in the file names is 'datos@onionmail.org.' Upon completing its encryption process, the malware will deliver two versions of its ransom note. One will be contained inside a text file named 'info.txt,' while the other will be displayed in a pop-up window.

DT Ransomware's Demands

The instructions delivered via the text file are extremely short. Victims are simply directed to use the two provided emails - datos@onionmail.org and datos@msgsafe.io, to establish contact with the hackers. The pop-up window reiterates the same communication channels. However, it also contains several warnings. According to the note, victims should not try to change the names of the locked files or try to decrypt them with third-party tools as that could lead to data loss. In addition, involving third-party recovery organizations result in increased monetary losses.

In general, ransomware victims should not follow the demands of the hackers. Contacting them could expose the users to additional security risks, which should be avoided. Instead, clean the infected computer and only after that, try to restore the locked files from a suitable backup.

The instructions delivered in DT Ransomware's text file are:

'all your data has been locked us
You want to return?
write email datos@onionmail.org or datos@msgsafe.io.'

The pop-up window displays the following information:

'YOUR FILES ARE ENCRYPTED

datos@onionmail.org

Don't worry, you can return all your files!
If you want to restore them, write to the mail: datos@onionmail.org YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:datos@msgsafe.io

ATTENTION!
We recommend you contact us directly to avoid overpaying agents

Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.'