Dharma ransomware (<id>-<id***8 random>.[<email>].dharma) Support Topic


3013 replies to this topic

#1 Haleice

Haleice

  •  Avatar image
  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:05:07 AM

Posted 16 November 2016 - 03:04 PM

Dharma (CrySiS) Ransomware initially started out under the name of CrySiS in the summer of 2016 as a Ransomware-as-a-Service (RaaS) operation. After someone leaked the CrySiS master decryption keys online in November 2016, the CrySiS RaaS relaunched under the name of Dharma two weeks later as explained in this news article. Since that time the malware developers have released a constant flow of new Dharma variants utilizing many differently named extensions. The FBI has ranked Dharma the second most lucrative ransomware operation in recent years.

Any files that are encrypted with Dharma (CrySiS) Ransomware will have an <id>-<id*** random 8 hex char>.[<email>] followed by one of its many different extensions appended to the end of the encrypted data filename as explained here by Amigo-A (Andrew Ivanov). These are a few examples.

.id-A04EBFC2.[bitcoin143@india.com].dharma
.id-30B3DDC1.[chivas@aolonline.top].arena
.id-EE6A4622.[veracrypt@foxmail.com].adobe
.id-504ADFDD.[admin@stex777.com].money

Dharma (CrySiS) extensions include .dharma, .wallet, .onion, .zzzzz, .cezar, .cesar, .arena, .cobra, .java, .write, .arrow, .bip, .combo, .cmb, .brrr, .gamma, .monro, .bkp, .btc, .bgtx, .boost, .waifu, .funny, .betta, .vanss, .like, .gdb, .xxxxx, .1BTCx, .lock, .adobe, .AUDIT, .cccmn, .tron, .back, .Bear, .fire, .myjob, .war, .risk, .bkpx, .santa, .bizer, .gif, .AUF, .heck, .capital, .USA, .xwx, .heets, .best, .qwex, .ETH, .air, .888, .amber, .frend, .KARLS, .aqva, .AYE, .korea, .NWA, .com, .amber, .azero, .bk666, .stun, .ms13, .carcn, .btix, .LOVE, .GATE, .LDPR, .FREDD, .txt, .video, .MERS, .bat, .qbix, .wal, .aa1, .qbtex, .yG, .drweb, .jack, .DDOS, .PLUT, .cry, .4k, .TOR13, .good, .zoh, .beets, .BSC, .zoh, .kjh, .save, .Kick, .html, .harma, .cap, .hccapx, .xxxx, .php, .dqb, .1BTC, .com2, .Acuf2, .nqix, .Q1G, .pdf, .cmd, .group, .MGS, .RSA, .ebola, .money, .CASH, .KRAB, .oo7, .uta, .bot, .wiki, .PBD, .one, .xda, .asus, .start, .VIRUS, .rsa (lowercase), .kr, .ninja, .SySS, .kharma, .2048, .ROGER, .bitx, .IMI, .asd, .RIDIK, .NEWS, .CU, .2NEW, .LIVE, .crown, .Z9, .ncov, .self, .qbix, .PAY, .NcOv, .PLEX, .YKUP, .N3, .rxx, .GTF, .MARK, .IPM, .LX, .C-VIR, .2020, .stop, .DOP, .dec, .love$, .0day0, .LOL, .PHP, .NET, .BANG, .payB, .space, .BOMBO, .ONE, .CYB, .FRM, .club, .wch, .hlpp, .dr, .pgp, .hack, .HCK, .r3f5s, .bad, .base, .team, .credo, .gyga, .NHLP, .bmtf, .prnds, .teamV, .null, .felix, .gns, .smpl, .data, .spare, .PPHL, .tcprx, .mnbzr, .1dec, .WEEK, .homer, .xati, .rec, .Aim, .gold, .blm, .eur, .LOG, .chuk, .AHP, .WSHLP, .fresh, .cve, .FLYU, .gtsc, .dme, .zxcv, .Crypt, .LCK, .bH4T, .Acuf2, .259, .zimba, .help, .sss, .SWP, .cvc, .ZIN, .SUKA, .yoAD, .lock, .msf, .mpr, .gac, .21btc, .NOV, .4help, .hub, .aol, .14x, .dis, .Avaad, .crypt, .22btc, .TomLe, .wcg, .con30, .text, .word, .LOTUS, .pauq, .four, .clman, .ORAL, .urs, .Jessy, .ROG, .biden, .eofyd, .duk, .LAO, .pirat, .liz, .bqd2, .4o4, .ctpl, .2122, .HPJ, .bdev, .eye, .root, .rxx, .back, .zphs, .gold, .error, .rdp, .cnc, .PARTY, .DT, .dance, .nmc, .ZEUS, .jpg, .TOR, .CLEAN, .c0v, .Deeep, .DC, .Xqxqx, .C1024, .ver, .RED, .bmo, .MTX, .Bl, .kl, .xgpr, .snwd, .ust29, .reL, .ME, .r3tr0, .info, .NMO, .Po, .just, .CRASH, .RPC, .jron, .like, .xCor, .mono, .Z0V, .GPT, .DOOK, .2023, .34678

 

Dharma (CrySiS) typically will leave files (ransom notes) with names like README.txt, README.jpg, Hello my vichtim.txt, Your personal data are encrypted!.txt, FILES ENCRYPTED.txt, Files encrypted!!.txt, info.hta.

 

Unfortunately, there is no known method to decrypt files encrypted by any of the newer Dharma (CrySiS) variants without paying the ransom and obtaining the private encryption keys from the criminals who created the ransomware unless they are leaked or seized & released by authorities. Without the criminal's master private key that can be used to decrypt your files, decryption is impossible. That usually means the key is unique (specific) for each victim and generated in a secure way that cannot be brute-forced...the public key alone that encrypted files is useless for decryption.
 
Only the earlier .dharma, .wallet, .onion and some .cesar, .bip variants of Dharma (CrySiS) before 2017 are decryptable (see here) after unknown individuals leaked the master decryption keys...and not because of an encryption flaw as explained in this news article: Source code of Dharma ransomware pops up for sale on hacking forums. The master decryption keys for .dharma and the master decryption keys for .wallet and .onion variants were released (most likely by one of the developers) in the same manner as the original CrySiS Ransomware keys were released which allowed Kaspersky, ESET, Trend Micro and Avast to create decryptor tools.
 
You can download and use Kaspersky's RakhniDecryptor if you were hit by .dharma extension.
You can download and use avast_decryptor_crysis if you were hit by .wallet extension.
You can download and use ESET CrysisDecryptor if you were hit by .dharma, .wallet, .onion variants.

You can download and use Trend Micro's Crysis Decryptor if you were hit by .xtbl, .crypt, .dharma, .wallet variants.

 

 

Additional Comments by Grinler (aka Lawrence Abrams), the site owner of Bleeping Computer:

 

This ransomware mostly comes via RDP, so please disable it or secure it with a strong password. Backups, multiple backups and testing them regularly are important.

I also wanted to inform everyone that there is a previous member who was banned because he was offering decryption services for Dharma ransomware for a fee, which from what I understand was more than the ransom amount.
 
As it is my job to make sure people are not pulling scams on our visitors, I asked him to stop offering these services unless he explained how he was decrypting the files and to prove that he was just not paying the ransom and then charging victims more.
 
He refused to provide any information, even under the conditions that I would not publicly disclose the methods, and was therefore told to stop private messaging people.
 
He continued doing so and was thus banned. Unfortunately, he continues to create new accounts and send people private messages about paid decryption services.
 
Due to this, if you receive messages from anyone stating that they can decrypt recent Dharma ransomware variant, please report the PM or post. This could very well be a scam.
 
Even if they provide a free decryption or two, this could be nothing more than a deal they have with the ransomware developers, and should not be trusted unless they disclose how they are decrypting the files.
 
 
 
 
Hi there,
 
Our exchange server and 4 of our office PC's appear to be infected with a ransomware. However there are a number of other PC's that were connected to the network that aren't infected.
 
The ransomware only appears to affect the c:\users folder and below, encrypting the files and adding [bitcoin143@india.com].dharma to the end of each filename. From what I can see there doesn't appear to be a ransom note anywhere that we can spot.
 
No antivirus or malware checkers that we have tried seem to spot it. The problem we have is that the PCs are still infected and if you add new files to the user folders when you re-boot the PC they get infected. Other than that it doesn't seem to stop you using the PC.
 
I tried scanning the file on your website but it wasn't recognised. It gave me a reference SHA1: 1ad54bb7fd696316dece1eb4b536ba883657da02
 
Any help would be greatly appreciated.
 
Haleice


Edited by quietman7, 21 November 2023 - 08:26 AM.
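The naming pattern described in the post above (".id-<8 hex chars>.[<email>].<extension>", with the earliest samples in this thread carrying only "[<email>].dharma") is easy to recognise mechanically. The following Python script is an added example written for this page; it is not code from the thread, from BleepingComputer or from any decryptor vendor. It parses a file listing, splits the hits by contact address and extension, and flags names whose extension is one the post says master keys were released for (.dharma, .wallet, .onion), so a responder knows which files are worth running a public decryptor against. The file names in SAMPLE_LISTING are constructed, including the double-encrypted name modelled on alpotero's report further down the thread.

```python
import re
from collections import Counter

# Extensions for which the post above says master keys were released.
# Files with any other extension are treated as not decryptable.
RELEASED_KEY_EXTENSIONS = {"dharma", "wallet", "onion"}

# The marker Dharma appends at the very end of a name:
#   ".id-<8 hex chars>.[<email>].<extension>"
# The "id-" part is optional because the earliest names quoted in this
# thread carry only "[<email>].dharma".
DHARMA_SUFFIX = re.compile(
    r"(?:\.id-(?P<victim_id>[0-9A-Fa-f]{8}))?"   # optional victim ID
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]"        # contact address in brackets
    r"\.(?P<ext>[A-Za-z0-9$\-]+)$"               # campaign extension
)


def parse_dharma_name(filename):
    """Describe the Dharma marker on a filename, or return None if absent.

    original     - the name with the Dharma suffix removed; for a file that
                   was encrypted twice this still carries the first family's
                   own suffix
    victim_id    - the 8 hex character ID, or None for the id-less variant
    email        - contact address embedded in the name
    ext          - final extension without the dot
    key_released - True when the extension is one the post lists as having
                   released master keys, so a public decryptor is worth trying
    """
    match = DHARMA_SUFFIX.search(filename)
    if match is None:
        return None
    ext = match.group("ext")
    return {
        "original": filename[:match.start()],
        "victim_id": match.group("victim_id"),
        "email": match.group("email"),
        "ext": ext,
        "key_released": ext.lower() in RELEASED_KEY_EXTENSIONS,
    }


def triage(filenames):
    """Summarise a listing: how many names carry the marker, how they split
    by contact address and extension, and how many fall under an extension
    with released keys."""
    summary = {"encrypted": 0, "untouched": 0,
               "by_campaign": Counter(), "key_released": 0}
    for name in filenames:
        info = parse_dharma_name(name)
        if info is None:
            summary["untouched"] += 1
            continue
        summary["encrypted"] += 1
        summary["by_campaign"][(info["email"], info["ext"])] += 1
        if info["key_released"]:
            summary["key_released"] += 1
    return summary


# Constructed sample listing, modelled on the name formats quoted in the
# thread (the IDs and the double-encrypted name are made up for illustration).
SAMPLE_LISTING = [
    "Q3-budget.xlsx.id-A04EBFC2.[bitcoin143@india.com].dharma",
    "holiday.jpg.id-30B3DDC1.[chivas@aolonline.top].arena",
    "notes.txt.[bitcoin143@india.com].dharma",
    "sample_file.xls.id-1A2B3C4D.{funa@india.com}.lock.[worm01@india.com].dharma",
    "README.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"{result['encrypted']} marked, {result['untouched']} untouched, "
          f"{result['key_released']} under an extension with released keys")
    for (email, ext), count in result["by_campaign"].most_common():
        print(f"  {count:>3}  [{email}].{ext}")
```

Run it against a real listing by replacing SAMPLE_LISTING with the output of os.walk over the affected profile folders; the "original" field is what to compare against backups, and the key_released count tells you whether trying the Kaspersky, ESET, Avast or Trend Micro decryptors above is worthwhile before anything else.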


#2 alpotero

alpotero

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 16 November 2016 - 04:24 PM

Hi guys,

 

I got infected by a ransomware early in the morning when no one is using the machines on the network. Only servers are up.

 

Appended extension on encrypted files are .[worm01@india.com].dharma

 

I can't see any ransomware note as well.

I have some encrypted files if you want samples.

 

I checked it on ID Ransomware but it is not yet identified... Does anyone of you have the same issue?

 

I suspect that our server was hacked...

 

Please help for any suggestions what to do.

 

Thanks in advance.

 

 

 

Case SHA1 from ID Ransomware: 35ecaeb30834a05cdc61f777781531b73585b7e5


Edited by alpotero, 16 November 2016 - 04:26 PM.


#3 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 November 2016 - 04:48 PM

I've had only one other submission with that extension, and a different email address (".[bitcoin143@india.com].dharma"). They also did not upload a ransom note, and it was submitted a few hours before yours. This may be something new, not finding any info on it. I don't see a pattern in the hex.

 

If you can find any samples of the malware, that would be needed for analysis.


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic]

RansomNoteCleaner - Remove Ransom Notes Left Behind [Support Topic]

CryptoSearch - Find Files Encrypted by Ransomware [Support Topic]

If I have helped you and you wish to support my ransomware fighting, you may support me here.


#4 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 November 2016 - 04:58 PM

@Haleice

 

We've merged your post, I only noticed it on the other topic after replying to this one.

 

If the malware is still running on startup, you should be able to find it easily with AutoRuns. Check the owner of the files, that should help you verify what workstation and profile is infected.

 

If you find the malware, please submit it here: http://www.bleepingcomputer.com/submit-malware.php?channel=168

 

Also, if you have pairs of files before/after the encryption we can use for comparing, you may submit those as well.


Edited by Demonslay335, 16 November 2016 - 05:01 PM.



#5 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 November 2016 - 05:06 PM

We believe this may be a variant of CrySiS based on some hex patterns at the footer of the files. CrySiS recently had keys released. Can you both try the decrypter released by Kaspersky? If it fails to try the files, try renaming a file to one of the known types for the decrypter.

 

http://www.bleepingcomputer.com/forums/t/607680/crysis-extensionid-numberemailxtblcrysis-ransomware-support-topic/


Edited by Demonslay335, 16 November 2016 - 05:07 PM.



#6 Haleice (Topic Starter)

Posted 16 November 2016 - 05:12 PM

Hi Demonslay335,

 

I'm not able to check the AutoRuns until tomorrow morning as I'm not able to access the PC/server remotely. I should be able to get the file pairs though.

 

Do you want them submitting to the link you posted above?

 

It'll be a couple of hours though before I can get them.

 

Thanks again.



#7 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 November 2016 - 05:23 PM

Yes, if you could zip them all together that would help. This may be a new variant based on CrySiS with different keys than those released.




#8 alpotero

alpotero

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 16 November 2016 - 05:24 PM

FYI.. I got infected by a different ransomware using the .lock extension.

I was not yet finished restoring the files when the .dharma ransomware infected.

I noticed that it also encrypts the .lock files.

 

After the first ransomware infection the file name is sample_file.xls.id-{8 char}.{funa@india.com}.lock

After the 2nd ransomware infection the file name is now sample_file.xls.id-{8 char}.{funa@india.com}.lock.[worm01@india.com].dharma

 

I think it's also being a stampado.. encrypting encrypted files.

 

I'll look for the malicious auto-starting files and I'll send one once I find it.



#9 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor)

Posted 16 November 2016 - 05:47 PM

If you were hit with this, please check whether you have RDP enabled and if so either disable it or put a secure password on it. You can check the Event Viewer logs to see if anyone has used RDP.

 

xXToffeeXx~


ID Ransomware - Identify What Ransomware Encrypted Your Files [Support Topic] - If we have helped you out and you want to support what we do, you can do so here

~Twitter~ | ~Malware Analyst at Emsisoft~
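Grinler's note in the first post and the advice just above both point at RDP as the way in, and suggest checking the Event Viewer logs for RDP use. As an added example (written for this page, not code from the thread or from any BleepingComputer tool), the Python script below reviews an exported set of Security log logon events and reports, per source address, successful RDP logons, failed attempts and successes outside working hours. It relies on two standard Windows facts: event 4624 is a successful logon and 4625 a failed one, and logon type 10 (RemoteInteractive) is what an RDP session produces. The CSV layout and every record in SAMPLE_EVENTS_CSV are constructed for illustration; a real export from Event Viewer or Get-WinEvent carries many more columns, of which only these five are used. The working-hours window is an assumed default you would set for your own site.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: a simplified export of Windows Security log fields.
# Times are the server's local time. The off-hours burst from 203.0.113.77
# models the "early in the morning when no one is using the machines"
# timing reported in this thread.
SAMPLE_EVENTS_CSV = """TimeCreated,EventID,LogonType,TargetUserName,IpAddress
2016-11-16 02:41:07,4625,10,administrator,203.0.113.77
2016-11-16 02:41:12,4625,10,administrator,203.0.113.77
2016-11-16 02:41:19,4625,10,admin,203.0.113.77
2016-11-16 02:42:03,4624,10,administrator,203.0.113.77
2016-11-16 09:15:44,4624,10,jsmith,192.168.1.24
2016-11-16 09:16:02,4624,2,jsmith,-
2016-11-16 13:02:55,4624,3,svc_backup,192.168.1.10
"""

RDP_LOGON_TYPE = "10"          # RemoteInteractive: the logon type RDP sessions produce
SUCCESS, FAILURE = "4624", "4625"


def review_rdp_logons(csv_text, work_hours=(7, 19)):
    """Group RDP logon events by source IP.

    Returns {ip: {"users": set, "success": n, "failed": n, "off_hours": n}}
    where off_hours counts successes outside work_hours (start inclusive,
    end exclusive). Console, network and service logons are ignored.
    """
    start, end = work_hours
    report = defaultdict(lambda: {"users": set(), "success": 0,
                                  "failed": 0, "off_hours": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["LogonType"] != RDP_LOGON_TYPE:
            continue
        entry = report[row["IpAddress"]]
        if row["EventID"] == FAILURE:
            entry["failed"] += 1
        elif row["EventID"] == SUCCESS:
            entry["success"] += 1
            entry["users"].add(row["TargetUserName"])
            when = datetime.strptime(row["TimeCreated"], "%Y-%m-%d %H:%M:%S")
            if not (start <= when.hour < end):
                entry["off_hours"] += 1
    return dict(report)


def suspicious_sources(report, max_failures=2):
    """Sources worth a closer look: more than max_failures failed attempts
    from an address that also logged in successfully (password guessing that
    eventually worked), or any success outside working hours."""
    return sorted(ip for ip, e in report.items()
                  if (e["failed"] > max_failures and e["success"]) or e["off_hours"])


if __name__ == "__main__":
    report = review_rdp_logons(SAMPLE_EVENTS_CSV)
    for ip, e in sorted(report.items()):
        print(f"{ip:<15} ok={e['success']} failed={e['failed']} "
              f"off_hours={e['off_hours']} users={sorted(e['users'])}")
    print("review:", ", ".join(suspicious_sources(report)))
```

A source that appears in suspicious_sources is a starting point, not a verdict: the account it reached is the profile to check for files dropped under the user folder (the thread mentions a README.txt in the startup folder and tools in a newly created directory), and the address itself tells you whether RDP was reachable from outside the network at all, which is the condition the advice above says to remove.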


#10 Berserkir-Wolf

Posted 16 November 2016 - 06:15 PM

Just found a site with the same error. The file that ran the encrypt appears to name itself 'skanda.exe'. The files also show the extension ".[bitcoin143@india.com].dharma", much like Demonslay335 is seeing.

The Kaspersky decrypter tool does not work - throws an error of "unsupported file type" even if I change the extension.

 

The user that the application ran as has had a folder created called "opFirlma", which had a 'plink.exe' application in it. I assume that's how they did the rewrite.

Unlike Demonslay335, this one does have a ransom note. It is a README.txt file that was in the startup folder of the user that was used to run the exploit, and I cannot yet see why this user got it.

The file states simply:

ATTENTION!
At the moment, your system is not protected.
We can fix it and restore files.
To restore the system write to this address:
bitcoin143@india.com



#11 alpotero

alpotero

  •  Avatar image
  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:07 PM

Posted 16 November 2016 - 06:41 PM

I found a malicious worm.exe on the Desktop of a terminal server user, and my AV did detect it...

It resides on the terminal server... I noticed that it resides on one terminal server account profile, and that profile's files are encrypted with .[worm01@india.com].dharma
 

Once we are up and good to go, I'll try to extract it from the AV quarantine and will give a copy to you guys.

 

Regards,



#12 Haleice (Topic Starter)

Posted 16 November 2016 - 08:48 PM

I have uploaded a zip file containing 4 files, 2 encrypted and 2 re-downloaded from my email.

 

I tried the RakhniDecrypter.EXE and renamed a file to fit the format so it could scan it, but it couldn't recover the password.

 

If it is a variant of CrySiS, is it likely that it will be cracked in the near future, or should I just cut my losses and rebuild the server and PCs?



#13 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 16 November 2016 - 09:09 PM

@Berserkir-Wolf

Do you have a sample of the malware? Could you share it to the link I provided?

@Haleice

We don't really know at this point. Keys were released by who we assume was the developer of CrySiS, but we don't know how spread the variants were and if it was modified or anything. I would assume it is a loss at this point until further information is found. If you have backups (which everyone should), you should restore from them. It's always worth a shot running ShadowExplorer and Recuva, some victims of ransomware get lucky.




#14 Demonslay335 (Ransomware Hunter, Security Colleague)

Posted 17 November 2016 - 09:59 AM

@Berserkir-Wolf

 

Thanks, we received the sample and confirmed it is the encrypter. We're taking a look at it to see whether it is a variant off of CrySiS or something new.




#15 quietman7 (Bleepin' Gumshoe, Global Moderator)

Posted 17 November 2016 - 08:04 PM

...if it is a variant of CrySiS, is it likely that it will be cracked in the near future, or should I just cut my losses and rebuild the server and PCs?

Regardless of what ransomware it is, you should create a copy or image of the entire hard drive. Doing that allows you to save the complete state of your system (and all encrypted data) in the event that a free decryption solution is developed. In some cases, there may be decryption tools available but there is no guarantee they will work properly since the malware writers keep releasing new variants in order to defeat the efforts of security researchers.

Imaging the drive backs up everything related to the infection including encrypted files, ransom notes and registry entries containing possible information which may be needed if a solution is ever discovered. The encrypted files do not contain malicious code so they are safe. Even if a decryption tool is available, they do not always work correctly so keeping a backup of the original encrypted files and related information is a good practice.

Microsoft MVP Alumni 2023, Windows Insider MVP 2017-2020, MVP Reconnect 2016-2023
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Retired Police Officer, Federal Agent and Coast Guard Chief

If I have been helpful & you'd like to consider a donation, click here.




