
Dharma 2017 Ransomware

Posted: August 17, 2017

Threat Metric

Ranking: 5,734
Threat Level: 10/10
Infected PCs: 61,553
First Seen: November 17, 2016
Last Seen: October 16, 2023
OS(es) Affected: Windows

The Dharma 2017 Ransomware is an updated version of the Dharma Ransomware, which is, in turn, a derivative of the Crysis Ransomware. These Trojans encrypt your files and hold them for ransom, demanding payment for their decryption software, and show symptoms such as text-based ransom notes and changes to the names and extensions of your files. Backups and free decryptors can help recover encrypted files, and anti-malware software should always be used to remove the Dharma 2017 Ransomware safely.

Your Monthly, Multinational Dharma Ransomware Update

New versions of the Dharma Ransomware branch of the Crysis Ransomware family continue to be active threats, encrypting files for quick money around the world. One of the latest spikes in activity within this sub-family, the Dharma 2017 Ransomware, uses the '.cesar' extension as its brand mark. Like related attacks, a Dharma 2017 Ransomware infection puts every file of a targeted type on the PC at risk of being encrypted, with no guarantee of recovery.

The Dharma 2017 Ransomware is circulating through a global campaign that targets multiple countries and continents, as has been the case with past versions of the Dharma Ransomware. It uses an encryption algorithm to encode content such as documents, pictures and other media, and shows no visible symptoms while it scans for files to lock. The Dharma 2017 Ransomware appends a new extension ('.cesar') to everything it encrypts and may also insert an e-mail address for contacting its operator into the filename. These attacks can affect network-mapped drives as well as local ones.

Malware experts aren't able to confirm any notable changes in the ransom-note components of the Dharma 2017 Ransomware, which demands Bitcoin payments. Bitcoin transactions are irreversible, and a refund happens only if the recipient chooses to send the money back, so anyone who pays is accepting the risk of paying without ever receiving a working decryptor.

Updating Your Security Solutions against Updated Trojans

The Dharma 2017 Ransomware may be circulating through brute-force attacks that crack network logins, a tactic verified for this family previously. Malware experts see frequent reports of attacks in Europe especially, although Dharma 2017 Ransomware infection attempts are also traceable throughout North America, the Middle East and India. Passwords that conform to basic security standards (multiple cases, combinations of numbers and letters, and above all sufficient length and no reuse across accounts) reduce, if not remove completely, the risk of a remote attacker brute-forcing a way into a network. Complexity rules alone do not stop an attacker who can keep trying passwords against a reachable login service, so an account-lockout policy and monitoring of failed logons on that service close the rest of the gap.
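The brute-force vector is also the one you can detect before any encryption starts: Windows logs every failed logon as Security event 4625 (LogonType 10 means RemoteInteractive, i.e. RDP) and a successful one as 4624. The following is an added example, not code from this page or from the researchers it cites. It runs a sliding-window rule over constructed log lines written in a simplified one-event-per-line format that is an assumption of the example (a real evtx or SIEM export needs its own parser), flags a source that produces five or more failures inside five minutes, and records whether that source then logged on successfully, which is the case that needs an immediate response.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One event per line. This compact format is an assumption of the example;
# the fields are the ones Security events 4625/4624 carry.
EVENT = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)


def parse_event(line):
    m = EVENT.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "eid": int(m["eid"]),
        "ltype": int(m["ltype"]),          # 10 = RemoteInteractive (RDP)
        "acct": m["acct"].lower(),
        "src": m["src"],
    }


def find_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window rule over time-ordered events.
    Flags a source once it produces `threshold` failed logons (4625) inside
    `window`, and marks it if a later successful logon (4624) comes from it.
    Returns {source: {"failures": most failures seen in one window,
                      "accounts": distinct accounts tried,
                      "success_after": bool}}."""
    recent = defaultdict(deque)      # src -> timestamps of failures in window
    accounts = defaultdict(set)
    report = {}
    for ev in filter(None, map(parse_event, lines)):
        src = ev["src"]
        if ev["eid"] == 4625:
            q = recent[src]
            q.append(ev["ts"])
            accounts[src].add(ev["acct"])
            while ev["ts"] - q[0] > window:      # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                r = report.setdefault(src, {"failures": 0, "accounts": 0, "success_after": False})
                r["failures"] = max(r["failures"], len(q))
                r["accounts"] = len(accounts[src])
        elif ev["eid"] == 4624 and src in report:
            # A success from an already-flagged source: treat as a likely compromise.
            report[src]["success_after"] = True
    return report


# Constructed sample log (RFC 5737 documentation addresses, made-up accounts).
SAMPLE_LOG = [
    "2017-08-15T02:14:01Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7",
    "2017-08-15T02:14:03Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7",
    "2017-08-15T02:14:05Z EventID=4625 LogonType=10 Account=admin Source=203.0.113.7",
    "2017-08-15T02:14:06Z EventID=4625 LogonType=10 Account=backup Source=203.0.113.7",
    "2017-08-15T02:14:08Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7",
    "2017-08-15T02:14:09Z EventID=4625 LogonType=10 Account=administrator Source=203.0.113.7",
    "2017-08-15T02:15:30Z EventID=4624 LogonType=10 Account=administrator Source=203.0.113.7",
    "2017-08-15T09:00:00Z EventID=4625 LogonType=10 Account=jsmith Source=198.51.100.20",
    "2017-08-15T09:00:40Z EventID=4624 LogonType=10 Account=jsmith Source=198.51.100.20",
]

if __name__ == "__main__":
    for src, r in find_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {r['failures']} failures, {r['accounts']} accounts, "
              f"success after: {r['success_after']}")
```

Feed events in time order (sort the export first if it isn't). Five failures in five minutes is a conservative threshold for an RDP service reachable from the internet; a single user mistyping a password, like the second source above, never trips it, while the first source is reported with its account count, which also exposes password spraying across several usernames.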

For recovering encrypted content, malware experts always endorse keeping backups, which remove any need to break a file-locking Trojan's cipher. If backups aren't available, the Dharma 2017 Ransomware does belong to a family of threats with compatible free decryptors, such as the RakhniDecryptor. Copy files before testing them with third-party decoding tools, and contact appropriate anti-malware researchers for in-depth assistance if necessary.

Although remote attackers dropping the Dharma 2017 Ransomware during a manual attack could disable any security software first, such products can still protect your files from other infection methods, such as spam e-mail attachments. Always use anti-malware programs to remove the Dharma 2017 Ransomware and to determine whether other threatening software, such as backdoor Trojans, was installed alongside it by the threat actor.

As long as companies' and individuals' security practices stagnate, con artists see little need to update their strategies for compromising PCs. The characters in your password may be inconvenient to remember, but they could also be the best defense between your files and the Dharma 2017 Ransomware's encryption.

Update November 28th, 2018 — 'cyberwars@qq.com' Ransomware

A brand-new variant of the Dharma ransomware has been spotted in the wild. Malware researchers isolated a sample of the new Dharma offshoot and are calling it the 'cyberwars@qq.com' Ransomware, after the e-mail address embedded in the encrypted filenames. The new version of Dharma drops a concise ransom note on the victim's hard drive named FILES ENCRYPTED.txt. The ransom text is as follows:

"all your data has been locked us
You want to return?
write email cyberwars at qq.com"

The encrypted files receive a new suffix made of three parts: a randomly generated numeric ID, the address cyberwars at qq.com in angle brackets, and '.war' appended at the very end. At this point there is very little information about any other meaningful differences between this new variant and the older versions of the Dharma ransomware.

Update November 30th, 2018 — 'parambingobam@cock.li' Ransomware

The Dharma Ransomware's recent popularity does not appear to be dying down, and malware researchers keep stumbling upon new Dharma Ransomware variants that use the same encryption algorithm. The latest member of the Dharma family has been dubbed the 'parambingobam@cock.li' Ransomware. This file-locker always uses the '.adobe' extension to mark the locked files, but security researchers have identified several samples that use different contact e-mail addresses: parambingobam@cock.li, bufytufylala@tuta.io and mercarinotitia@qq.com. Regardless of the e-mail address used, the files locked by the ransomware always have the following extension applied to their names, with the victim's ID after 'id-' and the contact address in place of [EMAIL]: .id-.[EMAIL].adobe
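The naming scheme above, and the '.cesar' and '.war' marks described earlier, are the quickest way to scope an incident: the ID tells you how many distinct victim IDs (and therefore hosts) were hit, and the e-mail address tells you which variant and which contact you are dealing with. The following is an added example, not code from this page or from the researchers it cites. It assumes the layout <original name>.<original ext>.id-<ID>.[<e-mail>].<variant ext>, accepts both square and angle brackets because this page describes both, treats the ID as alphanumeric, and the directory listing it runs on is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Dharma/Crysis naming scheme as described on this page (assumptions: the ID is
# alphanumeric and non-empty; the contact address sits in [] or <> brackets).
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[A-Za-z0-9]+)"
    r"\.[\[<](?P<email>[^\]>]+@[^\]>]+)[\]>]"
    r"\.(?P<ext>[A-Za-z0-9]+)$"
)


@dataclass(frozen=True)
class DharmaMark:
    original: str     # the file name before the ransomware renamed it
    victim_id: str    # per-victim ID inserted after "id-"
    email: str        # contact address chosen by the operator
    ext: str          # variant extension: cesar, war, adobe, ...


def parse_dharma_name(name: str) -> Optional[DharmaMark]:
    """Return the parsed mark for a Dharma-style file name, or None if the
    name does not carry the full id-/e-mail/extension suffix."""
    m = DHARMA_NAME.match(name)
    if not m:
        return None
    return DharmaMark(m["original"], m["victim_id"], m["email"], m["ext"])


def triage(names):
    """Parse a listing. Returns (hits, summary) where summary maps
    (contact e-mail, variant extension) -> set of victim IDs seen."""
    hits = [h for h in (parse_dharma_name(n) for n in names) if h]
    summary = {}
    for h in hits:
        summary.setdefault((h.email, h.ext), set()).add(h.victim_id)
    return hits, summary


# Constructed sample listing: the IDs and the last address are made up.
SAMPLE_LISTING = [
    "budget.xlsx.id-A1B2C3D4.[parambingobam@cock.li].adobe",
    "photo.jpg.id-A1B2C3D4.[parambingobam@cock.li].adobe",
    "notes.docx.id-1234567890.<cyberwars@qq.com>.war",
    "report.pdf.id-A1B2C3D4.[contact@example.invalid].cesar",
    "FILES ENCRYPTED.txt",                      # the ransom note itself
    "normal.docx",                              # untouched file
    "trap.id-.[missing@id.example].adobe",      # empty ID: not a valid mark
]

if __name__ == "__main__":
    hits, summary = triage(SAMPLE_LISTING)
    for h in hits:
        print(f"{h.original:<14} id={h.victim_id:<12} email={h.email:<28} ext=.{h.ext}")
    for (email, ext), ids in summary.items():
        print(f"contact {email} / .{ext}: {len(ids)} victim ID(s)")
```

Stripping the suffix does not recover anything, since the content is still encrypted; the parser is for scoping, not for recovery. Run it over a file-server listing and the summary tells you how many victim IDs are present and whether one operator address or several are involved, which is the first thing a decryptor author or an incident responder will ask.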

The operators of the 'parambingobam@cock.li' Ransomware may rely on spam e-mails to propagate their harmful application, but they might also explore other propagation channels, such as pirated software and media or fake downloads published on torrent trackers and other peer-to-peer sharing platforms. A victim who downloads and launches the 'parambingobam@cock.li' Ransomware might not see the consequences of the file-locker's destructive behavior immediately, because it works in the background before revealing its presence with a ransom note. Once launched, the 'parambingobam@cock.li' Ransomware may need only a few minutes to complete its attack and leave the victim with a massive collection of encrypted documents, photos, videos, songs, archives, databases and other files.

When the 'parambingobam@cock.li' Ransomware's attack is complete, the file-encryption Trojan always drops the file 'FILES ENCRYPTED.txt', which is meant to provide the victim with data recovery instructions. Unfortunately, the solution its authors offer is not one you can use: they may demand a significant amount of money in exchange for their decryption service, and sending money to anonymous cybercriminals is not something you should even consider.

Unfortunately, although older members of the family have free decryptors (see above), the 'parambingobam@cock.li' Ransomware is not a decryptable file-locker, and its victims cannot rely on a free decryptor to save their files. Their best option is to eliminate the 'parambingobam@cock.li' Ransomware with an updated anti-virus program and then try third-party data recovery utilities.

Technical Details

File System Modifications


The following files were created on infected systems. Locations are abbreviated: 'Roaming' is %APPDATA% (%SystemDrive%\Users\<username>\AppData\Roaming), 'Startup' is %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, 'Desktop' is %SystemDrive%\Users\<username>\desktop, and a dash means the path was not recorded. All entries are classified as malware files: the Info.hta entries are the HTML-application ransom note (the copy in Startup reopens at every logon), and the .exe entries are the ransomware executables.

Location | File name | Size (bytes) | MD5 | Detection count | Last updated
Startup | Info.hta | 13787 | ce5451a17a72300ed0f75e3d8de29708 | 84 | April 15, 2017
- | file.exe | 341575 | b84e41893fa55503a84688b36556db05 | 82 | -
Roaming | Info.hta | 13795 | bdc3fca6533c4b1bccc953e7b02137d4 | 77 | April 15, 2017
Roaming | Info.hta | 13927 | 53e186e8ec9c89845580515b57f42645 | 73 | April 15, 2017
Startup | Info.hta | 13789 | 0d4f31aed025f9bb79b93cc87160438e | 73 | April 15, 2017
Roaming | Info.hta | 13927 | 052913d7a6a09437d38d00d747887966 | 63 | April 15, 2017
Startup | Info.hta | 13925 | 82677bdaa1ffd8b2711deaf20e901e12 | 44 | April 15, 2017
Roaming | Info.hta | 13797 | 8a220990e2b0777f21bd4f67e7579196 | 40 | April 15, 2017
Startup | Info.hta | 13913 | 940ce88a73a6a09056ef8485adf9a251 | 40 | April 15, 2017
Startup | Info.hta | 13925 | 9b8ff0f3c4a29d9f7e469df6ed26e876 | 37 | April 15, 2017
Startup | Info.hta | 13925 | afe42573db1509a8af29d322ac68a212 | 35 | April 15, 2017
Startup | Info.hta | 13791 | 46c2099abfb5bf6232a4cebd4c6315aa | 35 | April 15, 2017
Startup | Info.hta | 13797 | 34cab96384ec9ced3bf3622ad28c3a64 | 35 | April 15, 2017
Roaming | Info.hta | 13797 | 92e58f01a7f258403672f6e9409bf9ba | 35 | April 15, 2017
Startup | Info.hta | 13927 | 1b8e9834e05471e504f75eae50ade90d | 30 | April 15, 2017
Roaming | Info.hta | 13927 | 0c9c7d1ecf357c70af0836064885faea | 28 | April 15, 2017
Roaming | Info.hta | 13791 | 0b707f178039ee3e199c9b46c0f25467 | 28 | April 15, 2017
Roaming | Info.hta | 13919 | 65f5f994d7f36f7ed60eb4e812300f05 | 28 | April 15, 2017
Startup | Info.hta | 13931 | 6dddb8c4f20b570a0200beca9bb1f7f2 | 28 | April 15, 2017
Roaming | Info.hta | 13922 | 7ee01de4ec71ba5f66d959faca1af8fa | 26 | April 15, 2017
- | payload.exe | 386048 | d1487253cee49b68aebae1481e34f8fd | 26 | -
Desktop | 1801.exe | 399872 | 44d550f8ac8711121fe76400727176df | 7 | February 11, 2019
- | file.exe | 1583616 | 0bac30f9c6da0ca96dc28d658ec2ecf4 | 5 | January 25, 2020
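Twenty different hashes for a roughly 13.8 KB Info.hta show why matching on MD5 alone is a weak check: every build of the note differs, so a miss proves nothing. What does not change is the behaviour, an .hta dropped into the Startup folder so the note runs at every logon. The following is an added example, not code from this page or from any vendor tool. It combines both checks: it hashes the files in %APPDATA% and its Startup folder against the MD5s listed above and additionally flags any .hta in Startup regardless of hash. The profile it scans is built as a constructed fixture in a temporary directory so the demo runs offline and writes no real sample to disk; point hunt() at a real Roaming folder to use it for triage.

```python
import hashlib
import tempfile
from pathlib import Path

# MD5s copied from the file list above (Info.hta drops and the executables).
KNOWN_MD5 = {
    "ce5451a17a72300ed0f75e3d8de29708", "b84e41893fa55503a84688b36556db05",
    "bdc3fca6533c4b1bccc953e7b02137d4", "53e186e8ec9c89845580515b57f42645",
    "0d4f31aed025f9bb79b93cc87160438e", "052913d7a6a09437d38d00d747887966",
    "82677bdaa1ffd8b2711deaf20e901e12", "8a220990e2b0777f21bd4f67e7579196",
    "940ce88a73a6a09056ef8485adf9a251", "9b8ff0f3c4a29d9f7e469df6ed26e876",
    "afe42573db1509a8af29d322ac68a212", "46c2099abfb5bf6232a4cebd4c6315aa",
    "34cab96384ec9ced3bf3622ad28c3a64", "92e58f01a7f258403672f6e9409bf9ba",
    "1b8e9834e05471e504f75eae50ade90d", "0c9c7d1ecf357c70af0836064885faea",
    "0b707f178039ee3e199c9b46c0f25467", "65f5f994d7f36f7ed60eb4e812300f05",
    "6dddb8c4f20b570a0200beca9bb1f7f2", "7ee01de4ec71ba5f66d959faca1af8fa",
    "d1487253cee49b68aebae1481e34f8fd", "44d550f8ac8711121fe76400727176df",
    "0bac30f9c6da0ca96dc28d658ec2ecf4",
}

# Startup folder relative to %APPDATA%; anything placed here runs at every logon.
STARTUP_REL = Path("Microsoft/Windows/Start Menu/Programs/Startup")


def md5_of(path: Path) -> str:
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(appdata: Path, known_md5=KNOWN_MD5):
    """Scan %APPDATA% and its Startup folder (top level only).
    Returns a list of (path, reason) for files that match a listed hash or
    are .hta files sitting in Startup, whatever their hash."""
    findings = []
    startup = appdata / STARTUP_REL
    for folder in (appdata, startup):
        if not folder.is_dir():
            continue
        for p in sorted(folder.iterdir()):
            if not p.is_file():
                continue
            digest = md5_of(p)
            if digest in known_md5:
                findings.append((p, f"known Dharma artifact, md5={digest}"))
            elif folder == startup and p.suffix.lower() == ".hta":
                findings.append((p, "unrecognised .hta in Startup (runs at every logon)"))
    return findings


def demo():
    """Constructed fixture: a fake Roaming profile holding a benign file, an
    unknown .hta in Startup, and a stand-in file whose hash is added to the
    watch list for the demo. Returns {"<name>@<folder>": reason}."""
    with tempfile.TemporaryDirectory() as d:
        appdata = Path(d) / "AppData" / "Roaming"
        startup = appdata / STARTUP_REL
        startup.mkdir(parents=True)
        (appdata / "settings.ini").write_text("[ui]\ntheme=dark\n")          # benign
        (startup / "Info.hta").write_text("<html><body>constructed note</body></html>")
        stand_in = appdata / "Info.hta"
        stand_in.write_text("constructed stand-in for a listed sample")
        watch = KNOWN_MD5 | {md5_of(stand_in)}
        return {f"{p.name}@{p.parent.name}": why for p, why in hunt(appdata, watch)}


if __name__ == "__main__":
    for key, why in demo().items():
        print(key, "->", why)
```

The hash match is the confirmation, the Startup .hta rule is the detection: a legitimate profile has no HTML application in its Startup folder, so that finding alone justifies isolating the host even when the hash is new. Extend the scan to the other folders from the table (the user's desktop for dropped executables) the same way.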
