
Dharma 2017 Ransomware

Posted: August 17, 2017

Threat Metric

Ranking: 19,937
Threat Level: 10/10
Infected PCs: 61,656
First Seen: November 17, 2016
Last Seen: February 10, 2025
OS(es) Affected: Windows

The Dharma 2017 Ransomware is an updated version of the Dharma Ransomware, which is, in turn, a derivative of the Crysis Ransomware. These Trojans encrypt your files to block them so that you're forced to pay a ransom to use their decryption software, and include symptoms such as text-based ransoming notes and changes to the names and extensions of your media. Backups and freeware decryptors can assist with recovering any blocked media, and anti-malware software always should be used for removing the Dharma 2017 Ransomware safely.

Your Monthly, Multinational Dharma Ransomware Update

New versions of the Dharma Ransomware branch of the Crysis Ransomware's family are continuing to be active threats trying to encrypt files for quick money throughout the world. One of the latest spikes in activity among this sub-family, the Dharma 2017 Ransomware, is using the '.cesar' extension for its brand identity. Like similar attacks, a Dharma 2017 Ransomware infection places all local media on the PC at risk of being corrupted by its cipher permanently.

The Dharma 2017 Ransomware is circulating through a global campaign targeting multiple countries and continents, as has been the case with past versions of the Dharma Ransomware. It uses an encryption algorithm to encode content such as documents, pictures, and other media and shows no visible symptoms while scanning for files to lock. The Dharma 2017 Ransomware adds a new extension to everything it locks ('.cesar') and also may insert an e-mail address for contacting its admin. These attacks may affect network-mapped drives, as well as local ones.

Malware experts aren't able to confirm any notable changes in the ransom note-related components of the Dharma 2017 Ransomware, which uses Bitcoin-based payments. Since this cryptocurrency requires consent from both sides of the transaction for refunding, any victims who take this method of file recovery also are accepting the risk of paying without getting the decryptor.

Updating Your Security Solutions against Updated Trojans

The Dharma 2017 Ransomware may be circulating through brute-force attacks that crack network logins, a tactic verified previously for this family. Malware experts see frequent reports of attacks in Europe especially, although Dharma 2017 Ransomware infection attempts also are traceable throughout North America, the Middle East and India. Using passwords that conform to basic security standards (mixed case, combinations of numbers and letters, etc.) can reduce, if not remove completely, the risk of a remote attacker brute-forcing their way into a network.
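Because the page ties this family to brute-forced network logins, the following Python script, added here as an editor's example rather than anything from the original write-up, shows the defender's side of that tactic: it groups failed logons by source address, flags any source that accumulates five or more failures inside a five-minute window, and records whether a successful logon followed the burst (the pattern that matters most for a manual intrusion). The log lines and the one-line-per-attempt format are constructed for the demonstration; a real deployment would feed it parsed Windows Security events (failed logon 4625, successful logon 4624) or the equivalent from the remote-access service in use.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a hypothetical one-line-per-attempt export:
# "<ISO timestamp> <source address> <account> <FAIL|SUCCESS>".
# Real sources (e.g. Windows Security events 4625/4624) need their own
# parser producing the same (time, source, user, outcome) tuples.
SAMPLE_LOG = """\
2017-08-17T02:00:01 203.0.113.7 administrator FAIL
2017-08-17T02:00:02 203.0.113.7 administrator FAIL
2017-08-17T02:00:03 203.0.113.7 admin FAIL
2017-08-17T02:00:03 203.0.113.7 backup FAIL
2017-08-17T02:00:04 203.0.113.7 administrator FAIL
2017-08-17T02:00:05 203.0.113.7 administrator FAIL
2017-08-17T02:00:06 203.0.113.7 administrator SUCCESS
2017-08-17T02:10:00 192.0.2.15 jsmith FAIL
2017-08-17T02:10:20 192.0.2.15 jsmith SUCCESS
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(FAIL|SUCCESS)$")


def parse_events(text):
    """Turn the constructed export into (datetime, source, user, outcome) tuples,
    silently skipping lines that do not fit the expected shape."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, user, outcome = m.groups()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    return events


def find_bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source: details} for every source whose failed logons reach
    `threshold` inside any sliding `window`. `success_after_failures` is True
    when the same source later logged on successfully, i.e. the guessing
    may have worked and the host needs triage, not just a block rule."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        fails = [e for e in evs if e[3] == "FAIL"]
        best, start = 0, 0
        for end in range(len(fails)):            # sliding window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = fails[-1][0]
            followed = any(e[3] == "SUCCESS" and e[0] >= last_fail for e in evs)
            hits[src] = {
                "max_failures_in_window": best,
                "users": sorted({e[2] for e in fails}),
                "success_after_failures": followed,
            }
    return hits


if __name__ == "__main__":
    for src, info in find_bruteforce_sources(parse_events(SAMPLE_LOG)).items():
        verdict = "SUCCEEDED AFTER BURST" if info["success_after_failures"] else "blocked"
        print(f"{src}: {info['max_failures_in_window']} failures in window, "
              f"accounts {info['users']}, {verdict}")
```

The thresholds are deliberately conservative defaults; tune them to the service's normal failure rate, and treat a source that succeeds right after a burst as an incident rather than a noisy IP.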

For recovering any blocked content, malware experts always endorse having backups to alleviate any requirement for decrypting a file-blocking Trojan's cipher. However, if they're unavailable, the Dharma 2017 Ransomware does belong to a family of threats with compatible, freeware decryptors, such as the RakhniDecryptor. Copy files before testing them with third-party decoding tools and contact appropriate anti-malware researchers, if necessary, for any in-depth assistance.

Although remote attackers dropping the Dharma 2017 Ransomware during a manual attack could disable any security software, such products can protect your media from other infection methods, such as spam e-mail attachments. Always use anti-malware programs for removing the Dharma 2017 Ransomware and determining the potential presence of other threatening software, such as backdoor Trojans, that a threat actor might install along with it.

As long as companies' and individuals' best security practices stagnate, con artists see little need to update their strategies for compromising PCs. The characters in your password may be inconvenient to remember, but also could be the best defense between your files and the Dharma 2017 Ransomware's encryption.

Update November 28th, 2018 — 'cyberwars@qq.com' Ransomware

A brand-new variant of the Dharma ransomware has been spotted in the wild. Malware researchers isolated a sample of the new Dharma offshoot and are calling it the 'cyberwars@qq.com' Ransomware, as per the encrypted filenames. The new version of Dharma dumps a concise ransom note on the victim's hard drive and calls it 'FILES ENCRYPTED.txt'. The ransom text is as follows:

"all your data has been locked us
You want to return?
write email cyberwars at qq.com"

The encrypted files appear to receive some new extensions, including a randomly generated numeric ID, cyberwars at qq.com in angle brackets and .war, appended right at the end. There is very little information about any other meaningful differences between this new variant and the older versions of the Dharma ransomware at this point.

Update November 30th, 2018 — 'parambingobam@cock.li' Ransomware

The Dharma Ransomware's recent popularity does not appear to be dying down, and malware researchers keep stumbling upon new Dharma Ransomware variants that use the same encryption algorithm. The latest member of the Dharma family has been dubbed the 'parambingobam@cock.li' Ransomware. This file-locker always uses the '.adobe' extension to mark the locked files, but security researchers have identified several samples that use different e-mail addresses for contact: parambingobam@cock.li, bufytufylala@tuta.io and mercarinotitia@qq.com. Regardless of the e-mail address used, the files locked by the ransomware will always have the following extension applied to their names: '.id-.[EMAIL].adobe'.

The operators of the 'parambingobam@cock.li' Ransomware may rely on spam e-mails to propagate their harmful application, but they also might explore other malware propagation channels, such as pirated software and media, or fake downloads published on torrent trackers and other peer-to-peer sharing platforms. A victim who downloads and launches the 'parambingobam@cock.li' Ransomware might not see the consequences of this file-locker's destructive behavior immediately, because the Trojan usually works in the background before revealing its presence with a ransom note. Once launched, the 'parambingobam@cock.li' Ransomware may need just a few minutes to complete its attack and leave the victim with a massive collection of encrypted documents, photos, videos, songs, archives, databases and other files.

When the ‘parambingobam@cock.li' Ransomware’s attack is complete, the file-encryption Trojan will always drop the file ‘FILES ENCRYPTED.txt’ that is meant to provide the victim with data recovery instructions. Unfortunately, the solution offered by the authors of the ‘parambingobam@cock.li' Ransomware is not one you can use – they might demand a significant amount of money in exchange for their decryption service, and we assure you that sending money to anonymous cybercriminals is a thing you should not even consider doing.

Unfortunately, the 'parambingobam@cock.li' Ransomware is not a decryptable file-locker, and its victims will not be able to rely on a free decryptor to save their files. Instead, their best option is to eliminate the 'parambingobam@cock.li' Ransomware with the help of an updated anti-virus program and then try out third-party data recovery utilities.
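Pulling together the naming patterns this page describes (the '.cesar' extension, the '.war' variant with the contact address in angle brackets, and the '.id-<ID>.[EMAIL].adobe' layout), the following Python is an added example, not code from the page or its authors, that classifies file names and ransom-note names so a responder can tell from a file listing which variant and which contact address hit a share. The sample names, the treatment of the ID as a run of hex digits, and the acceptance of either bracket style for every variant are assumptions of this example; a bare extension with no ID or address is reported at low confidence so a legitimately named file is not mistaken for an encrypted one.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Name layouts taken from this page: '.id-<ID>.[EMAIL].adobe', the '.war' variant
# with the address in angle brackets, and '.cesar' with an optional address.
# Hex-digit IDs and either bracket style for every variant are assumptions.
DHARMA_NAME_RE = re.compile(
    r"""^(?P<original>.+?)
        (?:\.id-(?P<id>[0-9A-Fa-f]+))?
        (?:\.(?:\[(?P<email_sq>[^\]]+)\]|<(?P<email_ang>[^>]+)>))?
        \.(?P<ext>adobe|war|cesar)$""",
    re.VERBOSE | re.IGNORECASE,
)

# Ransom-note file names listed on this page.
RANSOM_NOTE_NAMES = {"FILES ENCRYPTED.txt", "Info.hta", "Information.hta", "Inf.hta"}


def classify_name(name):
    """Describe a Dharma-style encrypted file name, or return None.
    'confidence' is 'high' when an ID or e-mail marker is present and 'low'
    when only the bare extension matches."""
    m = DHARMA_NAME_RE.match(name)
    if not m:
        return None
    email = m.group("email_sq") or m.group("email_ang")
    victim_id = m.group("id")
    return {
        "original": m.group("original"),
        "id": victim_id.upper() if victim_id else None,
        "email": email.lower() if email else None,
        "ext": m.group("ext").lower(),
        "confidence": "high" if (victim_id or email) else "low",
    }


def summarize(names):
    """Aggregate the classification of an iterable of file names."""
    out = {"encrypted": 0, "by_ext": Counter(), "by_email": Counter(),
           "ids": set(), "ransom_notes": [], "low_confidence": []}
    for name in names:
        if name in RANSOM_NOTE_NAMES:
            out["ransom_notes"].append(name)
            continue
        info = classify_name(name)
        if info is None:
            continue
        out["encrypted"] += 1
        out["by_ext"][info["ext"]] += 1
        if info["email"]:
            out["by_email"][info["email"]] += 1
        if info["id"]:
            out["ids"].add(info["id"])
        if info["confidence"] == "low":
            out["low_confidence"].append(name)
    return out


def scan_tree(root):
    """Walk a directory tree and summarize every file name found."""
    names = []
    for _dirpath, _dirs, files in os.walk(root):
        names.extend(files)
    return summarize(names)


# Constructed sample names; the ID value is made up for this demonstration.
SAMPLE_NAMES = [
    "budget.xlsx.id-1A2B3C4D.[parambingobam@cock.li].adobe",
    "photo.jpg.id-1A2B3C4D.<cyberwars@qq.com>.war",
    "thesis.docx.id-1A2B3C4D.[bufytufylala@tuta.io].cesar",
    "notes.txt.cesar",
    "FILES ENCRYPTED.txt",
    "README.md",
]

WINDOWS_RESERVED = set('<>:"/\\|?*')


def demo_scan():
    """Write the sample names into a temporary tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name in SAMPLE_NAMES:
            if os.name == "nt" and WINDOWS_RESERVED & set(name):
                continue  # Windows itself refuses these characters in a name
            Path(tmp, name).write_bytes(b"constructed")
        return scan_tree(tmp)


if __name__ == "__main__":
    result = demo_scan()
    print(f"{result['encrypted']} encrypted names; variants: {dict(result['by_ext'])}")
    print("contact addresses:", dict(result["by_email"]))
    print("ransom notes:", result["ransom_notes"], "low confidence:", result["low_confidence"])
```

Running `scan_tree` against a restored share copy gives the variant tally and the contact addresses before anyone opens a note, which is also the evidence to check against the family's free-decryptor coverage mentioned earlier on this page.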


Technical Details

File System Modifications


The following files were created in the system:



%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Information.hta File name: Information.hta
Size: 13.63 KB (13639 bytes)
MD5: 16ccedd463222fbfa8b7e2678d892a7c
Detection count: 119
Mime Type: unknown/hta
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: February 24, 2017
%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup\Inf.hta File name: Inf.hta
Size: 13.64 KB (13641 bytes)
MD5: 1bf867566ccfc201dcf9688a9a21d80b
Detection count: 108
Mime Type: unknown/hta
Path: %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: February 24, 2017
%WINDIR%\System32\inter2811_bandugan_1.exe File name: inter2811_bandugan_1.exe
Size: 332.8 KB (332800 bytes)
MD5: 703c42e5456731444cf68cc27fdfbe96
Detection count: 56
File type: Executable File
Mime Type: unknown/exe
Path: %WINDIR%\System32
Group: Malware file
Last Updated: December 2, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe File name: explorer.exe
Size: 224.3 KB (224308 bytes)
MD5: 674bfb3719ce1b9d30dd906c20251090
Detection count: 47
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: February 24, 2017
%APPDATA%\setap28.exe File name: setap28.exe
Size: 310.58 KB (310581 bytes)
MD5: 1e1bf7697917466739cb5d8c9b31f7d3
Detection count: 44
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: December 7, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload(1)_c.exe File name: Payload(1)_c.exe
Size: 214.32 KB (214322 bytes)
MD5: 7fb036338464c8dcf226c8b269227b65
Detection count: 40
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload2.exe File name: Payload2.exe
Size: 338.19 KB (338197 bytes)
MD5: a9f94a2a8501bf15d8ac1eef95cce3e4
Detection count: 37
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload0.exe File name: Payload0.exe
Size: 324.4 KB (324400 bytes)
MD5: 17bf92deca1953c6ebf2aafb5bf8ebf1
Detection count: 35
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta File name: Info.hta
Size: 13.93 KB (13931 bytes)
MD5: 6dddb8c4f20b570a0200beca9bb1f7f2
Detection count: 28
Mime Type: unknown/hta
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: April 15, 2017
payload.exe File name: payload.exe
Size: 386.04 KB (386048 bytes)
MD5: d1487253cee49b68aebae1481e34f8fd
Detection count: 26
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
%SystemDrive%\Users\<username>\AppData\Roaming\Payload31.exe File name: Payload31.exe
Size: 326.51 KB (326513 bytes)
MD5: db2a372dfcaa0dbba4aaff2eaeb5e516
Detection count: 21
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: December 7, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload30.exe File name: Payload30.exe
Size: 343.3 KB (343308 bytes)
MD5: f6fafa7b9508f9f03ed6c8e4f43f3bb4
Detection count: 19
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload12.exe File name: Payload12.exe
Size: 343.85 KB (343856 bytes)
MD5: d8f6ff36e853b4ea86b7d8b771ea2a89
Detection count: 19
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\payload_CHKS26_c.exe File name: payload_CHKS26_c.exe
Size: 378.19 KB (378193 bytes)
MD5: 52d740c82f8d0437cf877d688c7a91a7
Detection count: 19
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: December 7, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payloadn_c.exe File name: Payloadn_c.exe
Size: 344.06 KB (344064 bytes)
MD5: 8d88bb7595cc40e311740c9487684020
Detection count: 16
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Payload03.exe File name: Payload03.exe
Size: 337.71 KB (337711 bytes)
MD5: cdc19024a2e99c62987dc2c29b7c4322
Detection count: 16
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\setap_c.exe File name: setap_c.exe
Size: 506.2 KB (506209 bytes)
MD5: 72ec9b3d1079d3236481a626295a9bb6
Detection count: 15
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: December 7, 2016
%SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\setap00.exe File name: setap00.exe
Size: 235.86 KB (235860 bytes)
MD5: 5c2fda3a416193055cc02a6cc6876ca7
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Group: Malware file
Last Updated: December 7, 2016
%SYSTEMDRIVE%\Users\<username>\desktop\1801.exe File name: 1801.exe
Size: 399.87 KB (399872 bytes)
MD5: 44d550f8ac8711121fe76400727176df
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\desktop
Group: Malware file
Last Updated: February 11, 2019
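The hashes and drop locations listed above can be turned into a quick host check. The script below is an added example, not something from the page or its authors: it carries the page's 19 MD5 values, hashes every file in the listed drop folders (skipping any folder that does not exist on the host), and separately flags .exe and .hta files found in a Startup folder even when their hash is unknown, because a rebuilt sample changes its MD5 but still needs that folder to run at the next logon. Writing the per-user paths as %APPDATA% and %USERPROFILE% (the page spells them out as %SystemDrive%\Users\<username>\...), and the temporary files in the demo, are this example's assumptions; the demo's hash hit comes from a constructed file whose digest is injected into a copy of the list.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# MD5 values copied from the file list on this page, keyed to the file name recorded with each.
PAGE_MD5_IOCS = {
    "16ccedd463222fbfa8b7e2678d892a7c": "Information.hta",
    "1bf867566ccfc201dcf9688a9a21d80b": "Inf.hta",
    "703c42e5456731444cf68cc27fdfbe96": "inter2811_bandugan_1.exe",
    "674bfb3719ce1b9d30dd906c20251090": "explorer.exe",
    "1e1bf7697917466739cb5d8c9b31f7d3": "setap28.exe",
    "7fb036338464c8dcf226c8b269227b65": "Payload(1)_c.exe",
    "a9f94a2a8501bf15d8ac1eef95cce3e4": "Payload2.exe",
    "17bf92deca1953c6ebf2aafb5bf8ebf1": "Payload0.exe",
    "6dddb8c4f20b570a0200beca9bb1f7f2": "Info.hta",
    "d1487253cee49b68aebae1481e34f8fd": "payload.exe",
    "db2a372dfcaa0dbba4aaff2eaeb5e516": "Payload31.exe",
    "f6fafa7b9508f9f03ed6c8e4f43f3bb4": "Payload30.exe",
    "d8f6ff36e853b4ea86b7d8b771ea2a89": "Payload12.exe",
    "52d740c82f8d0437cf877d688c7a91a7": "payload_CHKS26_c.exe",
    "8d88bb7595cc40e311740c9487684020": "Payloadn_c.exe",
    "cdc19024a2e99c62987dc2c29b7c4322": "Payload03.exe",
    "72ec9b3d1079d3236481a626295a9bb6": "setap_c.exe",
    "5c2fda3a416193055cc02a6cc6876ca7": "setap00.exe",
    "44d550f8ac8711121fe76400727176df": "1801.exe",
}

# Drop locations from the page's list. %APPDATA% and %USERPROFILE% stand in for the
# page's %SystemDrive%\Users\<username>\... spellings (assumption); they expand only on Windows.
PAGE_DROP_DIRS = [
    r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Startup",
    r"%APPDATA%",
    r"%WINDIR%\System32",
    r"%USERPROFILE%\Desktop",
]

STARTUP_MARKER = os.path.join("Start Menu", "Programs", "Startup").lower()
WATCH_SUFFIXES = {".exe", ".hta"}


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def scan_for_iocs(directories, iocs=None, recursive=False):
    """Hash every regular file in the given directories.
    Returns (hash_matches, startup_suspects): hash_matches are (path, md5, listed name)
    tuples for digests present in the IOC set; startup_suspects are .exe/.hta files
    sitting in a Startup folder whose digest is not listed. Missing directories are skipped."""
    iocs = PAGE_MD5_IOCS if iocs is None else iocs
    hash_matches, startup_suspects = [], []
    for d in directories:
        root = Path(os.path.expandvars(d))
        if not root.is_dir():
            continue
        candidates = root.rglob("*") if recursive else root.iterdir()
        for p in candidates:
            if not p.is_file():
                continue
            try:
                digest = md5_of_file(p)
            except OSError:
                continue  # locked or unreadable file; report nothing rather than crash
            if digest in iocs:
                hash_matches.append((str(p), digest, iocs[digest]))
            elif STARTUP_MARKER in str(p).lower() and p.suffix.lower() in WATCH_SUFFIXES:
                startup_suspects.append(str(p))
    return hash_matches, startup_suspects


def demo_with_constructed_files():
    """Build a temporary Startup-style folder holding two constructed files: one whose
    digest is injected into a copy of the IOC set to show a hit, and one .hta that is
    unknown and therefore surfaces only through the Startup-folder rule."""
    with tempfile.TemporaryDirectory() as tmp:
        startup = Path(tmp, "Start Menu", "Programs", "Startup")
        startup.mkdir(parents=True)
        known = startup / "Payload0.exe"
        known.write_bytes(b"constructed sample body, not a real executable")
        (startup / "Info.hta").write_bytes(b"<html>constructed note</html>")
        iocs = dict(PAGE_MD5_IOCS)
        iocs[md5_of_file(known)] = "constructed-demo-entry"
        return scan_for_iocs([tmp], iocs=iocs, recursive=True)


if __name__ == "__main__":
    matches, suspects = scan_for_iocs(PAGE_DROP_DIRS)
    for path, digest, listed in matches:
        print(f"HASH MATCH {path} ({digest}) listed as {listed}")
    for path in suspects:
        print(f"UNLISTED STARTUP ITEM {path}")
```

A clean result from the hash list alone proves little, since every rebuild of the sample changes its MD5; the Startup-folder rule is the more durable of the two checks, and anything it reports should be hashed and submitted for analysis rather than assumed benign.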
