Home Ransomware Crysis/Dharma Ransomware new variant indentified

Crysis/Dharma Ransomware new variant indentified


Recently a new variant of Crysis/Dharma Ransomware has been identified based on its ID it is confirmed that it’s a new Crysis Variant. This new version is said to append the .cobra extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Crysis ransomware was spread by hacking into Remote Desktop Services and manually installing the ransomware.

Ransomware infection: When this Dharma ransomware variant is installed, it will scan a computer for data files and encrypt them. When encrypting a file it will append an extension in the format of .id-[id].[email].cobra.

It should be noted that this ransomware will encrypt both mapped and unmapped network shares. It is important to be sure that the network’s shares are locked down. So that only those who actually need access have permission to that shared network. When this Crysis variant encrypts a computer, it will also delete all of the shadow volume copies on the machine, so as they cannot be used to recover the unencrypted files. It deletes them by running the vssadmin delete shadows /all /quiet command.

This variant of Crysis ransomware will also create two different ransom notes on the infected the computer. When a user logs into the computer, the info.hta file is launched by an autorun.

The other note is called Files encrypted!!.txt and can be found on the desktop. Both of these ransom notes have instructions to make payments and whom should be contacted.

Finally, the ransomware configures itself to start automatically when you login to Windows. This allows it to encrypt new files that are created since it was last executed. Unfortunately, at this time it is not possible to decrypt .cobra files encrypted by the Crysis Ransomware for free. The only way to recover encrypted files is via a backup, or through Shadow Volume Copies. Though Crysis does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so.


  • If you are using Remote Desktop Services, do not connect it directly to the Internet. Instead make it accessible only via a VPN.
  • Always have a Backup.
  • Do not open attachments if you do not know who sent them.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Use hard passwords and never reuse the same password at multiple sites.