Home Ransomware Dharma Ransomware Alert – Everything you should know

Dharma Ransomware Alert – Everything you should know


Lately, a new Ransomware has emerged named “Dharma virus”. The malware analysts are not sure about this cyber infection being an original creation or a new version of some large virus family. Dharma has found to resemble with CrySiS Ransomware, however, the Dharma-CrySiS relationship has not yet confirmed.

This piece of virus seems more different than others in general as it does not drop a ransom note which may give information about the virus origin etc. Also, antivirus does not seem to detect it either making its removal complicated. It has come up with yet another “.wallet” extension. The Dharma virus encrypts the files on the computer which it infects by likely using the AES (Advanced Encryption Algorithm). It also leaves behind a ransom note in a .txt and .jpg files that demands from the victim to pay a hefty “fee” to get the files back. It encrypts user files and leaves as contact e-mail addresses to contact the criminals behind it and pay the ransom fee.

It Changes file extension of encrypted files to .wallet and also Changes wallpaper to one of the ransom  notes that have the backup ransom e-mail – amagnus@india.com. In order to cause successful infection the Dharma’s .wallet variant may utilize a mixture of tools to obfuscate the malware. It may use exploit kits, infection URL’s, malicious javascript, spamming services etc.

The combination of those tools may spread the Ransomware on social media websites, spam messages on emails, fake files uploads etc. Dharma ransomware distributors think of various deceptive ways to sneak these fraudulent applications on the victims’ computers. The most common of them all is delivery by email. The scammers use malicious spam campaigns to spread those emails with attached malware around and sadly the users often fall for their tricks.

After being infected, it starts performing several functions like creating multiple objects in windows registry editor. Those objects may take Ransomware virus run automatically on windows startup and also furthermore executes those files every time windows boots up. When it comes to files, it may create multiple files in the %Temp% and %AppData% folders.

It may also drop some ransom note named as Readme.txt, or Readme.jpg like below:

This variant of Ransomware takes the similar approach like CrySiS XTBL when it comes to the structure of the files after encryption. They again contain the e-mail address requested for contact but they also have the unique for Dharma .wallet extension. Files encrypted by Dharma may look like the following:

dharma pdf

After Dharma has already encrypted the files, they can no longer be opened. Their code is altered using a unique encryption algorithm.


Ransomware like Dharma has once proven that it can be fixed and patched to become more difficult to decrypt and for this to happen the cyber-criminals most likely have invested a lot. The exploiters have made huge profits simply by releasing multiple variants of the malware. This resulted in a lot of people to pay the ransom and get their files decrypted, instead of getting it for free. It is also said that a modified version of Shade- Dharma is created which is currently non-decryptable. We advise to remove the virus and decrypt the .wallet files early as possible because if you continue using it with a ransomware running, every time you reboot the system will result in new encrypted files.