Dharma Ransomware Virus: The .wallet Extension

March 5, 2017 | Views: 4457

In late 2016, the threat actors behind the CrySiS ransomware abandoned their campaign for reasons unknown. They published the master decryption keys so that everyone infected could recover their data. At that point it seemed the group had quit the extortion business. That expectation never materialized, however: the same actors launched another campaign shortly afterwards. The file-scrambling successor, called Dharma (http://myspybot.com/wallet-file-virus/), started infecting Windows computers on a large scale.

While it reuses the same underlying code, this strain manifests itself differently. Having encrypted a victim’s important files, its latest edition appends the .wallet string to filenames, preceded by the attackers’ email address in square brackets. For instance, a Word file called Test.docx becomes Test.docx.[webmafia@asia.com].wallet. The email address in this pattern varies depending on the sub-campaign run by the criminals; some of the widespread ones are amagnus@india.com, stopper@india.com, and lavandos@dr.com.

The .wallet file virus reaches PCs via spam. The operators leverage a botnet to generate large volumes of rogue emails that impersonate Internet service providers, government organizations, e-commerce companies or business partners. The files attached to these messages contain a VBS script that launches the ransomware payload as soon as the recipient opens the attachment.
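The delivery vector just described suggests a simple mail-gateway check. The following is an added example, not code from the article or from any vendor: it flags script-type attachments (the .vbs case the article names, plus a few related Windows script extensions that are my assumption), including double extensions such as invoice.pdf.vbs and scripts nested inside a zip archive. The sample attachments are constructed placeholders with no payload.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs as scripts when double-clicked. The article names .vbs;
# the others are assumed companions for a mail-gateway attachment policy.
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta"}
ARCHIVE_EXTENSIONS = {".zip"}


def is_script_name(filename):
    """True if the final extension is a script type.

    Only the last suffix counts, so a double extension such as
    invoice.pdf.vbs is still caught.
    """
    return PurePosixPath(filename).suffix.lower() in SCRIPT_EXTENSIONS


def scan_attachment(filename, data):
    """Return a list of findings for one attachment given as (name, raw bytes)."""
    findings = []
    if is_script_name(filename):
        findings.append(f"script attachment: {filename}")
    if PurePosixPath(filename).suffix.lower() in ARCHIVE_EXTENSIONS:
        # Look inside the archive without extracting it to disk.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    if is_script_name(member):
                        findings.append(f"script inside archive {filename}: {member}")
        except zipfile.BadZipFile:
            findings.append(f"unreadable archive: {filename}")
    return findings


def triage_message(attachments):
    """Scan every (name, bytes) attachment of a message and collect findings."""
    findings = []
    for name, data in attachments:
        findings.extend(scan_attachment(name, data))
    return findings


def build_sample_attachments():
    """Constructed sample attachments: placeholder bytes only, no real payload."""
    zip_bytes = io.BytesIO()
    with zipfile.ZipFile(zip_bytes, "w") as zf:
        zf.writestr("Invoice_2017.pdf.vbs", "' constructed placeholder, no payload\n")
    return [
        ("quarterly_report.pdf", b"%PDF-1.4 constructed placeholder"),
        ("order_details.vbs", b"' constructed placeholder, no payload\n"),
        ("scan_001.zip", zip_bytes.getvalue()),
    ]


if __name__ == "__main__":
    for finding in triage_message(build_sample_attachments()):
        print(finding)
```

Run as a script, it reports the bare .vbs attachment and the double-extension script inside the zip while leaving the PDF alone. A real gateway would additionally check attachment MIME types and password-protected archives, which this example does not attempt.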

After compromising a system, Dharma scans the hard disk and network drives for popular data types, then encrypts everything it finds. To decrypt these files, the victim is told to follow the instructions in a Readme.txt document that the ransomware leaves on the desktop. Ultimately, the infected user is expected to email the address given there and receive detailed recovery steps in response. The ransom is somewhere around 1 Bitcoin, or about 1,000 USD.
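The naming pattern (original name, attacker email in square brackets, .wallet suffix) and the Readme.txt note described in the two paragraphs above are enough to write a first-pass triage tool for an affected workstation or share. The following is an added example, not code from the article: it parses the .wallet pattern, walks a directory tree, groups encrypted files by the email address (and therefore by sub-campaign), and lists candidate ransom notes. The sample tree is constructed; the email addresses come from the article, the file names and contents are placeholders.

```python
import re
import tempfile
from collections import Counter
from pathlib import Path

# Naming pattern from the article: <original name>.[<attacker email>].wallet
WALLET_PATTERN = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\]@\s]+@[^\]\s]+)\]\.wallet$"
)


def parse_wallet_name(filename):
    """Return (original_name, attacker_email) if the name matches, else None."""
    match = WALLET_PATTERN.match(filename)
    if match is None:
        return None
    return match.group("original"), match.group("email")


def triage_directory(root):
    """Walk `root` and summarise Dharma .wallet indicators found in it.

    Returns a dict with:
      encrypted: list of (relative path, original name, email)
      by_email:  Counter of encrypted files per attacker email
      notes:     relative paths of files named Readme.txt (candidate ransom notes)
    """
    root = Path(root)
    summary = {"encrypted": [], "by_email": Counter(), "notes": []}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        parsed = parse_wallet_name(path.name)
        if parsed is not None:
            original, email = parsed
            summary["encrypted"].append((rel, original, email))
            summary["by_email"][email] += 1
        elif path.name.lower() == "readme.txt":
            # The name alone is a weak indicator; report it for a human to confirm.
            summary["notes"].append(rel)
    return summary


# Constructed sample tree. Emails are from the article; names are made up and the
# contents are placeholders, not encrypted data or a real ransom note.
SAMPLE_FILES = {
    "Documents/Test.docx.[webmafia@asia.com].wallet": b"placeholder",
    "Documents/Budget.xlsx.[webmafia@asia.com].wallet": b"placeholder",
    "Shared/photo.jpg.[amagnus@india.com].wallet": b"placeholder",
    "Shared/unaffected.pdf": b"%PDF-1.4 placeholder",
    "Desktop/Readme.txt": b"[constructed placeholder for the ransom note]",
}


def build_sample_tree(base):
    """Write the constructed sample files under `base`."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


def run_demo():
    """Build the sample tree in a temporary directory, triage it, return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    result = run_demo()
    for email, count in result["by_email"].items():
        print(f"{count} file(s) encrypted under {email}")
    for rel, original, email in result["encrypted"]:
        print(f"  {rel} -> original name {original}")
    print("candidate ransom notes:", result["notes"])
```

Grouping by email matters during response because each address corresponds to a sub-campaign, so files tagged with different addresses may come from separate infections. The Readme.txt match is deliberately reported separately from the encrypted files, since an ordinary readme will trigger it too.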

To keep files from being encrypted and appended with the .wallet extension, users should run reliable security software and never open suspicious-looking email attachments. Forensic data-recovery methods may help in these situations, but their effectiveness depends on how deeply the virus has affected the workstation.

  1. Hi, how to create a piracy virus Facebook account?

  2. Interesting article. +10

  3. Simple to follow the instructions
