Dharma Ransomware Virus: The .wallet Extension

In late 2016, threat actors behind the CrySiS ransomware decided to give up their campaign for some reason. They made the master decryption keys public so that everybody infected could get their data back. It seemed at that point that the group of crooks gave up the nasty extortion business. However, this anticipation never materialized. The same felons launched another campaign shortly. The file-scrambling successor called Dharma (http://myspybot.com/wallet-file-virus/) started infecting Windows computers on a large scale.

While using the same perpetrating code, this pest manifests itself differently. Having locked down one’s important data entries, its latest edition appends the .wallet string to filenames. This suffix is preceded by the attackers’ email address in square brackets. For instance, a Word file called Test.docx will look like this: Test.docx.[webmafia@asia.com].wallet. The email address in this pattern will vary depending on the sub-campaign run by the cyber criminals. Some of the widespread ones include amagnus@india.com, stopper@india.com, and lavandos@dr.com.

The .wallet file virus reaches PCs via spam. The ne’er-do-wells in charge are leveraging a botnet to generate big volumes of rogue emails that impersonate Internet service providers, government organizations, e-commerce companies or business partners. The files attached to these messages contain a stealth VBS script that fires the ransomware payload as soon as the recipient opens the attachment.

After contaminating a system, Dharma scans the hard disk and network drive for popular data types. Then, it will encrypt everything that was detected. To unencrypt these files, a victim is told to follow instructions in Readme.txt document that the ransomware leaves on the desktop. In the long run, the infected user is supposed to shoot an email to the appropriate address and get detailed recovery steps in response. The size of the ransom is somewhere around 1 Bitcoin or about 1,000 USD.