Security Alert: New Dharma Ransomware Strains Alarmingly Go Undetected By Antivirus Engines

Share and earn Cybytes
Facebook Twitter LinkedIn Email

Dharma ransomware is one of the oldest ransomware families in existence and yet it still wreaks havoc, undetected by security solutions. 

October and November saw the appearance of at least four new strains.

We discovered one that goes undetected by almost all the antivirus engines on the market. 

If this trend continues, users who rely on antivirus alone for ransomware protection will be at risk of losing their data forever – there is no free decryption tool for the new Dharma (CrySiS) ransomware strains. 

This month, security researcher Jakub Kroustek found a few new Dharma ransomware strains which encrypted the victim’s files with a “.betta” or “.xxxxx” extension. They asked for the ransom to be paid to either the “” or the “” email address.  

Even though Jakub Kroustek posted his findings about the @foxmail ransom on October 19, at the time of us writing about the strain we uncovered (November 7), only 44 out of 67 antivirus engines detect the malicious file he uncovered, as you can see on VirusTotal.   

Now, in our research, we found another new type of Dharma ransomware, which goes undetected by almost all security solutions. 

new dharma ransomware strain encryption message backtonormal foxmail

Needless to say, this poses a huge risk to both home users and organizations without proper security layers and awareness. 

And yes, it’s the same cybercriminal or group of criminals associated with the email address.  

How bad is it? 

Only a single antivirus engine picks it up, out of 67 listed.

Even though some details associated with it have been flagged by researchers as malicious for almost 2 years now, because of the nature of the Dharma ransomware, detection levels are critically low.

new dharma ransomware strain jotti detection virustotal

Even when using the Jotti malware scan tool, only 1 out of 15 malware scanners pick up this dangerous ransomware strain.  

Our own investigation began with a malicious exe dropped through a .NET file and another associated HTA file, which, once unpacked, directs the victim to pay a Bitcoin ransom to the email address. 

We double-checked the HTA file using ID-ransomware, a tool that assesses the ransom note, and the result came back as belonging to the Dharma (.cezar ransomware family).

new dharma ransomware detection

Security researcher Michael Gillespie warned it intensifying back in 2017. Now, he also found a Dharma Ransomware strain that uses a .NET dropper to spread. Once it hits an unprotected device, it will encrypt all files with a “.tron” extension, demanding payment to be made at the or email addresses.  

He submitted the findings to VirusTotal on November 6, and, at the time of writing this security alert, only 28 out of 66 antivirus engines are capable of detecting this malicious file.  

What happened? 

new dharma ransomware strain jotti detection

As we outlined above, as of now, November 7, only 1 out of 67 Antivirus engines can detect this type of Dharma ransomware. For others’ findings, Antivirus detection is still woefully lagging behind, because of the nature of the infection.  

How the infection happens: 

From our investigation so far, the infection vector for this particular Dharma ransomware has been the Windows RPD (Remote Desktop Protocol). The malicious executable does not exploit vulnerabilities but uses Trojan-like behavior. 

Malicious actors will use tools like remote port scanners to scan enterprise computers, hunting for RDP-enabled endpoints that employees commonly use to log-in from home. Then, once they find an RDP-enabled endpoint, the criminals will try to log by guessing the admin name and brute-force attacking the password. Once that happens, the criminals will copy and execute the ransomware strain. Because they usually have admin rights, the criminals can even turn off those protections put in place, so strong passwords are essential.  

Dharma ransomware strains associated with the ransom payment address will encode data formats including but not limited to: 

.odc, .odm, .odp, .ods, .odt, .docm, .docx, .doc, .odb, .mp4, .sql, .7z, .m4a, .rar, .wma, .gdb, .tax, .pkpass, .bc6, .bc7, .avi, .wmv, .csv, .d3dbsp, .zip, .sie, .sum, .ibank, .t13, .t12, .qdf, .bkp, .qic, .bkf, .sidn, .sidd, .mddata, .itl, .itdb, .icxs, .hvpl, .hplg, .hkdb, .mdbackup, .syncdb, .gho, .cas, .svg, .map, .wmo, .itm, .sb, .fos, .mov, .vdf, .ztmp, .sis, .sid, .ncf, .menu, .layout, .dmp, .blob, .esm, .vcf, .vtf, .dazip, .fpk, .mlx, .kf, .iwd, .vpk, .tor, .psk, .rim, .w3x, .fsh, .ntl, .arch00, .lvl, .snx, .cfr, .ff, .vpp_pc, .lrf, .m2, .mcmeta, .vfs0, .mpqge, .kdb, .db0, .dba, .rofl, .hkx, .bar, .upk, .das, .iwi, .litemod, .asset, .forge, .ltx, .bsa, .apk, .re4, .sav, .lbf, .slm, .bik, .epk, .rgss3a, .pak, .big, .wallet, .wotreplay, .xxx, .desc, .py, .m3u, .flv, .js, .css, .rb, .png, .jpeg, .txt, .p7c, .p7b, .p12, .pfx, .pem, .crt, .cer, .der, .x3f, .srw, .pef, .ptx, .r3d, .rw2, .rwl, .raw, .raf, .orf, .nrw, .mrwref, .mef, .erf, .kdc, .dcr, .cr2, .crw, .bay, .sr2, .srf, .arw, .3fr, .dng, .jpe, .jpg, .cdr, .indd, .ai, .eps, .pdf, .pdd, .psd, .dbf, .mdf, .wb2, .rtf, .wpd, .dxg, .xf, .dwg, .pst, .accdb, .mdb, .pptm, .pptx, .ppt, .xlk, .xlsb, .xlsm, .xlsx, .xls, .wps. 

Most Dharma ransomware infections happen locally and the strains we uncovered follow the same pattern.  

And here comes the worst news: even if you pay the ransom, the attacker will not decrypt your files.   

new dharma ransomware strain encrypted files

This malware strain and other similar ones will never try to connect to malicious command and control centers. It will generate its encrypting key locally, without sending it back to the attacker, so it’s a fake key.  

How to stay safe from the Dharma ransomware: 

The only way to be safe from ransomware is to proactively defend your devices by backing up your info often and using multiple security layers, not just Antivirus alone.   

For Dharma ransomware in particular, strong passwords and 2-factor authentications are mandatory, for the reasons we outlined above. 

The newest Dharma (CrySis) ransomware strains do not have decryption tools available so, in this case, prevention beats the cure. For online safety, we recommend you follow these anti-ransomware security measures: 

  1. Always backup your data in multiple locations. Use external sources such as a hard drive or in the cloud (Google Drive, Dropbox, etc.) to store it. Our guide will show you how to do it; 
  2. Always keep your software upgraded to their latest versions, as malware and ransomware usually targets outdated programs and apps. 
  3. Keep strong passwords for any account you use, either personal or in a business setting. At an enterprise level, Dharma ransomware can compromise an endpoint through brute-force attacks in order to gain access and execute the malicious file.  
  4. DO NOT open spam emails or download or copy attachments, links or files from unknown sources that could infect your computer; 
  5. For protection from common ransomware strains, consider using multiple security layers. Antivirus should be the base but you should also have proactive, anti-malware security solutions with behavioral analysis. Your browser should have protections like adblockers in place. 
  6. Given the rise of new types of malware, we remind you that security is not just about using all the latest security tools, it’s also about getting educated so you can better spot suspicious activity. These free educational resources can help you gain more knowledge in the cybersecurity field; 
  7. In case you do get infected with ransomware (Dharma or other files), before attempting decryption duplicate your encrypted files and keep a copy safe. That way, if a ransomware decryption tool becomes available in the future, you can eventually restore your files.  
  8. Lastly, never pay the ransom. As you can see, there is no guarantee and almost no chance to recover your data. 


Are you a security researcher and spotted even more Dharma variants in recent months? We would love to hear your input, so please get in touch.  

The post Security Alert: New Dharma Ransomware Strains Alarmingly Go Undetected By Antivirus Engines appeared first on Heimdal Security Blog.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Heimdal Security
We protect users and companies from cyber-criminal actions, by keeping confidential information and intellectual property safe. We build products focused on proactive cyber security and we dedicate a big part of our efforts to cyber security education for everyone.
Promoted Content
Expert Roundup: Is Internet Security a Losing Battle?
A while ago, one of our readers asked us to answer the following questions: Is Internet security a losing battle? How come companies are always 1-2 steps behind the fight? How can the bad guys respond so fast?That reader is certainly not the only one with this issue on his mind. Many Internet users feel discouraged by the current state of cyber crime and its consequences, and the rest don’t yet understand why they should care about it. We wanted to do something to change this.Naturally, users like you and me are not the only ones who wrestle this dilemma. Within the industry, cyber security experts are deeply involved in studying the causes and changes which have brought us to this point so they can create better solutions. Each of these experts brings a different perspective to the discussion, because no single person can ever claim to have the full picture.That is why we reached out to some of the most experienced cyber security specialists in the field to gather their thoughts on the topic. We believe that the questions we received are justified and they deserve an honest answer. And you will find plenty of them in the article!

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?