Security researchers continually hunt for new ransomware strains so that removal and recovery guidance can keep pace with them. Recently, another variant of the Dharma/Crysis family was identified.
The new variant appends a different extension, .bip, to the files it encrypts. Its delivery method has not yet been established. Earlier Dharma versions were mostly delivered through exposed remote desktop services (the attackers gained access over RDP and then ran the ransomware themselves), and in some cases the ransomware was installed manually on the targeted device to encrypt its files.
A Lengthy Extension
Besides the .bip extension, every encrypted file name also carries a victim ID and a lengthy contact e-mail address. This is how a file looks before and after encryption by the new variant:
Normal file: Name.jpg
Encrypted file: Name.jpg.id-BCBEF350.[Beamsell@qq.com].bip
The pattern is therefore <original name>.id-<victim ID>.[<contact e-mail>].bip; the original name and extension are kept, which is what makes the encrypted files easy to inventory.
The new variant is particularly damaging on shared networks because it also encrypts mapped network drives, shared host drives and network shares, so a single infected host can encrypt everything its logged-on user has write access to. Organizations with broadly writable shares are therefore exposed, and recovery for them means cleaning every affected host and share, not just the machine that ran the malware.
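The naming scheme above makes encrypted files easy to inventory, and because the variant also reaches network shares, the inventory has to cover mapped drives as well as local disks. The following is an added example written for this page (it is not code from the original article or from any vendor tool): it parses the .bip naming pattern, extracts the victim ID and contact address, and summarises a directory tree or a plain list of names. The pattern, the sample file names and the note file names in the sample listing are constructed for illustration; the only real detail is the example name quoted above.

```python
import os
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional

# Naming scheme described on the page:
#   <original name>.id-<8 hex chars>.[<contact e-mail>].bip
# The victim ID length (8 hex chars) is taken from the single example above;
# treat it as an assumption if you meet a sample with a different ID length.
BIP_PATTERN = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.bip$"
)


@dataclass(frozen=True)
class EncryptedFile:
    original_name: str   # name the file had before encryption
    victim_id: str       # per-victim ID, normalised to upper case
    contact_email: str   # address the ransom note tells the victim to write to


def parse_bip_name(filename: str) -> Optional[EncryptedFile]:
    """Return the parsed fields if `filename` follows the .bip scheme, else None."""
    m = BIP_PATTERN.match(filename)
    if not m:
        return None
    return EncryptedFile(m.group("original"), m.group("victim_id").upper(), m.group("email"))


def triage(filenames: Iterable[str]) -> dict:
    """Summarise a listing: how many files are encrypted, which victim IDs and
    contact addresses appear, and which original names they map back to."""
    hits = [p for p in (parse_bip_name(f) for f in filenames) if p is not None]
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({h.victim_id for h in hits}),
        "contact_emails": Counter(h.contact_email for h in hits),
        "originals": sorted(h.original_name for h in hits),
    }


def triage_tree(root: str) -> dict:
    """Walk a directory (a local disk or a mounted/mapped share) and triage every file name."""
    names = (f for _, _, files in os.walk(root) for f in files)
    return triage(names)


# Constructed sample listing (not real victim data). The first entry is the page's
# own example; the ransom note names are placeholders, not the variant's real ones.
SAMPLE_LISTING = [
    "Name.jpg.id-BCBEF350.[Beamsell@qq.com].bip",
    "report.docx.id-BCBEF350.[Beamsell@qq.com].bip",
    "budget.xlsx.id-bcbef350.[Beamsell@qq.com].bip",  # lower-case ID still matches
    "ransom_note.txt",
    "ransom_note.hta",
    "holiday.jpg",
    "something.bip",  # wrong shape (no ID or e-mail): must not be counted
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
    # Point triage_tree at a mapped drive letter or UNC mount to measure spread on shares.
```

Pointing `triage_tree` at each mapped drive and share gives the blast radius that the paragraph above warns about; the victim ID tells you whether separate shares were hit by the same infection, and the contact address is the indicator worth blocking at the mail gateway.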
To frustrate recovery, the new Dharma also deletes the Volume Shadow Copies that could otherwise be used to restore encrypted files. It also installs a persistence entry so that it runs again at every start-up of the infected device and encrypts any files it did not reach before; simply rebooting does not stop it.
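Both behaviours in the paragraph above, shadow copy deletion and run-at-boot persistence, show up in process-creation telemetry (Sysmon event 1, Windows 4688 or an EDR feed). Below is an added detection example written for this page, not code from the article or from any product: it runs a few rules over constructed log lines and then correlates them per parent process, because a single parent that both destroys shadow copies and installs persistence is a much stronger signal than either event alone. The commands matched (vssadmin, wmic shadowcopy, reg add to a Run key, a copy into the Startup folder) are the usual Windows ways of doing what the paragraph describes and are my assumption; the page itself does not name the exact commands this variant uses. The log format (`timestamp|parent image|image|command line`) and the sample lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Alert:
    timestamp: str
    parent_image: str
    rule: str
    command_line: str


# Rules are regexes over the lower-cased command line. Assumed typical tooling, not
# something the page states this variant uses.
RULES = [
    ("shadow_copy_deletion_vssadmin",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_deletion_wmic",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("run_key_persistence",
     re.compile(r"\breg(?:\.exe)?\b.*\badd\b.*\\currentversion\\run(?:once)?\b")),
    ("startup_folder_persistence",
     re.compile(r"\\start menu\\programs\\startup\\")),
]
SHADOW_RULES: Set[str] = {"shadow_copy_deletion_vssadmin", "shadow_copy_deletion_wmic"}
PERSISTENCE_RULES: Set[str] = {"run_key_persistence", "startup_folder_persistence"}


def parse_line(line: str) -> ProcessEvent:
    """Parse one constructed 'timestamp|parent|image|command line' record."""
    ts, parent, image, cmd = line.split("|", 3)  # maxsplit keeps '|' inside the command line
    return ProcessEvent(ts, parent, image, cmd)


def detect(lines: List[str]) -> List[Alert]:
    """Run every rule over every event; one alert per (event, rule) hit."""
    alerts: List[Alert] = []
    for line in lines:
        ev = parse_line(line)
        cmd = ev.command_line.lower()
        for name, rx in RULES:
            if rx.search(cmd):
                alerts.append(Alert(ev.timestamp, ev.parent_image, name, ev.command_line))
    return alerts


def correlate(alerts: List[Alert]) -> List[str]:
    """Parent images that both deleted shadow copies and installed persistence.
    That pairing is the ransomware-like cluster; either alone is often admin activity."""
    by_parent: Dict[str, Set[str]] = {}
    for a in alerts:
        by_parent.setdefault(a.parent_image, set()).add(a.rule)
    return sorted(p for p, rules in by_parent.items()
                  if rules & SHADOW_RULES and rules & PERSISTENCE_RULES)


# Constructed sample telemetry; paths, user and binary names are made up.
SAMPLE_LOG = [
    r"2018-06-01T10:00:01|C:\Windows\explorer.exe|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
    r"2018-06-01T10:02:13|C:\Users\alice\AppData\Roaming\payload.exe|C:\Windows\System32\cmd.exe|cmd.exe /c vssadmin.exe delete shadows /all /quiet",
    r"2018-06-01T10:02:14|C:\Users\alice\AppData\Roaming\payload.exe|C:\Windows\System32\wbem\WMIC.exe|wmic shadowcopy delete",
    r'2018-06-01T10:02:15|C:\Users\alice\AppData\Roaming\payload.exe|C:\Windows\System32\reg.exe|reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v payload /t REG_SZ /d "C:\Users\alice\AppData\Roaming\payload.exe" /f',
    r"2018-06-01T10:05:00|C:\Windows\explorer.exe|C:\Windows\System32\vssadmin.exe|vssadmin list shadows",  # benign: list, not delete
]

if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(a.timestamp, a.rule, a.command_line)
    print("suspicious parents:", correlate(found))
```

The per-parent correlation is the part worth keeping: backup agents legitimately delete shadow copies and installers legitimately write Run keys, but a single unsigned binary in a user profile doing both within seconds is the shape of what this paragraph describes.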
The operators leave ransom notes in two formats, .hta and .txt, but neither states the amount demanded. The notes simply direct the victim to write to the e-mail address embedded in every encrypted file name.
No free decrypter is publicly available for files encrypted by this Dharma variant. Without backups you will need professional help with removal, and recovery of the data itself depends on whether any backups or shadow volume copies survived; it is worth checking for remaining shadow copies before wiping the machine, since the deletion step does not always succeed.
To keep a device that offers remote desktop services from becoming a victim, do not expose RDP directly to the internet: reach it only through a VPN, require strong unique credentials with an account lockout policy, restrict which accounts may log on remotely, and disable RDP where it is not needed.