Ransomware,News | 05/07/2018

Detailed Technical Analysis of Dharma Ransomware (Crysis Ransomware)

In this technical analysis of the Dharma ransomware, also known as Crysis ransomware, our security experts (HTRI Team) review the details of the ransomware campaign and the steps to take to protect against such attacks. This ransomware first appeared in 2016 (updated 2018).

Dharma aka Crysis Ransomware Overview

Dharma Ransomware aka Crysis ransomware is a part of the Ransomware Family.

This ransomware first appeared in 2016.

Afterwards, the ransomware actors kept updating it, and we recently found a new variant that encrypts all files located on local drives as well as on shared network drives and scrambles the file names, ending them with the “.arrow” extension. It leaves the necessary operating system files and the malware's own files untouched.

Flow Chart

The spread method is not exactly known. The flow is as follows:

  1. Spread via hacking into RDP (Remote Desktop Protocol) services.
  2. Manual installation of the ransomware.
  3. Once installed, the ransomware scans all local drives and starts encrypting the files.

Technical Analysis of Dharma / Crysis Ransomware


File Name: Dharma.exe

MD5: 454FC75E5133D28879410008C0CD68F8

File Type: Executable

Spread Via: Not known exactly, but according to previous cases RDP was used.



Detailed Analysis with Screenshot:

Once the Dharma (aka Crysis) ransomware has been executed, the following processes start automatically.


Figure 1 Process Created by Dharma Ransomware


Figure 2 Parent-Child Relationship

As shown above, this ransomware creates one child process, CMD.exe.

CMD.exe itself has two subprocesses:

  1. Mode.com: After restarting the machine, the settings of the communications port (COM port) are returned to default.
  2. Vssadmin.exe: Deletes the shadow copies from the machine, so they cannot be restored.

After executing the above commands, the ransomware starts its encryption process.
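One way to hunt for the process tree described above in process-creation telemetry. This is an added example, not code from the original analysis; the event fields, PIDs, paths and command lines are constructed, and PIDs are assumed to be unique within the sample window.

```python
from collections import defaultdict
import ntpath

# Constructed process-creation events (not from a real host).
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 2300, "image": r"C:\Users\bob\Desktop\Dharma.exe", "cmd": "Dharma.exe"},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 4200, "ppid": 4188, "image": r"C:\Windows\System32\mode.com", "cmd": "mode.com"},
    {"pid": 4212, "ppid": 4188, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    # Benign look-alike: an admin listing shadow copies from a shell.
    {"pid": 5000, "ppid": 2300, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},
    {"pid": 5010, "ppid": 5000, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows"},
]


def image_name(event):
    """Lower-cased executable name, parsed as a Windows path on any OS."""
    return ntpath.basename(event["image"]).lower()


def deletes_shadows(event):
    """True only for vssadmin invocations that delete shadow copies."""
    tokens = event["cmd"].lower().split()
    return image_name(event) == "vssadmin.exe" and "delete" in tokens and "shadows" in tokens


def find_suspicious_shells(events):
    """Return cmd.exe instances that spawned both mode.com and a shadow-copy deletion."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)

    findings = []
    for shell in events:
        if image_name(shell) != "cmd.exe":
            continue
        kids = children[shell["pid"]]
        has_mode = any(image_name(k) == "mode.com" for k in kids)
        has_vss_delete = any(deletes_shadows(k) for k in kids)
        if has_mode and has_vss_delete:
            launcher = by_pid.get(shell["ppid"])
            findings.append({
                "shell_pid": shell["pid"],
                "launcher": launcher["image"] if launcher else None,
            })
    return findings
```

Requiring both children under the same shell keeps routine `vssadmin list shadows` use from alerting.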

During our analysis, we found that this ransomware encrypts both PE (Portable Executable) and non-PE (non-Portable Executable) files.

As shown below, these are some of the extensions that this ransomware looks for:


Figure 3 Extensions List

During the encryption process, it appends an extension in the following format:


For Example:

“ReadMe.txt” has been encrypted and renamed to “!ReadMe!.txt.id-2A5B3DF7.[maja_ashby2@aol.com].arrow”
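The renaming pattern in the example above can be used to triage a file listing during incident response. The following Python is an added example, not part of the original analysis; the pattern is inferred from that single example, and the sample listing, paths and `someone@example.com` are constructed.

```python
import ntpath
import re
from collections import Counter

# Inferred shape: <name>.id-<8 hex digits>.[<contact e-mail>].arrow
# Case-insensitive because Windows file names are.
RENAMED = re.compile(
    r"^(?P<name>.+)\.id-(?P<victim_id>[0-9a-f]{8})"
    r"\.\[(?P<contact>[^\[\]@\s]+@[^\[\]\s]+)\]\.arrow$",
    re.IGNORECASE,
)

# Constructed listing; only the first file name comes from the article.
SAMPLE_LISTING = [
    r"C:\Users\bob\Documents\!ReadMe!.txt.id-2A5B3DF7.[maja_ashby2@aol.com].arrow",
    r"\\fileserver\share\budget.xlsx.id-2A5B3DF7.[maja_ashby2@aol.com].arrow",
    r"C:\Users\bob\Documents\notes.arrow",           # unrelated file, wrong shape
    r"C:\Users\bob\Pictures\arrow.id-12345678.png",  # marker present, suffix absent
    r"D:\data\report.docx.ID-00ff00ff.[someone@example.com].ARROW",
]


def parse_renamed(path):
    """Return the parts of a renamed file, or None if the name does not match."""
    folder, filename = ntpath.split(path)
    m = RENAMED.match(filename)
    if not m:
        return None
    return {
        "folder": folder,
        "name_before_suffix": m["name"],
        "victim_id": m["victim_id"].upper(),
        "contact": m["contact"].lower(),
    }


def triage(listing):
    """Summarise how many files match, and which IDs, contacts and folders appear."""
    hits = [h for h in map(parse_renamed, listing) if h]
    return {
        "affected": len(hits),
        "ids": Counter(h["victim_id"] for h in hits),
        "contacts": Counter(h["contact"] for h in hits),
        "folders": sorted({h["folder"] for h in hits}),
    }
```

More than one ID or contact address in the summary suggests the listing covers more than one infection.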

The following mutexes are created by the ransomware:





This ransomware looks for the following running services and a few programs; if it finds them, it immediately stops and kills these specific programs along with the services:







This ransomware has persistence capabilities: it creates the following entries in the startup folder and registry:







Figure 4 Persistent Capabilities

This ransomware supports various languages:

Figure 5 Language List

This ransomware also attempts to run itself with administrator privileges, thus extending the list of files to be encrypted.

Figure 6 Attempts to run as Admin Privileges

This ransomware looks for ‘Mapped Network Drives’ & ‘RDP Connections’ to infect further.


Figure 7 Ransomware looks for network path to spread further


Figure 8 Ransomware looks for RDP Connections

This ransomware drops two ransom notes at various locations on the system:

Figure 9 Ransom Notes Location

  1. Info.HTA (launched by an Autorun):

Figure 10 Ransom Note



  2. Files Encrypted.txt:

Figure 11 Ransom Note in Text Mode

As shown above, both ransom notes contain instructions to contact the actors at maja_ashby2@aol.com.

In case of no response within 24 hours, the notes say to contact dot_faldo@aol.com in order to get the payment instructions and the decrypted files.

In the ransom note, the ransomware actors state that they will decrypt 5 files free of charge, on the condition that the total size of the files is less than 10Mb and that the files are non-archived.


Tips to Prevent Viruses and Malware from Infecting Your System:
  1. Enable your popup blocker: Pop-ups and ads on websites are the tactic most often adopted by cybercriminals or developers whose core intention is to spread malicious programs.
    So, avoid clicking on uncertain sites, software offers, pop-ups etc. and install a powerful ad-blocker for Chrome, Mozilla, and IE.
  2. Keep your Windows updated: To avoid such infections, we recommend that you always keep your system updated through automatic Windows updates. By doing this you can keep your device free from viruses. According to the survey, outdated/older versions of the Windows operating system are an easy target.
  3. Third-party installation: Try to avoid freeware download websites, as they usually install bundled software with any installer or stub file.
  4. Regular backup: Regular and periodic backups help you keep your data safe in case the system is infected by any kind of virus or other infection. Thus, always back up important files regularly to a cloud drive or an external hard drive.
  5. Always have an anti-virus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good malware removal tool like Download Virus Removal Tool.


