Dharma aka Crysis Ransomware Overview
Dharma ransomware, also known as Crysis, belongs to the ransomware family and first appeared in 2016.
Since then the ransomware actors have kept updating it, and we recently found a new variant that encrypts all files on the local drives as well as on shared network drives and scrambles every file name, appending the ".arrow" extension at the end.
Files needed by the operating system and the malware's own files are left untouched.
Flow Chart
The exact spread method is not known; based on previous cases, the infection chain is:
Spread via hacking into RDP (Remote Desktop Protocol) services
↓
Manually installing the ransomware
↓
Once installed, scan all local drives and start encrypting the files
Technical Analysis of Dharma / Crysis Ransomware
File Name: Dharma.exe
MD5: 454FC75E5133D28879410008C0CD68F8
File Type: Executable
Spread Via: Not known exactly, but in previous cases RDP was used.
Detailed Analysis with Screenshots:
Once the Dharma aka Crysis ransomware has been executed, the following processes are created automatically.

Figure 1 Process Created by Dharma Ransomware

Figure 2 Parent-Child Relationship
As shown above, this ransomware creates one child process, CMD.exe.
CMD.exe itself has two sub-processes:
- Mode.com: after the machine restarts, the settings of the communications port (COM port) are reset to default.
- Vssadmin.exe: deletes the shadow copies from the machine, so the files cannot be restored from them.
After the above commands have run, the ransomware starts its encryption process.
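The cmd.exe → vssadmin.exe chain described above is the most reliable place to catch this family before encryption starts, because shadow-copy deletion is rarely launched that way by legitimate software. The following is an added detection example, not code from the original write-up: it replays constructed process-creation events (modelled on the tree in Figures 1 and 2, not real telemetry) and flags a vssadmin "delete shadows" invocation together with its full ancestry and the sibling processes spawned by the same cmd.exe. The sample command line and process ids are assumptions for the sake of the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (the fields a Sysmon event 1 or EDR log would carry)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample telemetry modelled on the process tree described above; not real captured data.
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1204, 400, r"C:\Users\victim\Downloads\Dharma.exe", "Dharma.exe"),
    ProcEvent(1308, 1204, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(1320, 1308, r"C:\Windows\System32\mode.com", "mode.com"),
    ProcEvent(1332, 1308, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    # An administrator listing shadow copies from an interactive console: must not alert.
    ProcEvent(2000, 400, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(2010, 2000, r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

# Matches the destructive sub-command regardless of argument order or casing.
SHADOW_DELETE = re.compile(r"\bdelete\b.*\bshadows\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name of an image path, tolerant of both slash styles."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: dict, pid: int) -> list:
    """Image names from the given process up to the root, child first; guards against pid cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect_shadow_copy_deletion(events: list) -> list:
    """Return one alert per vssadmin process that deletes shadow copies, with context for triage."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        if basename(e.image) != "vssadmin.exe" or not SHADOW_DELETE.search(e.cmdline):
            continue
        chain = ancestry(by_pid, e.pid)
        # Other children of the same parent (e.g. mode.com) strengthen the match against this family.
        siblings = sorted(basename(s.image) for s in events if s.ppid == e.ppid and s.pid != e.pid)
        alerts.append({
            "pid": e.pid,
            "cmdline": e.cmdline,
            "chain": chain,
            "via_cmd": len(chain) > 1 and chain[1] == "cmd.exe",
            "siblings": siblings,
        })
    return alerts


if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"ALERT pid={a['pid']} chain={' <- '.join(a['chain'])} "
              f"siblings={a['siblings']} cmd={a['cmdline']!r}")
```

The ancestry chain is what makes the alert actionable: a vssadmin deletion whose grandparent is an executable dropped in a user profile, as in the sample, is a very different finding from one launched by a backup agent, and the benign "list shadows" event shows the rule does not fire on routine administration.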
During our analysis we found that this ransomware encrypts both PE (Portable Executable) and non-PE files.
As shown below, these are some of the extensions this ransomware looks for:

Figure 3 Extensions List
During the encryption process, it appends an extension in the following format:
.id-[id].[email].arrow
For example:
"ReadMe.txt" has been encrypted and renamed to "!ReadMe!.txt.id-2A5B3DF7.[maja_ashby2@aol.com].arrow"
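Because the appended suffix carries both the victim id and the contact address, a file listing from an affected machine or share can be triaged by name alone. The following is an added example, not code from the original write-up: it parses the `.id-[id].[email].arrow` pattern described above, reconstructs the pre-rename path of each encrypted file (what to look up in backups) and groups the hits by id and email. The directory listing is constructed for the example; the id is assumed to be hexadecimal, as in the sample name.

```python
import re
from collections import Counter

# Naming pattern of encrypted files described above: <original>.id-<id>.[<email>].arrow
# Assumptions: the id is hexadecimal (the sample shows 8 hex digits) and the email contains no ']'.
ARROW_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<id>[0-9A-Fa-f]+)\.\[(?P<email>[^\]]+)\]\.arrow$"
)

# Constructed directory listing (not from a real incident): three encrypted files,
# one ransom note and two untouched files.
SAMPLE_LISTING = [
    r"C:\Users\victim\Documents\!ReadMe!.txt.id-2A5B3DF7.[maja_ashby2@aol.com].arrow",
    r"C:\Users\victim\Documents\budget.xlsx.id-2A5B3DF7.[maja_ashby2@aol.com].arrow",
    r"\\fileserver\share\report.docx.id-2A5B3DF7.[maja_ashby2@aol.com].arrow",
    r"C:\Users\victim\Desktop\FILES ENCRYPTED.txt",
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Users\victim\Documents\notes.txt.bak",
]


def split_path(path: str):
    """Split a Windows or UNC path into (directory with trailing separator, file name)."""
    head, sep, tail = path.replace("/", "\\").rpartition("\\")
    return head + sep, tail


def parse_arrow_name(name: str):
    """Return the components of an encrypted file name, or None if the name does not match."""
    m = ARROW_NAME.match(name)
    if not m:
        return None
    return {"original": m.group("original"), "id": m.group("id").upper(), "email": m.group("email")}


def triage_listing(paths: list) -> dict:
    """Identify encrypted files in a listing and group them by victim id and contact address."""
    encrypted = []
    for p in paths:
        directory, name = split_path(p)
        parsed = parse_arrow_name(name)
        if parsed is None:
            continue
        parsed["path"] = p
        # Name the file had before the suffix was appended; the '!' decorations seen in the
        # sample are left exactly as found, since only the suffix format is documented.
        parsed["restore_path"] = directory + parsed["original"]
        encrypted.append(parsed)
    victims = Counter((e["id"], e["email"]) for e in encrypted)
    return {"total": len(paths), "encrypted": encrypted, "victims": victims}


if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    print(f"{len(result['encrypted'])} of {result['total']} entries are encrypted")
    for (vid, email), n in result["victims"].items():
        print(f"  id={vid} contact={email} files={n}")
    for e in result["encrypted"]:
        print(f"  {e['path']} -> restore {e['restore_path']}")
```

Grouping by (id, email) is useful on a shared network drive, where files from several infected hosts can sit side by side: each distinct pair corresponds to a separate victim id and therefore a separate machine to investigate.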
The following mutexes are created by the ransomware:
- syncronize_BK6AQGA
- syncronize_BK6AQGU
- \Sessions\1HGFSMUTEX
This ransomware looks for the following running services and programs; if it finds them, it immediately stops and kills these programs along with their services:
- Outlook.exe
- Postgres.exe
- mysqld-nt.exe
- sqlservr.exe
- 1cv77.exe
This ransomware has persistence capabilities: it creates the following entries in the startup folder and the registry:

| Path | Value |
| --- | --- |
| HKLM\Software\Microsoft\Windows\CurrentVersion\Run | dharma.exe=C:\Windows\System32\dharma.exe |

Figure 4 Persistence Capabilities
This ransomware supports various languages:

Figure 5 Language List
This ransomware also attempts to run itself with administrator privileges, thus extending the list of files it can encrypt.

Figure 6 Attempts to Run with Admin Privileges
This ransomware looks for mapped network drives and RDP connections to infect further.

Figure 7 Ransomware looks for network path to spread further

Figure 8 Ransomware looks for RDP Connections
This ransomware drops two ransom notes at various locations on the system:

Figure 9 Ransom Notes Location
1. Info.HTA (launched by an Autorun entry):
Figure 10 Ransom Note

2. FILES ENCRYPTED.txt:

Figure 11 Ransom Note in Text Mode
As shown above, both ransom notes instruct the victim to contact maja_ashby2@aol.com.
If there is no response within 24 hours, the victim is told to contact dot_faldo@aol.com in order to get the payment instructions and the decrypted files.
The ransom note also states that the ransomware actors will decrypt 5 files free of charge, on the condition that the total size of the files is less than 10 MB and that they are not archives.
Tips to Prevent Viruses and Malware from Infecting Your System:
- Enable your pop-up blocker: pop-ups and ads on websites are the most common tactic used by cybercriminals and malicious developers to spread malicious programs. So, avoid clicking on doubtful sites, software offers, pop-ups etc., and install a good ad-blocker for Chrome, Mozilla Firefox and IE.
- Keep your Windows updated: to avoid such infections, we recommend that you always keep your system updated through automatic Windows Update. By doing this you can keep your device free from viruses. According to surveys, outdated or older versions of the Windows operating system are an easy target.
- Third-party installation: try to avoid freeware download websites, as they usually bundle additional software with the installer or stub file.
- Regular backups: regular, periodic backups help you keep your data safe in case the system is infected by a virus or any other infection. So always back up important files regularly to a cloud drive or an external hard drive.
- Always have an anti-virus: precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good malware removal tool like Download Virus Removal Tool.