
Dharma Ransomware Analysis: What It’s Teaching Us

By David Maciejak and Kenny Yongjian Yang | November 12, 2018

FortiGuard Labs Threat Research Report

In 2018, a popular brewery was hit by a ransomware attack, while at about the same time a major maritime port experienced an identical issue that affected ship movements into and out of the harbor. Both incidents were caused by the Dharma ransomware.

In fact, a lot of new Dharma waves appeared in a short period of time, with some new extensions appearing, such as .bip, .combo, and now .gamma.

What is Dharma Ransomware?

Dharma ransomware encrypts files in order to demand a ransom in exchange for a decryption key. It is often delivered manually by targeting leaked or vulnerable RDP credentials.

FortiGuard Labs has been monitoring the Dharma (also named CrySiS) malware family for a few years. As we demonstrate below, even though the Dharma ransomware continues to be active, the attackers are not really updating their mode of operation. They continue to rely on a proven tactic to find and infect new victims: leveraging badly secured RDP services to gain access to the network.

Credentials can be obtained either by purchasing access on the dark web or by brute-forcing.
Once authenticated, however, a Dharma attacker can map a hard drive remote share or just use the clipboard to pass malicious content to the victim. From that point on, the attacker has everything needed to pivot within the network to propagate the infection to other servers or devices.

New Dharma Ransomware Variant Discovered

Recently, the FortiGuard Labs team found a new variant of the Dharma ransomware software. Its encrypted files have new extensions, such as .xxxxx and .like. After in-depth investigation and analysis, however, we found that when compared to previous versions (such as .java, .bip, .combo, .arrow, .arena and .gamma), this new malware variant (.xxxxx and .like) does not include a substantial upgrade to the code, but simply uses a different loader program.

Dharma Decryption Tools

The first variant of the Dharma ransomware appeared as early as 2006, and has continued to this day with regular updates. Because of the continuous evolution of this ransomware, free decryptors for previous malware versions were released by Kaspersky and Eset. Unfortunately, files encrypted with the new variants of Dharma ransomware are not currently decryptable for free as was the case for the older variants.

If you are looking for previously released decryptors, you can find them on the NoMoreRansom website, which is a joint initiative from law enforcement agencies and security companies to combat ransomware.

How does Dharma Ransomware Work?

When the new Dharma ransomware variant is installed on a victim’s computer, it executes and decrypts data as necessary from the .data resource section. Initially, the entire .data section is encrypted using the RC4 algorithm and a 128-byte key stored at the beginning of the data block. The malware then uses the key to decrypt the strings, step by step. First, API names and addresses are decrypted and stored on the stack, and the APIs are then loaded. In addition, the malware decrypts the commands used to delete shadow copies, the file extension lists, the attacker email addresses, the encrypted file extension, the ransom note, and various other strings that are also encrypted.

Fig 1. Strings decryption
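For analysts reproducing this step offline, the following is an added example (not code from the sample or from FortiGuard Labs) that decrypts a block laid out as described above and lists the recovered strings. It assumes the 128-byte key is immediately followed by a single continuous RC4 stream of NUL-separated ASCII strings; the function names and the test block are constructed for illustration, and a real sample may re-key per string or use wide characters.

```python
KEY_LEN = 128  # key size stated in the article


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_block(block: bytes) -> bytes:
    """Assumed layout: 128-byte key, then one continuous RC4 stream."""
    if len(block) <= KEY_LEN:
        raise ValueError("block too short to hold a key and ciphertext")
    return rc4(block[:KEY_LEN], block[KEY_LEN:])


def extract_strings(plain: bytes, min_len: int = 4) -> list:
    """Keep NUL-separated printable ASCII runs (assumed string encoding)."""
    return [
        chunk.decode("ascii")
        for chunk in plain.split(b"\x00")
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk)
    ]


def build_constructed_block() -> bytes:
    """Constructed input with harmless strings; not data from a real sample."""
    key = bytes((i * 7 + 3) & 0xFF for i in range(KEY_LEN))
    strings = [b"kernel32.dll", b"CreateFileW", b".doc;.xls;.pdf", b"FILES ENCRYPTED.txt"]
    return key + rc4(key, b"\x00".join(strings) + b"\x00")


if __name__ == "__main__":
    for s in extract_strings(decrypt_block(build_constructed_block())):
        print(s)
```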

Then, the Dharma ransomware configures itself to automatically start up when the user logs in to Windows. This allows it to encrypt new files that are created since it was last executed.

Fig 2. Auto run setting

The malware then invokes cmd.exe to delete Volume Shadow Copies, using the command:

vssadmin delete shadows /all /quiet

Fig 3. command vssadmin delete shadows /all /quiet

The sample starts with mapped drives before moving onto the root of the OS drive and encrypting files via implementation of the AES algorithm. When encrypting a file, it will append an extension in the format of .id-[id].[email].xxx. For example, a file called test.txt would be encrypted and renamed to[].combo.

Fig 4. Files encrypted with the Dharma Ransomware combo variant

After encrypting the files, the Dharma ransomware pops up two different ransom notes on the victim’s computer. One is the Info.hta file, which is launched by an autorun when a user logs into the computer.  

Fig 5. Ransom note HTA

The other note is called FILES ENCRYPTED.txt and can be found on the desktop.

Fig 6. Ransom note text
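The behaviours described above (shadow copy deletion, the rename pattern, and the two ransom notes) can be correlated per host during triage. The following is an added example, not FortiGuard tooling: the event field names, the sample events, and the concrete rename form (8 hex digits for the ID, e-mail in literal square brackets) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Shadow-copy deletion as quoted in the article; case, path and ".exe" vary in logs.
VSS_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b.*/all\b", re.I)
# Assumed concrete form of ".id-[id].[email].xxx": 8 hex digits, e-mail in brackets.
RENAME_RE = re.compile(
    r"^.+\.id-(?P<id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>\w+)$")
NOTE_NAMES = {"info.hta", "files encrypted.txt"}  # ransom notes named in the article


def classify(event):
    """Return (indicator, victim_id) for one event; field names are assumptions."""
    if event["type"] == "process" and VSS_RE.search(event["cmdline"]):
        return "shadow_delete", None
    if event["type"] == "file":
        name = event["path"].replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in NOTE_NAMES:
            return "ransom_note", None
        match = RENAME_RE.match(name)
        if match:
            return "renamed_file", match["id"].upper()
    return None, None


def triage(events, min_indicators=2):
    """Map host -> (indicators, victim IDs) for hosts with enough distinct indicators."""
    seen, ids = defaultdict(set), defaultdict(set)
    for ev in events:
        kind, victim_id = classify(ev)
        if kind:
            seen[ev["host"]].add(kind)
        if victim_id:
            ids[ev["host"]].add(victim_id)
    return {h: (sorted(k), sorted(ids[h])) for h, k in seen.items()
            if len(k) >= min_indicators}


# Constructed events, not real telemetry; the address uses the reserved example.com.
SAMPLE = [
    {"host": "FS01", "type": "process",
     "cmdline": r"C:\Windows\system32\cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "FS01", "type": "file",
     "path": r"D:\share\test.txt.id-1A2B3C4D.[contact@example.com].combo"},
    {"host": "FS01", "type": "file", "path": r"C:\Users\bob\Desktop\FILES ENCRYPTED.txt"},
    {"host": "WS07", "type": "process", "cmdline": "vssadmin list shadows"},
    {"host": "WS07", "type": "file", "path": r"C:\Users\amy\notes.id-draft.txt"},
    {"host": "BK02", "type": "process", "cmdline": "vssadmin delete shadows /all /quiet"},
]
```

Requiring two distinct indicators keeps a lone shadow copy deletion (host BK02 in the constructed data) out of the high-confidence set; lowering `min_indicators` to 1 surfaces it for review.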

FortiGuard Labs has been monitoring this malware carefully since the beta version of this family was first discovered. From a ransomware perspective, Dharma continues to be active and at the top of our threat list. Our telemetry also shows that for the past 6 months more than 25% of detections originated from Turkey.

The cyberwar is not at rest. Turkish sources have reported that Dharma has attacked more than 100 Greek websites. Details of these attacks seem to confirm news reports about the political tensions between Turkey and Greece regarding the ownership of islands in the Aegean Sea, showing that ransomware attacks can be used for activism as well as for financial gain.


1. FortiGuard’s Antivirus service detects these samples as W32/Crysis.L!tr.ransom

2. FortiSandbox rates the Dharma/Crysis sample as High Risk


In addition to the protections outlined above, Fortinet is advising customers to follow the security best practices below:

1. Back Up Your Data

The best response to ransomware such as Dharma is to be prepared. To protect your computer from Dharma or any other ransomware, it is important to use good computing practices and security software. First, you should always have a reliable and tested data backup that can be used to recover devices or networks in an emergency (such as a ransomware attack). Rather than paying a ransom, the most effective method is to replace compromised operating systems, software, and applications with clean backed-up versions. 

2. Access Management

Since Dharma ransomware is usually installed by hacking Remote Desktop Services, it is important to ensure that those services are properly locked down. This includes ensuring that computers running Remote Desktop Services do not connect directly to the Internet. Instead, put any computers running Remote Desktop behind a VPN so that only people with a VPN account on the network can access them.

It should be noted that this ransomware will encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares. So it is important to make sure your network's shares are locked down so that only those who actually need access have permission.

FortiGuard Labs will continue to track this family and share our findings with readers as new details come to light.

Target file extension list

.1cd .3ds .3fr .3g2 .3gp .7z .accda .accdb .accdc .accde .accdt .accdw .adb .adp .ai .ai3 .ai4 .ai5 .ai6 .ai7 .ai8 .anim .arw .as .asa .asc .ascx .asm .asmx .asp .aspx .asr .asx .avi .avs .backup .bak .bay .bd .bin .bmp .bz2 .c .cdr .cer .cf .cfc .cfm .cfml .cfu .chm .cin .class .clx .config .cpp .cr2 .crt .crw .cs .css .csv .cub .dae .dat .db .dbf .dbx .dc3 .dcm .dcr .der .dib .dic .dif .divx .djvu .dng .doc .docm .docx .dot .dotm .dotx .dpx .dqy .dsn .dt .dtd .dwg .dwt .dx .dxf .edml .efd .elf .emf .emz .epf .eps .epsf .epsp .erf .exr .f4v .fido .flm .flv .frm .fxg .geo .gif .grs .gz .h .hdr .hpp .hta .htc .htm .html .icb .ics .iff .inc .indd .ini .iqy .j2c .j2k .java .jp2 .jpc .jpe .jpeg .jpf .jpg .jpx .js .jsf .json .jsp .kdc .kmz .kwm .lasso .lbi .lgf .lgp .log .m1v .m4a .m4v .max .md .mda .mdb .mde .mdf .mdw .mef .mft .mfw .mht .mhtml .mka .mkidx .mkv .mos .mov .mp3 .mp4 .mpeg .mpg .mpv .mrw .msg .mxl .myd .myi .nef .nrw .obj .odb .odc .odm .odp .ods .oft .one .onepkg .onetoc2 .opt .oqy .orf .p12 .p7b .p7c .pam .pbm .pct .pcx .pdd .pdf .pdp .pef .pem .pff .pfm .pfx .pgm .php .php3 .php4 .php5 .phtml .pict .pl .pls .pm .png .pnm .pot .potm .potx .ppa .ppam .ppm .pps .ppsm .ppt .pptm .pptx .prn .ps .psb .psd .pst .ptx .pub .pwm .pxr .py .qt .r3d .raf .rar .raw .rdf .rgbe .rle .rqy .rss .rtf .rw2 .rwl .safe .sct .sdpx .shtm .shtml .slk .sln .sql .sr2 .srf .srw .ssi .st .stm .svg .svgz .swf .tab .tar .tbb .tbi .tbk .tdi .tga .thmx .tif .tiff .tld .torrent .tpl .txt .u3d .udl .uxdc .vb .vbs .vcs .vda .vdr .vdw .vdx .vrp .vsd .vss .vst .vsw .vsx .vtm .vtml .vtx .wb2 .wav .wbm .wbmp .wim .wmf .wml .wmv .wpd .wps .x3f .xl .xla .xlam .xlk .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xps .xsd .xsf .xsl .xslt .xsn .xtp .xtp2 .xyze .xz .zip











-= FortiGuard Lion Team =-

