What's Dharma ransomware?

In this article you'll find out must-know information about the Dharma Ransomware.




Dharma Ransomware is an encryption ransomware. It belongs to the virus family of Trojan and it's used to do some damage to user's personal data and to demand money from him/her for getting it back.


According to the statistics, this malware have already infected an enormous number of computers from all over the world and is constantly going on its criminal activity. It seems to target only the directories inside the user’s directory on Windows, with encrypted files receiving the suffix [bitcoin143@india . com]. dharma which is added to the end of each file name.


There are some cases, when the ransom note is absent. The danger of the Dharma is that a user can overlook its presence on his PC, because it doesn't have any influence over the way his computer works. But a file infected by Dharma will be encrypted unless this malware is removed.

Does Dharma have different names?

It's reported that this ransomware can have different names: Arrow, wallet, xtbl and many others. Some computer users have come across such name as «skanda.exe" and they haven't known how to act in this situation. It’s turned out the Dharma Ransomware. Also, a holder, named 'opFirlma' is known to contain the application "plinck.exe". Some specialists believe that names are created at random. There are some cases when it has a ransom note, which is in a text file, called ' readme.txt", and delivers the message:


At the moment, your system is not protected.

We can fix it and restore files.

To restore the system write to this address:

...@ india . com'

Why does it change its names?

The name is directly dependent on the variant being used in attack.

How does the dharma infection work?

Unfortunately, this ransomware works in the following way: it encrypts a target file and a person, to whom it belongs, can't do anything with it unless he gets a decryption key... but he faces a serious problem. People who have infected his file start to extort him: they will demand a ransom from him unless he gives up to them.


Dharma ransomware is suspected to belong to Crysis Ransomware family, which has got a notorious fame for making numerous attacks since the summer of 2016. It’s considered that the Dharma gets inside with the help of corrupted email attachments. They take advantage of vulnerabilities in macros on a victim's pc. To take control of victim's data it uses the AES-256 encryption. Usually its attack are aimed at certain directories and here they are:


  • %UserProfile%\Desktop
  • • %UserProfile%\Downloads
  • • %UserProfile%\Documents
  • • %UserProfile%\Pictures
  • • %UserProfile%\Music
  • • %UserProfile%\Videos

What to do if the dharma's managed to capture a file?

If this unpleasant thing happens to you, don't surrender to any extortionists' conditions and don't pay a ransom in any case. The only thing, left to do is to keep calm. There are cases, when a victim follows extortionists' instructions, but they don't give him the decryption key. However they go on demanding more and more money. Specialists don't recommend a victim to act like this, because sometimes even extortionists don't know how to decrypt an infected file, because it can be the very case when the dharma is under development.

How to prevent this ransomware from getting inside?

To establish a good back-up system is thought to be the best solution to prevent a problem. It works in the following way:

  • 1. A user makes backup copies as a precaution.
  • 2. In the case of infecting a file he restores it from a backup copy. He manages to get away with it without paying any ransom. Moreover, to back up files must become a regular practice.


The last but not the least, be careful with checking emails is highly recommended, because as we remember the dharma ransomware can break in your device via corrupted email attachments. If we follow this simple advice, the dharma will stop its existence in the future.


Removal instruction

If you are MAC user, follow this guide: how to decrypt files on MAC.




Step 1. Boot the system into safe mode

  • Press Start
  • Type Msconfig and press Enter

Safe mode. Step 1


  • Select Boot tab

Safe mode. Step 2



  • Select Safe boot and press Ok

More information about Safe mode: What is Safe Mode and how to boot computer in Safe Mode


Step 2. Show all hidden files and folders

  • Press Start
  • Click on Control Panel

Show hidden files. Step 1


  • Select Appearance and Personalization

Show hidden files. Step 2


  • Click on Folder Options
  • Select View tab
  • Select Show hidden files, folders and drives

Show hidden files. Step 3


  • Press Ok


Step 3. Remove virus files


Check next folders to find suspicious files:

  • %TEMP%
  • %ProgramData%


Step 4. Fix hosts file

  • Go to %SystemRoot%\System32\drivers\etc\ folder



  • Open hosts file using Notepad or other text editor
  • Delete suspicious elements
  • Basic hosts file looks like this:



Step 5. Clean registry (for experienced users)

  • Click Start
  • Type Regedit.exe and press Enter
  • Clean startup registry keys
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\Run
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE(HKEY_CURRENT_USER)\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

Step 6. Disable Safe Mode and restart computer

  • Press Start
  • Type Msconfig and press Enter
  • Select Boot tab
  • Remove the check near Safe boot






Share your feedback to help other people
1 1 1 1 1 1 1 1 1 1 Rating 5.00 [1 Vote]

You have no rights to post comments



Acronis suggestion to CrashPlans users

Around a month ago, there was an accident with CrashPlans backup software.

What is MicTrayDebugger and is it dangerous

This is a brief entry about MicTrayDebugger: what is it, how it appeared in the system, is it dangerous and how to get rid of it.

What is HoeflerText and is it dangerous?


This article is dedicated to the fraud scheme that is called HoeflerText font wasn't found. We will explain you what is this scheme and how to avoid it.

What is Wpad.dat virus and how it is used

The topic of our today's article is a script that had been unjustly called a virus. It’s Wpad.dat, and it is not a virus. We will explain what is Wpad.dat and how to prevent fraudsters to deceive yourself with its help.


Cancer virus trollware

This is an article about crazy Cancer virus and the madness that it brings to victim's computer.

This website uses cookies to improve your experience