About Dharma/CrySiS Ransomware – 2024

Written by Brendan Smith

General information

The Dharma/CrySiS stands for a large family of ransomware threats attacking PCs since 2016. Some analysts say that the modern actor – REvil ransomware – is a part of this group that forked at a specific time. This is ransomware encrypting the personal data stored on the victim’s PC.

Once the encryption is successfully implemented, the ransomware shows a message demanding a payment in Bitcoin to restore the data.

Typical evidence of the attack:

Once the encryption process has been performed, owners of infected devices will find a scary warning on their screens. They may also be surprised to discover that all the available restore points are no longer available and that their documents are inaccessible because of encryption that added a new extension into each modified file. Dharma particulary aims at default backup methods, such as OneDrive and Volume Shadow Copy.

Stages of Dharma ransomware infection:

As soon as Dharma infects the system, it makes its appropriate registry entries to maintain its presence and encrypts every file type without modifying important system and malware files. It initiates the encryption mechanism using a complex encryption algorithm (AES-256 in conjunction with RSA-1024 asymmetric encryption), often used for fixed, removable, and network drives.

Preliminary to the encryption process, Dharma removes all the Windows Restore Points by executing the following command:

vssadmin delete shadows /all /quiet

The Trojan that injects the ransomware obtains the computer’s name and a range of encrypted files according to the specific formats, transferring them to a remote C&C server owned by the threat developer. In some cases with specific Windows versions, it also manages to run itself with administrator privileges, thus broadening the list of files subject to encryption.

Upon completion of the successful RDP-based attack, many people report that before actually displaying the scary alerts demanding the ransom to be paid, Crysis removes all available security software installed on the attacked device. I accent your attention upon RDP attacks as Dharma uses vulnerabilities in this remote access protocol in 70% of its attacks.

Technical details

Dharma ransomware mostly comes via RDP, so please disable it or change the default port for RDP!

Anti-virus programs identify Dharma as Ransom. Crysis or Ransom.Dharma. It attacks Windows systems. It mainly attacks businesses. It refers to the help of several channels for promotion:

  1. Dharma can also be present as installation files for reputable programs, including anti-virus software. Dharma distributors will disguise these harmless-looking installers for various legitimate programs as downloadable executables, which they have promoted via numerous online resources and shared networks.
  2. In many cases, Dharma is spread manually during the targeted attacks using leaked or weak RDP credentials. This implies that a human attacker is getting access to the victim’s computer before injecting the malware by misusing the Windows RDP protocol on port 3389.
  3. Based on the analysis of the latest attack, Dharma was installed as a download link via a spam email. The link is directed to a password-protected, self-extracting bundle installer. The password was specified for the potential victims in the email. In addition to the Dharma executable, the installer contained an outdated removal utility elaborated by a well-known security developer.
  4. This social engineering approach aims to bypass existing security barriers. Encountering a well-known security solution in the installation package misled people. It made them think that the downloadable file was secure, which was how the attack got accomplished.

The following Dharma note names have been found:

  • README.txt
  • Readme to restore your files.txt
  • Decryption instructions.txt
  • Files encrypted!!.txt
  • Info.hta

Dharma typically appends the following extensions for all the files it encrypts:

.vbox, .crysis, .dharma, wallet, .java, .adobe, .viper1, .write, .bip, .zzzzz, .viper2, .arrow, .gif, .xtbl, .onion, .bip, .cezar, .combo, .cesar, .cmb, .AUF, .arena, .brrr, .btc, .cobra, .gamma, .heets, .java, .monro, .USA, .bkp, .xwx, .btc, .best, .bgtx, .boost, .heets, .waifu, .qwe, .gamma, .ETH, .bet, ta, .air, .vanss, . 888, .FUNNY, .amber, .gdb, .frend, .like, .KARLS, .xxxxx, .aqva, .lock, .korea, .plomb, .tron, .NWA, .AUDIT, .com, .cccmn, .azero, .Bear, .bk666, .fire, .stun, .myjob, .ms13, .war, .carcn, .risk, .btix, .bkpx, .he, .ets, .santa, .gate, .bizer, .LOVE, .LDPR, .MERS, .bat, .qbix, .aa1, and .wal, .14x, .hub, .aol, .harma, .NOV, 22btc, .text, .con30, .LOTUS, .wcg, .word, .ROGER, .pauq

The list of Dharma (CrySiS) Ransomware.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Brendan Smith

I'm Brendan Smith, a passionate journalist, researcher, and web content developer. With a keen interest in computer technology and security, I specialize in delivering high-quality content that educates and empowers readers in navigating the digital landscape.

With a focus on computer technology and security, I am committed to sharing my knowledge and insights to help individuals and organizations protect themselves in the digital age. My expertise in cybersecurity principles, data privacy, and best practices allows me to provide practical tips and advice that readers can implement to enhance their online security.


  1. kashif March 31, 2020
    • Brendan Smith August 22, 2021
  2. icam b manalo October 30, 2022

Leave a Reply