About Dharma/CrySiS Ransomware – 2022

Written by Brendan Smith

General information

Dharma/CrySiS is a large family of ransomware threats that has been attacking PCs since 2016. Some analysts say that a more recent actor, REvil ransomware, is part of this group and forked from it at some point. It is ransomware that encrypts the personal data stored on the victim's PC.

Once encryption has completed, the ransomware displays a message demanding a payment in Bitcoin to restore the data.

Typical evidence of the attack:

Owners of infected devices find a scary warning on their screens once the encryption process has already run. They may also be surprised to find that all restore points are gone and that their documents are inaccessible, because the encryption appended a new extension to each modified file.

Stages of a Dharma ransomware infection:

As soon as Dharma infects the system, it creates the registry entries it needs to maintain persistence and encrypts practically every file type, leaving critical system files and its own files untouched. The encryption uses AES-256, with the AES keys protected by RSA-1024 asymmetric encryption, and is applied to fixed, removable, and network drives.

Before the encryption process starts, Dharma removes all Windows Restore Points (Volume Shadow Copies) by executing the following command:

vssadmin delete shadows /all /quiet

The trojan that drops the ransomware collects the computer's name and a set of files of specific formats and transfers them to a remote C&C server owned by the threat developer. On some Windows versions it also manages to run with administrator privileges, which broadens the list of files subject to encryption.

After a successful RDP-based intrusion, many victims report that, before displaying the scary alerts demanding the ransom, CrySiS also removes any security software installed on the attacked device.
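The shadow-copy deletion described above is the most reliable early signal of this stage. The following detection logic is an added example, not code from the original article: it runs over a few constructed process-creation records (shaped like Windows Security event 4688 or Sysmon event 1 output, with host and user fields assumed) and flags every invocation of vssadmin's "delete shadows", regardless of switch order, quoting or letter case.

```python
import re

# Constructed sample process-creation records (not real telemetry), shaped like
# what a SIEM hands you from Windows Security event 4688 or Sysmon event 1.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "CORP\\jdoe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"host": "ws-042", "user": "CORP\\jdoe",
     "cmdline": '"C:\\Windows\\System32\\VSSADMIN.EXE" Delete Shadows /Quiet /All'},
    {"host": "srv-bk1", "user": "CORP\\backupsvc",
     "cmdline": "vssadmin list shadows"},
    {"host": "ws-007", "user": "CORP\\asmith",
     "cmdline": "notepad.exe README.txt"},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')  # a quoted path or a bare word


def is_shadow_deletion(cmdline: str) -> bool:
    """True when the command line runs vssadmin's 'delete shadows'.

    Tokenises instead of substring-matching the exact string from the article,
    so reordered switches, quoting and mixed case do not slip past the check.
    """
    tokens = [t.strip('"').lower() for t in _TOKEN.findall(cmdline)]
    if not tokens:
        return False
    # Reduce a full or quoted path to the executable name.
    exe = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1]
    if exe not in ("vssadmin", "vssadmin.exe"):
        return False
    return "delete" in tokens[1:] and "shadows" in tokens[1:]


def hunt_shadow_deletion(events):
    """Return (host, user, cmdline) for each event that deleted shadow copies."""
    return [(e["host"], e["user"], e["cmdline"])
            for e in events if is_shadow_deletion(e["cmdline"])]


if __name__ == "__main__":
    for host, user, cmd in hunt_shadow_deletion(SAMPLE_EVENTS):
        print(f"ALERT: shadow copies deleted on {host} by {user}: {cmd}")
```

Event 4688 only carries the command line when the "Include command line in process creation events" audit policy is enabled, so confirm that before relying on this in production.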

Technical details

Dharma ransomware mostly arrives via RDP, so disable it or change the default RDP port!

Dharma is detected by anti-virus programs as Ransom.Crysis or Ransom.Dharma. It attacks Windows systems, mainly in businesses. It relies on several distribution channels:

  1. Dharma can present itself as an installer for a reputable program, including anti-virus software. Distributors disguise the malware as harmless-looking installers for legitimate programs and promote these downloadable executables via numerous online resources and file-sharing networks.
  2. In many cases, Dharma is deployed manually during targeted attacks using leaked or weak RDP credentials. A human attacker gains access to the victim's computer through the Windows RDP protocol on port 3389 before dropping the malware.
  3. In the most recently analysed attack, Dharma was delivered as a download link in a spam email. The link led to a password-protected, self-extracting installer bundle. The password was given to the potential victims in the email, and, besides the Dharma executable, the installer contained an outdated removal utility from a well-known security vendor.
  4. This social engineering approach aims to bypass existing security barriers: seeing a well-known security product inside the installation package misled people into believing the download was safe, and that is how the attack succeeded.

The following Dharma ransom note file names have been found:

  • README.txt
  • Readme to restore your files.txt
  • Decryption instructions.txt
  • Files encrypted!!.txt
  • Info.hta

Dharma typically appends one of the following extensions to every file it encrypts:

.vbox, .crysis, .dharma, .wallet, .java, .adobe, .viper1, .write, .bip, .zzzzz, .viper2, .arrow, .gif, .xtbl, .onion, .cezar, .combo, .cesar, .cmb, .AUF, .arena, .brrr, .btc, .cobra, .gamma, .heets, .monro, .USA, .bkp, .xwx, .best, .bgtx, .boost, .waifu, .qwe, .ETH, .bet, .ta, .air, .vanss, .888, .FUNNY, .amber, .gdb, .frend, .like, .KARLS, .xxxxx, .aqva, .lock, .korea, .plomb, .tron, .NWA, .AUDIT, .com, .cccmn, .azero, .Bear, .bk666, .fire, .stun, .myjob, .ms13, .war, .carcn, .risk, .btix, .bkpx, .he, .ets, .santa, .gate, .bizer, .LOVE, .LDPR, .MERS, .bat, .qbix, .aa1, .wal, .14x, .hub, .aol, .harma, .NOV, .22btc, .text, .con30, .LOTUS, .wcg, .word, .ROGER, and .pauq

The list of Dharma (CrySiS) Ransomware.
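The note names and appended extensions above are the indicators a responder has to hand when sizing up an infected share. The triage script below is an added example, not code from the article: it walks a directory tree, counts encrypted files per appended extension (using a subset of the list above), recovers the original file names, locates ransom notes, and only calls the tree "likely Dharma" when a note sits next to encrypted files, because README.txt on its own is a perfectly ordinary file name. The threshold and the sample tree are this example's own constructions.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Subset of the extensions and note names the article lists; extend as needed.
# Matched case-insensitively because the list mixes .AUF/.USA with lowercase ones.
DHARMA_EXTENSIONS = {".dharma", ".crysis", ".wallet", ".arena", ".cezar", ".combo",
                     ".btc", ".auf", ".usa", ".harma", ".lotus", ".roger"}
DHARMA_NOTES = {"readme.txt", "readme to restore your files.txt",
                "decryption instructions.txt", "files encrypted!!.txt", "info.hta"}


def classify(path):
    """('note', name), ('encrypted', original_name, ext) or None for one file.
    Dharma appends its extension to the whole original name, so 'report.docx.dharma'
    still contains '.docx'; stripping the appended suffix recovers the original."""
    path = Path(path)
    if path.name.lower() in DHARMA_NOTES:
        return ("note", path.name)
    ext = path.suffix.lower()
    if ext in DHARMA_EXTENSIONS:
        return ("encrypted", path.name[:-len(ext)], ext)
    return None


def triage(root) -> dict:
    """Walk a tree and summarise the Dharma indicators found under it."""
    root = Path(root)
    out = {"notes": [], "by_ext": Counter(), "originals": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            hit = classify(Path(dirpath, name))
            if hit is None:
                continue
            if hit[0] == "note":
                out["notes"].append(str(Path(dirpath, name).relative_to(root)))
            else:
                out["by_ext"][hit[2]] += 1
                out["originals"].append(hit[1])
    # A note alone is weak evidence (README.txt is common); require encrypted files too.
    out["likely_dharma"] = bool(out["notes"]) and sum(out["by_ext"].values()) >= 1
    return out


def demo() -> dict:
    """Build a constructed sample tree (placeholder bytes, not victim data) and triage it."""
    root = Path(tempfile.mkdtemp(prefix="dharma-demo-"))
    for rel in ["docs/report.docx.dharma", "docs/budget.xlsx.dharma",
                "docs/FILES ENCRYPTED!!.txt", "photos/holiday.jpg.ARENA",
                "Info.hta", "notes.txt", "setup.exe"]:
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_bytes(b"constructed placeholder content")
    return triage(root)
```

Run it against a real share by calling triage() on the mount point; the "originals" list tells you which documents to restore from backup once the host is rebuilt.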


About the author

Brendan Smith

Journalist, researcher, web content developer, grant proposal editor. Efficient and proficient on multiple platforms and in diverse media. Computer technology and security are my specialties.


  1. kashif March 31, 2020
    • Brendan Smith August 22, 2021
  2. icam b manalo October 30, 2022

Leave a Reply


This site uses Akismet to reduce spam. Learn how your comment data is processed.