Ransomware

Dharma virus, unlike similar types of ransomware, does not change desktop background, but creates README.txt or Document.txt.[amagnus@india.com].zzzzz files and places them in each folder with compromised files. Text files contain message stating that users have to pay the ransom using Bitcoins and amount is approximately $300-$500 depending on ransomware version. The private decryption key is stored on a remote server, and there currently impossible to break the encryption of the latest version.

Dharma-Html Ransomware is one of the types of encryption viruses based on the code of the family of Crysis-Dharma-Cezar ransomware. Version, that is under review today has certain differences. It adds .html extension to encrypted files and uses other e-mail addresses for communication. Dharma-Html Ransomware, as well as other latest Dharma variations, doesn't have decryptor, that can automatically decrypt encoded data. However, using instructions below can help you recover some files. Dharma-Html Ransomware creates suffix, that consists of several parts: prefix "id-", identification number (alphanumeric and unique for each computer), developer's e-mail address and .html extension. The pattern of the filename after encryption looks like this: file called 1.doc will be converted to 1.doc.id-{8-digit-id}.[{email-address}].html.

Jamper Ransomware is a nasty file-encryption virus, that uses AES algorithm to encrypt your files and extorts a ransom of 1 to 3 BTC (Bitcoins). This malware is the successor of VegaLocker (Vega Ransomware) and predecessor of Buran Ransomware. Jamper Ransomware, depending on the version, may add .jamper, .jumper or .SONIC extensions to files it affects. After ransomware activity, your files become inaccessible and unreadable. Malware creates ransom note file called ---README---.TXT after it finishes. Jamper Ransomware removes shadow copies of files (VSS), disables recovery features of Windows, which makes it difficult to recover encrypted files.

Dharma-Good Ransomware is typical representative of encryption viruses from Crysis-Dharma-Cezar ransomware family. This sample appends .good extension to affected files. Dharma-Good Ransomware adds complex extension, that consists of unique id, developer's e-mail and .good suffix. As a result, file named 1.doc will be converted to 1.doc.id-{8-digit-id}.[{email-address}].good. Dharma-Good Ransomware developers can extort from $500 to $15000 ransom in BTC (BitCoins) for decryption. Usually, it is quite big amount of money, because hackers pay the commission to Dharma Ransomware as Service (RaaS) owners. Using cryptocurrency makes it impossible to track the payee. Besides, victims of such viruses often get scammed, and malefactors don't send any keys even after paying the ransom. We do not recommend to pay any money to malefactors. Usually, after some period of time security specialists from antivirus companies or individual researchers break the algorithms and release decryption keys. Mention, that some files can be restored by using backups, shadow copies, previous versions of files or file-recovery software.

Dharma-MERS Ransomware is another iteration of extremely dangerous Crysis-Dharma-Cezar ransomware family, that, in this case, adds .MERS extension to the end of the files it encrypts. Virus, actually, composes suffix using several parts: e-mail address, unique 8-digit identification number (randomly generated) and .MERS extension. So, finally, encoded files will receive following complex suffix - .id-{8-digit-id}.[{email-address}].MERS. As a rule, Dharma-type Ransomware extorts for $500 to $1500 ransom, that can be paid in Monero, Dash or BTC (BitCoins), and in return they promise to send decryption key. Using cryptocurrency makes it impossible to track the payee. We do not recommend to pay any money to malefactors. Usually, after some period of time security specialists from antivirus companies or individual researchers break the algorithms and release decryption keys. Mention, that some files can be restored by using backups, shadow copies, previous versions of files or file-recovery software.

Dharma-Qbix Ransomware is one of the subspecies of Crysis-Dharma-Cezar ransomware family, that appends .bkpx extension to the files it encrypts. Virus utilizes extension, that consists of several parts: e-mail adress, unique 8-digit ID (randomly generated) and .qbix suffix. As a rule, Dharma-Qbix Ransomware virus asks for $500 to $1500 ransom, that have to be paid in Monero, Dash or BTC (BitCoins), and in return they promise to send decryption key. However, malefactors often do not hold back promises and do not send any decryption keys, or just ignore e-mails from victims, who paid the ransom. It is not advised to send any funds to the hackers. Usually, after some period of time security specialists from antivirus companies and individual researchers break the algorithms and release decoding key. Its noteworthy, that some files can be restored by using backups, shadow copies, previous versions of files or file-recovery software and instructions given on this page.

GlobeImposter 2.0 Ransomware is the second generation of file-encrypting ransomware virus GlobeImposter. The name "GlobeImposter" was originnaly given to it by crypto-ransomware identification service called "ID-Ransomware", because of the assignment by the extortioners of the "proprietary" ransom note from the Globe Ransomware family. The purpose was to frighten the victims, to confuse the researchers, to discredit the decryption programs released for the Globe-family. Thus, all Globe-imitators, which are not decrypted by the decryption utilities released for Globe 1-2-3, received the conditional name GlobeImposter, and after that - GlobeImposter 2.0. Virus can be detected by various antivirus programs as Trojan.Encoder.7325, Trojan.Encoder.10737, Trojan.Encoder.11539, Ransom_FAKEPURGE.A or Ransom.GlobeImposter.