What is Dharma-Qbix Ransomware
Dharma-Qbix Ransomware is one of the subspecies of Crysis-Dharma-Cezar ransomware family, that appends .qbix extension to the files it encrypts. Virus utilizes extension, that consists of several parts: e-mail address, unique 8-digit ID (randomly generated) and .qbix suffix. In the end addition template looks like this – .id-{8-digit-id}.[{email-address}].qbix. For example, this extension was used on computers of some of the victims in USA:
- .id-{id}.[backdata@qq.com].qbix
When malware finishes encryption process, it places file: RETURN FILES.txt in the folders with encrypted files and on the desktop. Below you can see message from ransomware window. RETURN FILES.txt is the short text file with such message:
All FILES ENCRYPTED "RSA1024"
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL backdata@qq.com
IN THE LETTER WRITE YOUR ID, YOUR ID 1E857D00
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL:dta@cock.li
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON'T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
DECRYPTION PROCESS:
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
!WARNING!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
All your data is encrypted!
for return write to mail:
backdata@qq.com or dta@cock.li
As a rule, Dharma-Qbix Ransomware virus asks for $500 to $1500 ransom, that have to be paid in Monero, Dash or BTC (BitCoins), and in return they promise to send decryption key. However, malefactors often do not hold back promises and do not send any decryption keys, or just ignore e-mails from victims, who paid the ransom. It is not advised to send any funds to the hackers. Usually, after some period of time security specialists from antivirus companies and individual researchers break the algorithms and release decoding key. Its noteworthy, that some files can be restored by using backups, shadow copies, previous versions of files or file-recovery software and instructions given on this page. Learn how to remove Dharma-Qbix Ransomware and decrypt .qbix files in Windows 10, 8, 7 with help of this article.
How Dharma-Qbix Ransomware infected your PC
Dharma-Qbix Ransomware uses spam mailing with malicious .docx attachments. Such attachments have malicious macros, that runs when user opens the file. This macros downloads executable from the remote server, that, in its turn, starts encryption process. Virus can also use Remote Desktop services to infiltrate victim’s PCs. It is important to know, that this ransomware can encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares. It is necessary to control access to network shares. After encryption, the shadow copies of the files are deleted by the command:
vssadmin.exe vssadmin delete shadows /all /quiet
Virus assigns certain ID with the victims, that is used to name those files and supposedly to send decryption key. In order to prevent infection with this type of threats in future we recommend you to use SpyHunter 5 or Norton Antivirus.
Download Dharma-Qbix Ransomware Removal Tool
To remove Dharma-Qbix Ransomware completely, we recommend you to use Norton Antivirus from Symantec. It detects and removes all files, folders and registry keys of Dharma-Qbix Ransomware.
How to remove Dharma-Qbix Ransomware manually
It is not recommended to remove Dharma-Qbix Ransomware manually, for safer solution use Removal Tools instead.
Dharma-Qbix Ransomware files:
Info.hta
{randomfilename}.exe
FILES ENCRYPTED.txt
DHL.exe
Dharma-Qbix Ransomware registry keys:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "filename.exe" = %UserProfile%\AppData\Roaming\{randomfilename}.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "filename.exe" = %UserProfile%\AppData\Roaming\{randomfilename}.exe
How to decrypt and restore .qbix files
Use automated decryptors
Use following tool from Kaspersky called Rakhni Decryptor, that can decrypt .qbix files. Download it here:
There is no purpose to pay the ransom, because there is no guarantee you will receive the key, but you will put your bank credentials at risk.
If you are infected with Dharma-Qbix Ransomware and removed it from your computer you can try to decrypt your files. Antivirus vendors and individuals create free decryptors for some crypto-lockers. To attempt to decrypt them manually you can do the following:
Use Stellar Phoenix Data Recovery Pro to restore .qbix files
- Download Stellar Phoenix Data Recovery Pro.
- Select location to scan for lost files and click Scan button.
- Wait until Quick and Deep scans finish.
- Preview found files and restore them.
Using Windows Previous Versions option:
- Right-click on infected file and choose Properties.
- Select Previous Versions tab.
- Choose particular version of the file and click Copy.
- To restore the selected file and replace the existing one, click on the Restore button.
- In case there is no items in the list choose alternative method.
Using Shadow Explorer:
- Download Shadow Explorer program.
- Run it and you will see screen listing of all the drives and the dates that shadow copy was created.
- Select the drive and date that you want to restore from.
- Right-click on a folder name and select Export.
- In case there are no other dates in the list, choose alternative method.
If you are using Dropbox:
- Login to the DropBox website and go to the folder that contains encrypted files.
- Right-click on the encrypted file and select Previous Versions.
- Select the version of the file you wish to restore and click on the Restore button.
How to protect computer from viruses like Dharma-Qbix Ransomware in future
1. Get special anti-ransomware software
Use ZoneAlarm Anti-Ransomware
Famous antivirus brand ZoneAlarm by Check Point released a comprehensive tool, that will help you with active anti-ransomware protection, as an additional shield to your current protection. The tool provides Zero-Day protection against ransomware and allows you to recover files. ZoneAlarm Anti-Ransomware is compatible with all other antiviruses, firewalls, and security software except ZoneAlarm Extreme (already shipped with ZoneAlarm Anti-Ransomware) or Check Point Endpoint products. The killer features of this application are: automatic file recovery, overwrite protection that instantly and automatically recovers any encrypted files, file protection that detects and blocks even unknown encryptors.
2. Back up your files
Regardless of success of protection against ransomware threats, you can save your files using simple online backup. Cloud services are quite fast and cheap nowadays. There is more sense using online backup, than creating physical drives, that can get infected and encrypted when connected to PC or get damaged from dropping or hitting. Windows 10 and 8/8.1 users can find pre-installed OneDrive backup solution from Microsoft. It is actually one of the best backup services on the market, and has reasonable pricing plans. Users of earlier versions can get acquainted with it here. Make sure to backup and sync most important files and folders in OneDrive.
3. Do not open spam e-mails and protect your mailbox
Malicious attachments to spam or phishing e-mails is most popular method of ransomware distribution. Using spam filters and creating anti-spam rules is good practice. One of the world leaders in anti-spam protection is MailWasher Pro. It works with various desktop applications, and provides very high level of anti-spam protection.