New Variant of Dharma Ransomware Identified

A new variant of Dharma ransomware has been detected. The ransomware is capable of encrypting files on a local device as well files on mapped network drives, unmapped network shares, and shared virtual machine hosts.

Dharma was first seen in November 2016 and shares several traits with CrySiS ransomware. While a decryptor was released in 2017 that allowed businesses to recover files without paying the ransom, new Dharma ransomware variants are often released which cannot be decrypted without payment of a ransom. There have been at least ten variants of Dharma ransomware released since the original version was first detected in 2016.

This year has seen two new Dharma variants released. In March, a variant of Dharma ransomware was detected that used the .arrow extension. This month a new variant has been detected that uses the .bip extension. Neither of these new Dharma variants can be decrypted for free. Recovery from an infection is only possible by paying the ransom or recovering encrypted files from backups.

The latest variant of this ransomware was detected by Security researcher Michael Gillespie, with other security researchers confirming this was indeed a new Dharma variant. What is not known is how this ransomware variant is being distributed. It is possible that email is being used, although the threat actors behind past variants of the ransomware appear to favor manual installation of the ransomware after gaining access to devices through brute force attacks on Remote Desktop Services.

As is now common with new ransomware variants, infection will see Windows Shadow Volume copies deleted. Victims are notified of the infection on boot and a notice is also dropped on the desktop. The ransomware is configured to run again when a user logs into Windows, ensuring recently created files that have been missed by the initial encryption are also encrypted.

While many ransomware variants stipulate the ransomware amount in the notice, the threat actors behind this attack require the victim to email them to find out how much they must pay for the decryption keys. This is an increasingly common tactic as it allows the attackers to set the ransom demand based on the perceived ability of the victim to pay.

To protect against the threat, businesses should ensure they have robust backup policies. Multiple backups should be created and those backups should be tested to make sure file recovery is possible. Anti-malware and anti-virus solutions should be used that have behavioral detection capabilities to ensure an attack can be detected in progress, even if the signature of the ransomware is not present in the database.

Network privileges should be limited as far as possible and Remote Desktop services should be disabled unless strictly necessary. If required, strong passwords should be set to reduce susceptibility to brute force attacks and devices with Remote Desktop Services enabled should not be allowed to connect directly to the Internet.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of