CrySIS aka Dharma Ransomware

Written by Darshit Varotaria

I'm a Web Application Pentester, Security Researcher and Bug Hunter.

November 13, 2019

Hey Techies! Back again with a new blog. In this blog, I will be talking about CrySIS Ransomware, which is also known as Dharma Ransomware. This ransomware is back in the news these days and is affecting businesses running Windows systems.

Dharma Ransomware has been around since 2016, but it showed a new spike in activity between Feb 2019 and April 2019. It has many variants, and the latest one has proven very difficult to reverse engineer. So there is no fix for this ransomware so far, and the only option to decrypt your files is to pay the ransom, with no guarantee of getting your data back.

[Image: Dharma ransomware note. Source: Coveware]

Distribution of Dharma Ransomware:

Mainly, this ransomware arrives as a malicious attachment in spam emails. The attachment uses a double extension, so Windows displays it as a non-executable file type even though it is an executable.

This ransomware can also reach a Windows system bundled with downloads that pose as legitimate software, including antivirus products. These executables look genuine and are distributed through various online portals and file-sharing networks.

How Does Dharma Ransomware Infect Systems?

The ransomware maintains persistence by creating registry entries in Windows and deletes all restore points. It then encrypts every file on the system except system files and its own malware files.

The encryption scheme, a combination of AES-256 (symmetric) and RSA-1024 (asymmetric), is very strong, and it is also applied to network drives and removable devices.

Once all the files are encrypted, a ransom note is displayed on the victim’s desktop. The note shows an email address for contacting the attacker and the ransom amount, usually 1 Bitcoin.

Some of the extensions appended to encrypted files are .crysis, .dharma, .viper1, .bip, .onion, .cezar, .cobra, .gamma, .lock, etc.

Decrypting Dharma Ransomware:

If you are lucky and were hit by an old variant of Dharma Ransomware, you can find a decryption tool here.

Countermeasures:

  1. Enable “Network Level Authentication”.
  2. Change your RDP port to avoid discovery by port scanners. By default, RDP listens on port 3389 for both TCP and UDP.
  3. Do not rely on Windows restore points. Put an effective data backup strategy in place.
  4. Don’t download attachments from suspicious emails, and avoid downloading files from unofficial sources.
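As an added example (not part of the original post), the following PowerShell script audits a Windows host against the countermeasures above: it reads the standard Terminal Server registry values for NLA and the RDP port, checks the Explorer setting that hides file extensions (which is what makes the double-extension attachment trick work), and counts existing shadow copies as a reminder that they are not a backup. The `-Fix` switch is an assumed convenience that only enforces NLA and extension display; changing the RDP port is reported but left manual because it also needs matching firewall rules.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell session.
param([switch]$Fix)

$rdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$tsRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

$findings = @()

# 1. Network Level Authentication: UserAuthentication = 1 means NLA is required.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    $findings += 'NLA is not required for RDP connections'
    if ($Fix) { Set-ItemProperty -Path $rdpTcp -Name UserAuthentication -Value 1 -Type DWord }
}

# 2. RDP listening port: 3389 is the default that port scanners check first.
$port = (Get-ItemProperty -Path $rdpTcp -Name PortNumber).PortNumber
if ($port -eq 3389) { $findings += 'RDP is listening on the default port 3389' }

# Is Remote Desktop enabled at all? fDenyTSConnections = 1 means it is disabled.
$deny = (Get-ItemProperty -Path $tsRoot -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 0) { $findings += 'Remote Desktop is enabled; confirm it is actually needed' }

# 3. Hidden extensions let a file named invoice.pdf.exe display as invoice.pdf,
#    which is the double-extension trick used by the spam attachments.
$hideExt = (Get-ItemProperty -Path $explorer -Name HideFileExt).HideFileExt
if ($hideExt -eq 1) {
    $findings += 'Explorer hides known file extensions (double-extension lure is effective)'
    if ($Fix) { Set-ItemProperty -Path $explorer -Name HideFileExt -Value 0 -Type DWord }
}

# 4. Restore points / shadow copies: report how many exist, as a reminder that
#    the ransomware deletes them and they are not a substitute for offline backups.
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue
$findings += "Volume shadow copies present: $(@($shadows).Count) (not a backup)"

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "[!] $_" } }
```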


1 Comment

  1. JamesSkync

    Great website! It looks very professional! Sustain the good job!
