Ransomware Research

Dharma Ransomware

Dharma is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on November 1, 2016, this ransomware has been actively targeting systems worldwide.

Quick Facts

Ransomware Family: Dharma
First Seen: November 1, 2016

How Dharma Ransomware Works

Targeted Files

Filenames format for most -> .id-XXXXXXXX.[DonovanTudor@aol.com].com2; .id-XXXXXXXX.[panama777@tutanota].Acuf2; .id-XXXXXXXX.[<email>].harma https://app.any.run/tasks/0d729459-78f3-47c0-b349-bd0d3e17b1b0/ https://app.any.run/tasks/2f37e683-faa4-4255-997c-a8f66580eecf/# https://www.bleepingcomputer.com/forums/t/632389/dharma-ransomware-id-idemaildharma-support-topic/page-172#entry4769474

File Encryption Patterns

Dharma modifies encrypted files using specific patterns to mark them as encrypted:

File extensions added after encryption:

..2020..2021..2048..8800..888..0day..1btc..1dec..2new..4k..aa1..abc..acuf2..adobe..aim..air..amber..aqva..arena..arrow..asd..asus..auf..aye..azero..back..bang..bat..bear..beets..best..betta..bgtx..bip..bitx..biz..bizer..bk666..bkp..bkpx..blend..bmd..bmo..boost..bot..brrr..bsc..btc..btix..cap..carcn..cash..cesar..cezar..cl..cmb..cmd..cobra..com..com2..combo..crash..crown..cry..cu..data..ddos..dharma..dqb..dr..drweb..ebola..eth..fire..frend..funny..gamma..gate..get..gif..gold..good..group..gtf..hack..harma..hat..hccapx..heets..html..hunt..imi..ipm..jack..java..karls..kick..kjh..korea..kr..krab..ldpr..like..live..lock..log..LOL..love..love$..lx..mark..mers..mgs..mnbzr..money..monro..ms13..msh..msplt..myjob..n3..ncov..news..ninja..nqix..nw24..nwa..one..onion..oo7..pay..pbd..pdf..php..plex..plomb..plut..pphl..prnds..q1g..qbix..qbtex..qbx..qwex..r2d2..rec..ridik..risk..rsa..rxx..santa..save..self..smpl..start..stun..syss..tcprx..teren..tor13..tron..usa..uta..vanss..virus..vival..waifu..wal..wallet..war..week..why..wiki..wrar..write..xati..xda..xtbl..xwx..xxxx..xxxxx..yg..ykup..z9..zoh..zzzzz..[crypt7@qq.com]..[decryptoperator@qq.com]..[f-data@protonmail.com]..[helpsok@cock.li]..[infinity@firemail.cc]..blm..EUR..chuk..AHP..AUDIT..lina..WSHLP..fresh..cve..FLYU..zxcv..gtsc..dme..LCK..bH4T..YUFL..kut..259..Elvis..zimba..sss..help..dex..ZIN..SWP..cvc..SUKA..msf..21btc..mpr..bk..gac..4help..yoAD..14x..hub..aol..dis..ROGER..NOV..22btc..Avaad..crypt..TomLe..text..con30..LOTUS..wcg..word..pauq..four..urs..clman..ORAL..Jessy..ROG..biden..eofyd..duk..LAO..pirat..liz..bqd2..4o4..ctpl..error..2122..HPJ..bdev..cum..eye..dhlp..root..rdp..DELTA..PARTY..cnc..ZIG..nmc..ZEUS..pr09..PB..DT..PcS..pause..OFF..grej..dance..TOR..GanP..CLEAN..JRB..filters..c0v..dts..TCYO..6ix9..RZA..MS..C1024..zphs..video..ZILLA..[quacksalver@onionmail.org].ver..[MailPayment@decoding.biz].BTC..credo..ior.-info@kraken.cc_worldcza@email.cz..vbox..[ht2707@email.vccs.edu].com

Ransom Note and Payment Demands

After encrypting files, Dharma displays ransom notes demanding payment for file recovery:

fileHow to decrypt your files.txt

fileHOW TO DECRYPT YOUR DATA.txt

Ransom message:

notes/HOW TO DECRYPT YOUR DATA.txt

Note locations:

DesktopStartUp

fileINFORMATION ! ATTENTION!!!.txt

Ransom message:

notes/INFORMATION ! ATTENTION!!!.txt

Note locations:

DesktopStartUp

filegrand car back data.txt

Ransom message:

notes/grand car back data.txt

Note locations:

RootDiscsDesktop

filecrann--recovery.txt

Ransom message:

notes/crann--recovery.txt

Note locations:

RootDiscsDesktop

fileFILES ENCRYPTED.txt

Ransom message:

notes/FILES ENCRYPTED.txt

Note locations:

RootDiscsDesktop

fileBACK DATA BASE.txt

Ransom message:

notes/BACK DATA BASE.txt

Note locations:

RootDiscsDesktop

filemanual.txt

Ransom message:

notes/manual.txt

Note locations:

RootDiscsDesktop

fileFiles encrypted!!.txt

Ransom message:

notes/Files encrypted!!.txt

fileinfo-hunt.txt

Ransom message:

notes/info-hunt.txt

Note locations:

RootDiscsDesktop

fileRETURN FILES.txt

Ransom message:

notes/RETURN FILES.txt

Note locations:

RootDiscsDesktop

fileDecryption instructions mia.kokers recovery.txt

Ransom message:

notes/Decryption instructions mia.kokers recovery.txt

Note locations:

RootDiscsDesktop

fileREADME!.txt

Ransom message:

notes/README!.txt

Note locations:

RootDiscsDesktop

fileinfo.txt

Ransom message:

notes/info.txt

Note locations:

RootDiscsDesktop

fileMANUAL.txt

Ransom message:

notes/MANUAL.txt

Note locations:

RootDiscsDesktop

fileDATA BACK.txt

Ransom message:

notes/DATA BACK.txt

Note locations:

RootDiscsDesktop

fileMANUALdata.txt

Ransom message:

notes/MANUALdata.txt

Note locations:

RootDiscsDesktop

fileZILLA-INFO.txt

Ransom message:

notes/ZILLA-INFO.txt

Note locations:

RootDiscsDesktop

fileGood morninng.txt

Ransom message:

notes/Good morninng.txt

Note locations:

RootDiscsDesktop

fileInfo.hta

Ransom message:

notes/Info.hta

Note locations:

StartUp

fileSTOPPER.txt

Ransom message:

notes/STOPPER.txt

Note locations:

DesktopStartUp

filedangir!data bloked.txt

Ransom message:

notes/dangir!data bloked.txt

Note locations:

Desktop

screenshot

Ransom message:

notes/Decryption instructions.jpg

Note locations:

Desktop

screenshot

Ransom message:

notes/INFORMATION HOoW TO DECRYYPT FILES.jpg

Note locations:

Desktop

screenshot

Ransom message:

notes/MORE INFORMATION.jpg

Note locations:

Desktop

Technical Indicators

Associated Executable Files

The following executable files are associated with Dharma ransomware:

AcroTray.exe
VIBOH96JASRVFASI.exe
dh.exe
adobe.exe
worm.exe
Dharma.exe
Skanda.exe
Skanda.exe.bin
dharma1.exe.dontrun
TMBT11.exe
Medieval.exe
inter0712_bendix_cr2.exe
setup.exe
122334455.exe.POZOR
1.exe
1adobe.exe
payload_132MMK.exe_Virus
payload_132MMK.exe
aaaa2.exe
volantem_diem@aol.com.exe
volantem_diem@aol.com.exe.172903.gzquar
virus.exe.bin
payload_139MMK.exe
mandanos.exe
30GAGSAS.exe
chivas@aolonline.top.exe
IPV0Z3QN.exe
QAHHC504.exe
1FFVVT6D.exe
RollVibratin
RollVibratin.exe
_psi.exe
23.EXE
SERVICE_2017-11-04_12-18.EXE
FILE_178
payload_56TGSS.exe
program.exe
1taskmgr.exe
osnova.exe
taskmgr.exe
explore.exe
1taskhoste.exe
bild.exe.exe
FILE_3
bacon_2018-03-03_16-46.exe
CrySiS.exe
5401P0_payload.exe.bin
pleasedvfm.exe
myfile.exe
1cry.exe
detrimentalnue.exe
1smscry.exe
crysis.exe
withlove.exe
dharma.bin
executable.exe
aee.exe
Penland Kilby
Penland Kilby.exe
0609.EXE
Sdn
Sdn.exe
0709.exe
0709.EXE
HEAL.EXE
PassGen.exe
WscParent
WscParent.exe
unlikexpc.exe
dllhost1cr.exe
software.exe
SauvegardeProjet.exe
trbnugt3.exe
liketesc.exe
file.exe
crysis_2018-10-30 - copy.exe
SandraCombine
ProgSnake.exe
w2rujjry.exe
Unlock.exe
Unlock
1BULD_0611.EXE
ScanEngine
a2engine.dll
ScCls.dll
expIorer.exe
expiorer.exe
realtek.exe_
SVHOST.EXE
svhost.bin
svhost.exe
realtek.exe
TaskifierV.exe
k1zdujh2.exe
exlorer64.exe.bak
exlorer64.exe
explorer64.exe
cejeoh.exe
123.EXE
123.exe
1nl.exe
XMLViewer.exe
bwrdcmwd.exe
1vera.exe
1Vera
vera.exe
1Vera.exe
1vera.exe.del
1vera.exe1
sx5102_payload.exe
sx5102_payload.exe12
Discvery
Discvery.exe
!Apache HTTP.exe
2Explorer.ex_
AAAA.exe
2Explorer.exe
winhost.exe
Cosmetics
1801.exe
LogSession.exe
antimalware.exe
viabba~1.exe
exe.exe_
shafao.exe
shaofao.exe
Ebay Option
0402.exe
0402.exe1
locki.exe
update.exe
payload.exe
payload - copy.exe
exp1mod.exe
chrome64.bin
A7E776078C.tmp
chrome64b.exe
1csrss.exe
1csrss.exe12
11.exe
load0.exe
crysis_mers.exe
Crysis.exe
payload3.exe
taskhost.exe
mtapu.exe
expIorer32.exe
Pg
payload2.exe
curve.exe
p.exe
expiorer321.exe
reaItek.exe
agent1c.exe
demo.exe
MicosoftSearch.exe
Are
partmgr.sys
dmx111lm.exe
6IYL8XYU.exe
AGENT1C.EXE
BiosForhis
LevelledPeaked.exe
dmx35pd.exe
loadpay.exe
L3QZJ6_payload.exe
1c_x64_agent.exe
d2.pe32
d2.exe
1svhostru.exeCommon Startup
file.pe32
UnsolicitedAntialiased
1Black.exe
VPN_Express_license_generator.exe
3G6885.exe
Relative Discussion
Leftovers
payload.pe32
gjfkyfli;.exe
K2EY9PNL.exe
dmx777amx.pe32
dmx777amx.exe
1ElephantS.exe
5QA0BONA.exe
KTEO9SX7.exe
Takeaway (2).exe
Complex.exe
n.exe
Zipcloak Under
1c_bit.exe
adamsCopy.vexe
exec.exe
UncImmune
1с_.exe
Statement.exe
ContinuumLoosely
unpacked.exe
dmx777.exe
crysis_roger.exe
XDJIEAWU.exe
shaofao.pe32
Zip.exe
WinRar.exe
winhost.exee
driver.pe32
driver.exe
05484199.exe
CoronaVirus.exe
KMS_VL_ALL_AIO.exe
2_5474224874345991605.exe
Ransomware.CoronaVirus.exe
Trojan.Ransom.CoronaVirus
Fortnite.exe
CoronaVirus Ransomware.exe
Trojan.Ransom.CoronaVirus.exe
COVID-19.exe
Coronavirus.exe
1svhostru.exe
pizdavam.exe
004
tmp.exe
1pgp.exe
sample1.bin
svchost.exe
mewler.exe
DesktopTuner.exe
1U9C8B9.exe
Explorer.exe
DHL.exe
avflantuheems1984.exe
notepad.exe
reaitek.exe
E5M99S_payload.exe
chk_crysis_10_dec_19.exe
xxx.exe
SYSDEFENDER.EXE
payload.exe-11
lsas.exe
ASLIPUHA.EXE
1data_recovery.exe
1sass.exe
1task.exe
1344.exe
ClearWin.exe
1pros.exe

Elastio Can Help You

Don't let Dharma ransomware take over your data

Elastio provides advanced ransomware protection and recovery solutions to keep your organization safe.

Learn More Request a Demo

About This Analysis

This Dharma ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Dharma.

Last updated: July 30, 2025

Recent Ransomware

Explore other threats in our database

View all ransomware

Dharma Ransomware

Quick Facts

How Dharma Ransomware Works

Targeted Files

File Encryption Patterns

Ransom Note and Payment Demands

Technical Indicators

Associated Executable Files

Don't let Dharma ransomware take over your data

About This Analysis

Recent Ransomware

Product

Sales

Support

Company

Partners

Knowledge Hub

Social