Ransomware Research
Dharma Ransomware
Dharma is a malicious ransomware strain that encrypts victim files and demands ransom payment for decryption. First observed in the wild on November 1, 2016, this ransomware has been actively targeting systems worldwide.
Quick facts
Ransomware Family
Dharma
First Seen
November 1, 2016
How Dharma ransomware works
File encryption patterns
Dharma modifies encrypted files using specific patterns to mark them as encrypted:
Extensions added after encryption
.2020.2021.2048.8800.888.0day.1btc.1dec.2new.4k.aa1.abc.acuf2.adobe.aim.air.amber.aqva.arena.arrow.asd.asus.auf.aye.azero.back.bang.bat.bear.beets.best.betta.bgtx.bip.bitx.biz.bizer.bk666.bkp.bkpx.blend.bmd.bmo.boost.bot.brrr.bsc.btc.btix.cap.carcn.cash.cesar.cezar.cl.cmb.cmd.cobra.com.com2.combo.crash.crown.cry.cu.data.ddos.dharma.dqb.dr.drweb.ebola.eth.fire.frend.funny.gamma.gate.get.gif.gold.good.group.gtf.hack.harma.hat.hccapx.heets.html.hunt.imi.ipm.jack.java.karls.kick.kjh.korea.kr.krab.ldpr.like.live.lock.log.LOL.love.love$.lx.mark.mers.mgs.mnbzr.money.monro.ms13.msh.msplt.myjob.n3.ncov.news.ninja.nqix.nw24.nwa.one.onion.oo7.pay.pbd.pdf.php.plex.plomb.plut.pphl.prnds.q1g.qbix.qbtex.qbx.qwex.r2d2.rec.ridik.risk.rsa.rxx.santa.save.self.smpl.start.stun.syss.tcprx.teren.tor13.tron.usa.uta.vanss.virus.vival.waifu.wal.wallet.war.week.why.wiki.wrar.write.xati.xda.xtbl.xwx.xxxx.xxxxx.yg.ykup.z9.zoh.zzzzz.[crypt7@qq.com].[decryptoperator@qq.com].[f-data@protonmail.com].[helpsok@cock.li].[infinity@firemail.cc].blm.EUR.chuk.AHP.AUDIT.lina.WSHLP.fresh.cve.FLYU.zxcv.gtsc.dme.LCK.bH4T.YUFL.kut.259.Elvis.zimba.sss.help.dex.ZIN.SWP.cvc.SUKA.msf.21btc.mpr.bk.gac.4help.yoAD.14x.hub.aol.dis.ROGER.NOV.22btc.Avaad.crypt.TomLe.text.con30.LOTUS.wcg.word.pauq.four.urs.clman.ORAL.Jessy.ROG.biden.eofyd.duk.LAO.pirat.liz.bqd2.4o4.ctpl.error.2122.HPJ.bdev.cum.eye.dhlp.root.rdp.DELTA.PARTY.cnc.ZIG.nmc.ZEUS.pr09.PB.DT.PcS.pause.OFF.grej.dance.TOR.GanP.CLEAN.JRB.filters.c0v.dts.TCYO.6ix9.RZA.MS.C1024.zphs.video.ZILLA.[quacksalver@onionmail.org].ver.[MailPayment@decoding.biz].BTC.credo.ior.-info@kraken.cc_worldcza@email.cz.vbox.[ht2707@email.vccs.edu].com
Ransom note and payment demands
After encrypting files, Dharma displays ransom notes demanding payment for file recovery:
fileHow to decrypt your files.txt
fileHOW TO DECRYPT YOUR DATA.txt
notes/HOW TO DECRYPT YOUR DATA.txt
Location: Desktop, StartUp
fileINFORMATION ! ATTENTION!!!.txt
notes/INFORMATION ! ATTENTION!!!.txt
Location: Desktop, StartUp
fileDANGIR DATA BLOKED.txt
notes/DANGIR DATA BLOKED.txt
Location: Desktop, StartUp
filegrand car back data.txt
notes/grand car back data.txt
Location: RootDiscs, Desktop
filecrann--recovery.txt
notes/crann--recovery.txt
Location: RootDiscs, Desktop
fileFILES ENCRYPTED.txt
notes/FILES ENCRYPTED.txt
Location: RootDiscs, Desktop
fileBACK DATA BASE.txt
notes/BACK DATA BASE.txt
Location: RootDiscs, Desktop
filemanual.txt
notes/manual.txt
Location: RootDiscs, Desktop
fileFiles encrypted!!.txt
notes/Files encrypted!!.txt
fileinfo-hunt.txt
notes/info-hunt.txt
Location: RootDiscs, Desktop
fileRETURN FILES.txt
notes/RETURN FILES.txt
Location: RootDiscs, Desktop
fileDecryption instructions mia.kokers recovery.txt
notes/Decryption instructions mia.kokers recovery.txt
Location: RootDiscs, Desktop
fileREADME!.txt
notes/README!.txt
Location: RootDiscs, Desktop
fileinfo.txt
notes/info.txt
Location: RootDiscs, Desktop
fileMANUAL.txt
notes/MANUAL.txt
Location: RootDiscs, Desktop
fileDATA BACK.txt
notes/DATA BACK.txt
Location: RootDiscs, Desktop
fileMANUALdata.txt
notes/MANUALdata.txt
Location: RootDiscs, Desktop
fileZILLA-INFO.txt
notes/ZILLA-INFO.txt
Location: RootDiscs, Desktop
fileGood morninng.txt
notes/Good morninng.txt
Location: RootDiscs, Desktop
fileInfo.hta
notes/Info.hta
Location: StartUp
fileSTOPPER.txt
notes/STOPPER.txt
Location: Desktop, StartUp
filedangir!data bloked.txt
notes/dangir!data bloked.txt
Location: Desktop
screenshot
notes/Decryption instructions.jpg
Location: Desktop
screenshot
notes/INFORMATION HOoW TO DECRYYPT FILES.jpg
Location: Desktop
screenshot
notes/MORE INFORMATION.jpg
Location: Desktop
screenshot
notes/Hello!!!.jpg
Location: Desktop
Technical indicators
Associated executable files
The following executable files are associated with Dharma ransomware:
- AcroTray.exe
- VIBOH96JASRVFASI.exe
- dh.exe
- adobe.exe
- worm.exe
- Dharma.exe
- Skanda.exe
- Skanda.exe.bin
- dharma1.exe.dontrun
- TMBT11.exe
- Medieval.exe
- inter0712_bendix_cr2.exe
- setup.exe
- 122334455.exe.POZOR
- 1.exe
- 1adobe.exe
- payload_132MMK.exe_Virus
- payload_132MMK.exe
- aaaa2.exe
- volantem_diem@aol.com.exe
- volantem_diem@aol.com.exe.172903.gzquar
- virus.exe.bin
- payload_139MMK.exe
- mandanos.exe
- 30GAGSAS.exe
- chivas@aolonline.top.exe
- IPV0Z3QN.exe
- QAHHC504.exe
- 1FFVVT6D.exe
- RollVibratin
- RollVibratin.exe
- _psi.exe
- 23.EXE
- SERVICE_2017-11-04_12-18.EXE
- FILE_178
- payload_56TGSS.exe
- program.exe
- 1taskmgr.exe
- osnova.exe
- taskmgr.exe
- explore.exe
- 1taskhoste.exe
- bild.exe.exe
- FILE_3
- bacon_2018-03-03_16-46.exe
- CrySiS.exe
- 5401P0_payload.exe.bin
- pleasedvfm.exe
- myfile.exe
- 1cry.exe
- detrimentalnue.exe
- 1smscry.exe
- crysis.exe
- withlove.exe
- dharma.bin
- executable.exe
- aee.exe
- Penland Kilby
- Penland Kilby.exe
- 0609.EXE
- Sdn
- Sdn.exe
- 0709.exe
- 0709.EXE
- HEAL.EXE
- PassGen.exe
- WscParent
- WscParent.exe
- unlikexpc.exe
- dllhost1cr.exe
- software.exe
- SauvegardeProjet.exe
- trbnugt3.exe
- liketesc.exe
- file.exe
- crysis_2018-10-30 - copy.exe
- SandraCombine
- ProgSnake.exe
- w2rujjry.exe
- Unlock.exe
- Unlock
- 1BULD_0611.EXE
- ScanEngine
- a2engine.dll
- ScCls.dll
- expIorer.exe
- expiorer.exe
- realtek.exe_
- SVHOST.EXE
- svhost.bin
- svhost.exe
- realtek.exe
- TaskifierV.exe
- k1zdujh2.exe
- exlorer64.exe.bak
- exlorer64.exe
- explorer64.exe
- cejeoh.exe
- 123.EXE
- 123.exe
- 1nl.exe
- XMLViewer.exe
- bwrdcmwd.exe
- 1vera.exe
- 1Vera
- vera.exe
- 1Vera.exe
- 1vera.exe.del
- 1vera.exe1
- sx5102_payload.exe
- sx5102_payload.exe12
- Discvery
- Discvery.exe
- !Apache HTTP.exe
- 2Explorer.ex_
- AAAA.exe
- 2Explorer.exe
- winhost.exe
- Cosmetics
- 1801.exe
- LogSession.exe
- antimalware.exe
- viabba~1.exe
- exe.exe_
- shafao.exe
- shaofao.exe
- Ebay Option
- 0402.exe
- 0402.exe1
- locki.exe
- update.exe
- payload.exe
- payload - copy.exe
- exp1mod.exe
- chrome64.bin
- A7E776078C.tmp
- chrome64b.exe
- 1csrss.exe
- 1csrss.exe12
- 11.exe
- load0.exe
- crysis_mers.exe
- Crysis.exe
- payload3.exe
- taskhost.exe
- mtapu.exe
- expIorer32.exe
- Pg
- payload2.exe
- curve.exe
- p.exe
- expiorer321.exe
- reaItek.exe
- agent1c.exe
- demo.exe
- MicosoftSearch.exe
- Are
- partmgr.sys
- dmx111lm.exe
- 6IYL8XYU.exe
- AGENT1C.EXE
- BiosForhis
- LevelledPeaked.exe
- dmx35pd.exe
- loadpay.exe
- L3QZJ6_payload.exe
- 1c_x64_agent.exe
- d2.pe32
- d2.exe
- 1svhostru.exeCommon Startup
- file.pe32
- UnsolicitedAntialiased
- 1Black.exe
- VPN_Express_license_generator.exe
- 3G6885.exe
- Relative Discussion
- Leftovers
- payload.pe32
- gjfkyfli;.exe
- K2EY9PNL.exe
- dmx777amx.pe32
- dmx777amx.exe
- 1ElephantS.exe
- 5QA0BONA.exe
- KTEO9SX7.exe
- Takeaway (2).exe
- Complex.exe
- n.exe
- Zipcloak Under
- 1c_bit.exe
- adamsCopy.vexe
- exec.exe
- UncImmune
- 1с_.exe
- Statement.exe
- ContinuumLoosely
- unpacked.exe
- dmx777.exe
- crysis_roger.exe
- XDJIEAWU.exe
- shaofao.pe32
- Zip.exe
- WinRar.exe
- winhost.exee
- driver.pe32
- driver.exe
- 05484199.exe
- CoronaVirus.exe
- KMS_VL_ALL_AIO.exe
- 2_5474224874345991605.exe
- Ransomware.CoronaVirus.exe
- Trojan.Ransom.CoronaVirus
- Fortnite.exe
- CoronaVirus Ransomware.exe
- Trojan.Ransom.CoronaVirus.exe
- COVID-19.exe
- Coronavirus.exe
- 1svhostru.exe
- pizdavam.exe
- 004
- tmp.exe
- 1pgp.exe
- sample1.bin
- svchost.exe
- mewler.exe
- DesktopTuner.exe
- 1U9C8B9.exe
- Explorer.exe
- DHL.exe
- avflantuheems1984.exe
- notepad.exe
- reaitek.exe
- E5M99S_payload.exe
- chk_crysis_10_dec_19.exe
- xxx.exe
- SYSDEFENDER.EXE
- payload.exe-11
- lsas.exe
- ASLIPUHA.EXE
- 1data_recovery.exe
- 1sass.exe
- 1task.exe
- 1344.exe
- ClearWin.exe
- 1pros.exe
About this analysis
This Dharma ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery, helping organizations defend against and recover from ransomware attacks like Dharma.
Last updated: December 30, 2025
Detection coverage
Elastio detects Dharma inside your data and backups.
The Hunt Engine uses Deep File Inspection to identify Dharma across live data, replicated data, and backups. If this family is in your environment, Elastio finds it before encryption completes. Run a scan against your recovery points to confirm.
Recent ransomware
Explore other threats in our database