Dharma Ransomware
Dharma is a ransomware strain that encrypts victims' files and demands a ransom payment in exchange for decryption. First observed in the wild on November 1, 2016, it has been actively targeting systems worldwide since.
Quick Facts
Ransomware Family: Dharma
First Seen: November 1, 2016
How Dharma Ransomware Works
Targeted Files
Filename format for most samples -> .id-XXXXXXXX.[DonovanTudor@aol.com].com2; .id-XXXXXXXX.[panama777@tutanota].Acuf2; .id-XXXXXXXX.[<email>].harma
Sources:
https://app.any.run/tasks/0d729459-78f3-47c0-b349-bd0d3e17b1b0/
https://app.any.run/tasks/2f37e683-faa4-4255-997c-a8f66580eecf/#
https://www.bleepingcomputer.com/forums/t/632389/dharma-ransomware-id-idemaildharma-support-topic/page-172#entry4769474
File Encryption Patterns
Dharma renames each encrypted file by appending a victim id, a contact e-mail address and a variant-specific extension (see the filename format above), which marks the file as encrypted.
Extensions observed at the end of encrypted file names:
.2020
.2021
.2048
.8800
.888
.0day
.1btc
.1dec
.2new
.4k
.aa1
.abc
.acuf2
.adobe
.aim
.air
.amber
.aqva
.arena
.arrow
.asd
.asus
.auf
.aye
.azero
.back
.bang
.bat
.bear
.beets
.best
.betta
.bgtx
.bip
.bitx
.biz
.bizer
.bk666
.bkp
.bkpx
.blend
.bmd
.bmo
.boost
.bot
.brrr
.bsc
.btc
.btix
.cap
.carcn
.cash
.cesar
.cezar
.cl
.cmb
.cmd
.cobra
.com
.com2
.combo
.crash
.crown
.cry
.cu
.data
.ddos
.dharma
.dqb
.dr
.drweb
.ebola
.eth
.fire
.frend
.funny
.gamma
.gate
.get
.gif
.gold
.good
.group
.gtf
.hack
.harma
.hat
.hccapx
.heets
.html
.hunt
.imi
.ipm
.jack
.java
.karls
.kick
.kjh
.korea
.kr
.krab
.ldpr
.like
.live
.lock
.log
.LOL
.love
.love$
.lx
.mark
.mers
.mgs
.mnbzr
.money
.monro
.ms13
.msh
.msplt
.myjob
.n3
.ncov
.news
.ninja
.nqix
.nw24
.nwa
.one
.onion
.oo7
.pay
.pbd
.pdf
.php
.plex
.plomb
.plut
.pphl
.prnds
.q1g
.qbix
.qbtex
.qbx
.qwex
.r2d2
.rec
.ridik
.risk
.rsa
.rxx
.santa
.save
.self
.smpl
.start
.stun
.syss
.tcprx
.teren
.tor13
.tron
.usa
.uta
.vanss
.virus
.vival
.waifu
.wal
.wallet
.war
.week
.why
.wiki
.wrar
.write
.xati
.xda
.xtbl
.xwx
.xxxx
.xxxxx
.yg
.ykup
.z9
.zoh
.zzzzz
.[crypt7@qq.com]
.[decryptoperator@qq.com]
.[f-data@protonmail.com]
.[helpsok@cock.li]
.[infinity@firemail.cc]
.blm
.EUR
.chuk
.AHP
.AUDIT
.lina
.WSHLP
.fresh
.cve
.FLYU
.zxcv
.gtsc
.dme
.LCK
.bH4T
.YUFL
.kut
.259
.Elvis
.zimba
.sss
.help
.dex
.ZIN
.SWP
.cvc
.SUKA
.msf
.21btc
.mpr
.bk
.gac
.4help
.yoAD
.14x
.hub
.aol
.dis
.ROGER
.NOV
.22btc
.Avaad
.crypt
.TomLe
.text
.con30
.LOTUS
.wcg
.word
.pauq
.four
.urs
.clman
.ORAL
.Jessy
.ROG
.biden
.eofyd
.duk
.LAO
.pirat
.liz
.bqd2
.4o4
.ctpl
.error
.2122
.HPJ
.bdev
.cum
.eye
.dhlp
.root
.rdp
.DELTA
.PARTY
.cnc
.ZIG
.nmc
.ZEUS
.pr09
.PB
.DT
.PcS
.pause
.OFF
.grej
.dance
.TOR
.GanP
.CLEAN
.JRB
.filters
.c0v
.dts
.TCYO
.6ix9
.RZA
.MS
.C1024
.zphs
.video
.ZILLA
.[quacksalver@onionmail.org].ver
.[MailPayment@decoding.biz].BTC
.credo
.ior
.-info@kraken.cc_worldcza@email.cz
.vbox
.[ht2707@email.vccs.edu].com
Ransom Note and Payment Demands
After encrypting files, Dharma drops ransom notes demanding payment for file recovery. The observed note file names are listed below, each with its message file and the locations where the note is written:
How to decrypt your files.txt
HOW TO DECRYPT YOUR DATA.txt
  Ransom message: notes/HOW TO DECRYPT YOUR DATA.txt
  Note locations: Desktop, StartUp
INFORMATION ! ATTENTION!!!.txt
  Ransom message: notes/INFORMATION ! ATTENTION!!!.txt
  Note locations: Desktop, StartUp
grand car back data.txt
  Ransom message: notes/grand car back data.txt
  Note locations: RootDiscs, Desktop
crann--recovery.txt
  Ransom message: notes/crann--recovery.txt
  Note locations: RootDiscs, Desktop
FILES ENCRYPTED.txt
  Ransom message: notes/FILES ENCRYPTED.txt
  Note locations: RootDiscs, Desktop
BACK DATA BASE.txt
  Ransom message: notes/BACK DATA BASE.txt
  Note locations: RootDiscs, Desktop
manual.txt
  Ransom message: notes/manual.txt
  Note locations: RootDiscs, Desktop
Files encrypted!!.txt
  Ransom message: notes/Files encrypted!!.txt
info-hunt.txt
  Ransom message: notes/info-hunt.txt
  Note locations: RootDiscs, Desktop
RETURN FILES.txt
  Ransom message: notes/RETURN FILES.txt
  Note locations: RootDiscs, Desktop
Decryption instructions mia.kokers recovery.txt
  Ransom message: notes/Decryption instructions mia.kokers recovery.txt
  Note locations: RootDiscs, Desktop
README!.txt
  Ransom message: notes/README!.txt
  Note locations: RootDiscs, Desktop
info.txt
  Ransom message: notes/info.txt
  Note locations: RootDiscs, Desktop
MANUAL.txt
  Ransom message: notes/MANUAL.txt
  Note locations: RootDiscs, Desktop
DATA BACK.txt
  Ransom message: notes/DATA BACK.txt
  Note locations: RootDiscs, Desktop
MANUALdata.txt
  Ransom message: notes/MANUALdata.txt
  Note locations: RootDiscs, Desktop
ZILLA-INFO.txt
  Ransom message: notes/ZILLA-INFO.txt
  Note locations: RootDiscs, Desktop
Good morninng.txt
  Ransom message: notes/Good morninng.txt
  Note locations: RootDiscs, Desktop
Info.hta
  Ransom message: notes/Info.hta
  Note locations: StartUp
STOPPER.txt
  Ransom message: notes/STOPPER.txt
  Note locations: Desktop, StartUp
dangir!data bloked.txt
  Ransom message: notes/dangir!data bloked.txt
  Note locations: Desktop
Decryption instructions.jpg
  Ransom message: notes/Decryption instructions.jpg
  Note locations: Desktop
INFORMATION HOoW TO DECRYYPT FILES.jpg
  Ransom message: notes/INFORMATION HOoW TO DECRYYPT FILES.jpg
  Note locations: Desktop
MORE INFORMATION.jpg
  Ransom message: notes/MORE INFORMATION.jpg
  Note locations: Desktop
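The rename pattern and the extension and ransom note lists above are enough to build a simple triage check for a directory listing. The script below is an added example written for this page; it is not part of the page's original content and not Elastio's tooling. It applies the page's `.id-XXXXXXXX.[<email>].<ext>` format as a regular expression, treats a match with one of the page's listed extensions as a strong hit and a match with an unlisted extension as worth review, and flags files whose names match the listed ransom notes. The sample listing, the subset of extensions and note names, and the assumption that the victim id is eight alphanumeric characters are constructed for the example.

```python
import os
import re
from collections import Counter

# Rename pattern stated on the page: <original name>.id-XXXXXXXX.[<contact e-mail>].<extension>
# Assumption: the victim id is eight alphanumeric characters and the contact is whatever
# sits between the square brackets; both are treated as opaque strings.
DHARMA_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Za-z]{8})"
    r"\.\[(?P<contact>[^\]]+)\]\.(?P<ext>[^.\\/\s]+)$"
)

# Subset of the appended extensions listed on this page, lower-cased for comparison.
KNOWN_EXTENSIONS = {
    "dharma", "wallet", "zzzzz", "onion", "arena", "cezar", "cesar", "java", "write",
    "arrow", "bip", "cmb", "combo", "brrr", "gamma", "adobe", "tron", "harma", "com2",
    "acuf2", "btc", "eth", "ncov", "lock", "rdp", "zilla",
}

# Subset of the ransom note file names listed on this page.
KNOWN_NOTE_NAMES = {
    "FILES ENCRYPTED.txt", "Info.hta", "info.txt", "RETURN FILES.txt", "MANUAL.txt",
    "README!.txt", "DATA BACK.txt", "HOW TO DECRYPT YOUR DATA.txt", "ZILLA-INFO.txt",
}
_NOTE_NAMES_LOWER = {n.lower() for n in KNOWN_NOTE_NAMES}


def _basename(path):
    # Accept Windows paths on any host by normalising the separator first.
    return os.path.basename(path.replace("\\", "/"))


def classify_filename(path):
    """Return details of a Dharma-style rename, or None if the name does not fit the pattern."""
    m = DHARMA_NAME_RE.match(_basename(path))
    if m is None:
        return None
    ext = m.group("ext").lower()
    return {
        "path": path,
        "original_name": m.group("original"),
        "victim_id": m.group("victim_id"),
        "contact": m.group("contact"),
        "extension": ext,
        # Pattern plus a listed extension is a strong match; pattern alone is worth review.
        "confidence": "high" if ext in KNOWN_EXTENSIONS else "medium",
    }


def is_ransom_note(path):
    """True when the file name matches one of the listed ransom note names (case-insensitive)."""
    return _basename(path).lower() in _NOTE_NAMES_LOWER


def scan_listing(paths):
    """Scan a list of paths; return (renamed files, note paths, per-field counters)."""
    hits = [h for h in (classify_filename(p) for p in paths) if h is not None]
    notes = [p for p in paths if is_ransom_note(p)]
    summary = {
        "victim_ids": Counter(h["victim_id"] for h in hits),
        "contacts": Counter(h["contact"] for h in hits),
        "extensions": Counter(h["extension"] for h in hits),
    }
    return hits, notes, summary


# Constructed directory listing for demonstration; not taken from a real incident.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.id-1E857D00.[DonovanTudor@aol.com].com2",
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Desktop\FILES ENCRYPTED.txt",
    r"C:\Users\alice\Pictures\trip.jpg.id-A1B2C3D4.[panama777@tutanota].Acuf2",
    r"C:\Shares\db\backup.bak.id-1E857D00.[DonovanTudor@aol.com].harma",
    r"C:\Users\alice\Desktop\notes.id-12345678.[someone@example.com].txt",
    r"C:\Users\alice\Desktop\report.id-1E857D00.docx",
]

if __name__ == "__main__":
    hits, notes, summary = scan_listing(SAMPLE_LISTING)
    for h in hits:
        print(f"[{h['confidence']}] {h['path']} -> id={h['victim_id']} "
              f"contact={h['contact']} ext={h['extension']}")
    for n in notes:
        print(f"[note] {n}")
    print("victim ids:", dict(summary["victim_ids"]))
```

The per-field counters are the useful output for a responder: one victim id and one contact address recurring across many files points to a single infected host rather than several, and the extension counter tells you which variant's note to look for. A name that fits the pattern but carries an unlisted extension is reported at medium confidence rather than dropped, because the list on this page grows with every new variant.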
Technical Indicators
Associated Executable Files
The following file names have been observed on executables associated with Dharma ransomware. Several imitate legitimate Windows binaries (for example svhost.exe, taskhost.exe and expIorer.exe with a capital I in place of the l), so a file name on its own is a weak indicator and should be confirmed with a hash or behavioural detection:
AcroTray.exe
VIBOH96JASRVFASI.exe
dh.exe
adobe.exe
worm.exe
Dharma.exe
Skanda.exe
Skanda.exe.bin
dharma1.exe.dontrun
TMBT11.exe
Medieval.exe
inter0712_bendix_cr2.exe
setup.exe
122334455.exe.POZOR
1.exe
1adobe.exe
payload_132MMK.exe_Virus
payload_132MMK.exe
aaaa2.exe
volantem_diem@aol.com.exe
volantem_diem@aol.com.exe.172903.gzquar
virus.exe.bin
payload_139MMK.exe
mandanos.exe
30GAGSAS.exe
chivas@aolonline.top.exe
IPV0Z3QN.exe
QAHHC504.exe
1FFVVT6D.exe
RollVibratin
RollVibratin.exe
_psi.exe
23.EXE
SERVICE_2017-11-04_12-18.EXE
FILE_178
payload_56TGSS.exe
program.exe
1taskmgr.exe
osnova.exe
taskmgr.exe
explore.exe
1taskhoste.exe
bild.exe.exe
FILE_3
bacon_2018-03-03_16-46.exe
CrySiS.exe
5401P0_payload.exe.bin
pleasedvfm.exe
myfile.exe
1cry.exe
detrimentalnue.exe
1smscry.exe
crysis.exe
withlove.exe
dharma.bin
executable.exe
aee.exe
Penland Kilby
Penland Kilby.exe
0609.EXE
Sdn
Sdn.exe
0709.exe
0709.EXE
HEAL.EXE
PassGen.exe
WscParent
WscParent.exe
unlikexpc.exe
dllhost1cr.exe
software.exe
SauvegardeProjet.exe
trbnugt3.exe
liketesc.exe
file.exe
crysis_2018-10-30 - copy.exe
SandraCombine
ProgSnake.exe
w2rujjry.exe
Unlock.exe
Unlock
1BULD_0611.EXE
ScanEngine
a2engine.dll
ScCls.dll
expIorer.exe
expiorer.exe
realtek.exe_
SVHOST.EXE
svhost.bin
svhost.exe
realtek.exe
TaskifierV.exe
k1zdujh2.exe
exlorer64.exe.bak
exlorer64.exe
explorer64.exe
cejeoh.exe
123.EXE
123.exe
1nl.exe
XMLViewer.exe
bwrdcmwd.exe
1vera.exe
1Vera
vera.exe
1Vera.exe
1vera.exe.del
1vera.exe1
sx5102_payload.exe
sx5102_payload.exe12
Discvery
Discvery.exe
!Apache HTTP.exe
2Explorer.ex_
AAAA.exe
2Explorer.exe
winhost.exe
Cosmetics
1801.exe
LogSession.exe
antimalware.exe
viabba~1.exe
exe.exe_
shafao.exe
shaofao.exe
Ebay Option
0402.exe
0402.exe1
locki.exe
update.exe
payload.exe
payload - copy.exe
exp1mod.exe
chrome64.bin
A7E776078C.tmp
chrome64b.exe
1csrss.exe
1csrss.exe12
11.exe
load0.exe
crysis_mers.exe
Crysis.exe
payload3.exe
taskhost.exe
mtapu.exe
expIorer32.exe
Pg
payload2.exe
curve.exe
p.exe
expiorer321.exe
reaItek.exe
agent1c.exe
demo.exe
MicosoftSearch.exe
Are
partmgr.sys
dmx111lm.exe
6IYL8XYU.exe
AGENT1C.EXE
BiosForhis
LevelledPeaked.exe
dmx35pd.exe
loadpay.exe
L3QZJ6_payload.exe
1c_x64_agent.exe
d2.pe32
d2.exe
1svhostru.exeCommon Startup
file.pe32
UnsolicitedAntialiased
1Black.exe
VPN_Express_license_generator.exe
3G6885.exe
Relative Discussion
Leftovers
payload.pe32
gjfkyfli;.exe
K2EY9PNL.exe
dmx777amx.pe32
dmx777amx.exe
1ElephantS.exe
5QA0BONA.exe
KTEO9SX7.exe
Takeaway (2).exe
Complex.exe
n.exe
Zipcloak Under
1c_bit.exe
adamsCopy.vexe
exec.exe
UncImmune
1с_.exe
Statement.exe
ContinuumLoosely
unpacked.exe
dmx777.exe
crysis_roger.exe
XDJIEAWU.exe
shaofao.pe32
Zip.exe
WinRar.exe
winhost.exee
driver.pe32
driver.exe
05484199.exe
CoronaVirus.exe
KMS_VL_ALL_AIO.exe
2_5474224874345991605.exe
Ransomware.CoronaVirus.exe
Trojan.Ransom.CoronaVirus
Fortnite.exe
CoronaVirus Ransomware.exe
Trojan.Ransom.CoronaVirus.exe
COVID-19.exe
Coronavirus.exe
1svhostru.exe
pizdavam.exe
004
tmp.exe
1pgp.exe
sample1.bin
svchost.exe
mewler.exe
DesktopTuner.exe
1U9C8B9.exe
Explorer.exe
DHL.exe
avflantuheems1984.exe
notepad.exe
reaitek.exe
E5M99S_payload.exe
chk_crysis_10_dec_19.exe
xxx.exe
SYSDEFENDER.EXE
payload.exe-11
lsas.exe
ASLIPUHA.EXE
1data_recovery.exe
1sass.exe
1task.exe
1344.exe
ClearWin.exe
1pros.exe
About This Analysis
This Dharma ransomware analysis is part of Elastio's comprehensive ransomware detection database. Elastio provides advanced ransomware protection and recovery solutions, helping organizations defend against and recover from ransomware attacks like Dharma.
Last updated: July 30, 2025