Home Articles How the New Variant of Dharma Ransomware Trick Users

How the New Variant of Dharma Ransomware Trick Users


The new Dharma Ransomware is out on the loose and is evolving with time. Read on to know more about this latest ransomware…

Over the past few months, we have observed the changing face of ransomware attacks. The malicious attackers have changed their tactics and are now heavily camouflaging their ransomware as useful tools to deceive users.

A new variant of Dharma ransomware has been found that uses a new technique to hide its malicious activities. It is masquerading as an ESET AV Remover Installer to trick users into downloading it.

Using Real Anti-Virus for Attacks
Dharma ransomware is a version of Crysis, which is another dangerous malware. Dharma encrypts user files using Asymmetric Cryptography. It is a method in which bits present inside the file are encrypted. In the Asymmetric Cryptography process, the output of encryption is text, even if the input is non-text.

Dharma ransomware uses real Anti-Virus for malware attack. In the latest attempt to cause havoc online, Dharma Ransomware is spamming users with an e-mail titled ‘MSC-ALERT-IMPORTANT!’. The e-mail contains a system corrupt warning which prompts the user to click and download an older version of ESET Antivirus.

Distribution & Working Mechanism
The new variant Dharma ransomware is distributed through the age-old spam email technique. The email comes attached with a password-protected self-extracting archive named ‘Defender.exe’. If the users click on the download link, they are prompted for a password that is provided in the message.

Once the file is unlocked, the archive drops the malicious file ‘taskhost.exe’ as well as the installer of an old version of ESET AV remover renamed as ‘Defender_nt32_enu.exe. Trend Micro researchers have identified the new version of Dharma ransomware as RANSOM.WIN32.DHARMA.THDAAAI.

Once the Dharma ransomware variant is installed, it starts encrypting files in the background and the ESET AV Remover Installation begins. The victim will see the ESET GUI screen, a distraction from Dharma’s malicious activities.

Furthermore, the installation process of ESET antivirus is in no way related to Dharma Ransomware. It is to be noted that the encryption of files due to ransomware attacks and anti-virus installations occur separately.

Users can protect themselves by following the golden steps of regularly backing up their files offline, limiting administrative access and keeping their anti-virus updated. However, most users can start by changing their password to a strong one because another ransomware called Xwo is out there to get you.

To protect your computer from file encryption ransomware such as this, use reputable antivirus and anti-spyware programs. As an extra protection method, you can use programs called HitmanPro.Alert and Malwarebytes Anti-Ransomware, which artificially implant group policy objects into the registry to block rogue programs such as Dharma ransomware.

ESET has explained that the AV Remover Installer is executed only after a user’s interaction. Hence, users should be cautious while downloading such AV software.


Please enter your comment!
Please enter your name here

− 6 = 1