Today, Michael Gillespie noticed what appeared to be a new variant of the Crysis/Dharma Ransomware uploaded to his ID-Ransomware site. Jakub Kroustek then discovered some samples to confirm that it was indeed a new Dharma variant. This new version will append the .Bip extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Dharma is typically spread by hacking into Remote Desktop Services and manually installing the ransomware.
When the Bip ransomware variant is installed, it will scan a computer for data files and encrypt them. When encrypting a file it will append an extension in the format of .id-[id].[email].bip. For example, a file called test.jpg would be encrypted and renamed to test.jpg.id-BCBEF350.[Beamsell@qq.com].bip.
It should be noted that this ransomware will encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares. So it is important to make sure your network's shares are locked down so that only those who actually need access have permission.
You can see an example of a folder encrypted by the Bip Ransomware variant below.
When this variant encrypts a computer, it will also delete all of the shadow volume copes on the machine so that they can not be used to recover unencrypted files. It deletes them by running the vssadmin delete shadows /all /quiet command.
This ransomware will also create two different ransom notes on the infected the computer. One is the Info.hta file, which is launched by an autorun when a user logs into the computer.
The other note is called FILES ENCRYPTED.txt and can be found on the desktop.
Both of these ransom notes contain instructions to contact Beamsell@qq.com in order to get payment instructions.
Finally, the ransomware will configure itself to automatically start when you login to Windows. This allows it to encrypt new files that are created since it was last executed.
Unfortunately, at this time there is no way to decrypt files encrypted by the Bip Ransomware variant for free.
The only way to recover encrypted files is via a backup, or if you are incredibly lucky, through Shadow Volume Copies. Though Dharma does attempt to remove Shadow Volume Copies, in rare cases ransomware infections fail to do so for whatever reason. Due to this, if you do not have a viable backup, I always suggest people try as a last resort to restore encrypted files from Shadow Volume Copies as well.
For those who wish to discuss this ransomware or need support, you can use our dedicated Crysis Ransomware Help & Support Topic.
In order to protect yourself from Dharma, or from any ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.
As the Dharma Ransomware may be installed via hacked Remote Desktop services, it is very important to make sure its locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.
It is also important to setup proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services.
You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.
Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:
For a complete guide on ransomware protection, you visit our How to Protect and Harden a Computer against Ransomware article.
%UserProfile%\AppData\Roaming\Info.hta %UserProfile%\AppData\Roaming\[filename.exe] FILES ENCRYPTED.txt
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "filename.exe" = %UserProfile%\AppData\Roaming\filename.exe HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "filename.exe" = %UserProfile%\AppData\Roaming\[filename.exe] HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "mshta.exe "%UserProfile%\AppData\Roaming\Info.hta"" = mshta.exe "%UserProfile%\AppData\Roaming\Info.hta" HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "mshta.exe "C:\Windows\System32\Info.hta"" = "mshta.exe "C:\Windows\System32\Info.hta""
all your data has been locked us You want to return? write email Beamsell@qq.com
All your files have been encrypted! All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail Beamsell@qq.com Write this ID in the title of your message BCBEF350 In case of no answer in 24 hours write us to theese e-mails:Beamsell@qq.com You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. Free decryption as guarantee Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) How to obtain Bitcoins The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. https://localbitcoins.com/buy_bitcoins Also you can find other places to buy Bitcoins and beginners guide here: http://www.coindesk.com/information/how-can-i-buy-bitcoins/ Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.