Header

A new variant of the Dharma Ransomware was released this week that appends the .brrr extension to encrypted files. This variant was first discovered by Jakub Kroustek who tweeted a link to the sample on VirusTotal.

Below I have outlined how this ransomware infects a computer, what happens when your files become encrypted, and how to protect yourself.

Unfortunately, there is no way to decrypt files infected with the Dharma Brrr Ransomware variant for free. For those who wish to discuss this ransomware or receive support, you can use our dedicated Dharma Ransomware Support & Help topic.

Distributed through hacked Remote Desktop Services

The Dharma Ransomware family, including this Brrr variant, is manually installed by attackers who hack into Remote Desktop Services connected directly to the Internet. These attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.

There are also underground sites that sell known credentials for publicly accessible computers running remote Remote Desktop Services that attackers can buy.

Once they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.

How the Brrr Dharma Ransomware encrypts a computer

When the Brrr ransomware variant is installed on a computer, it will scan it for files and encrypt them. When encrypting a file it will append an extension in the format of .id-[id].[email].brrr. For example, a file called test.jpg would be encrypted and renamed to test.jpg.id-BCBEF350.[paydecryption@qq.com].brrr.

It should be noted that this ransomware will encrypt mapped network drives, shared virtual machine host drives,  and unmapped network shares. So it is important to make sure your network's shares are locked down so that only those who actually need access have permission.

You can see an example of a folder encrypted by the Brrr Ransomware variant below.

Files encrypted with the Dharma Brrr Ransomware Variant
Files encrypted with the Dharma Brrr Ransomware Variant

When encrypting files, the ransomware will create two different ransom notes on the infected the computer. One is the Info.hta file, which is launched by an autorun when a user logs into the computer.  The HTML version of the ransom note can be seen below.

Dharma Brrr Ransom Note
Dharma Brrr Ransom Note

The other note is called FILES ENCRYPTED.txt and can be found on the desktop.

Brrr Text Ransom Note
Brrr Text Ransom Note

Both of these ransom notes contain information on what happened to the victim's files and how to contact paydecryption@qq.com in order to get payment instructions.

Finally, the ransomware will configure itself to automatically start when you login to Windows. This allows it to encrypt new files that are created since it was last executed.

Once again, at this time there is no way to decrypt files infected with the Dharma Brrr Ransomware variant for free. For those who wish to discuss this ransomware or receive support, you can use our dedicated Dharma Ransomware Support & Help topic.

How to protect yourself from the Dharma Brrr Ransomware

In order to protect yourself from Dharma, or from any ransomware, it is important that you use good computing habits and security software. First and foremost, you should always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

As the Dharma Ransomware is typically installed via hacked Remote Desktop services, it is very important to make sure its locked down correctly. This includes making sure that no computers running remote desktop services are connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

It is also important to setup proper account lockout policies so that it makes it difficult for accounts to be brute forced over Remote Desktop Services.

You should also have security software that incorporates behavioral detections to combat ransomware and not just signature detections or heuristics.  For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following good online security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent you them,
  • Scan attachments with tools like VirusTotal.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you use have some sort of security software installed.
  • Use hard passwords and never reuse the same password at multiple sites.
  • If you are using Remote Desktop Services, do not connect it directly to the Internet. Instead make it accessibly only via a VPN.

For a complete guide on ransomware protection, you visit our How to Protect and Harden a Computer against Ransomware article.
 

Related Articles:

The Week in Ransomware - September 21st 2018 - Beer, Airports, & Dharma

Gamma, Bkp, & Monro Dharma Ransomware Variants Released in One Week

Romanian Woman Admits Involvement in Hacking Attack On Washington Police Computers

The Week in Ransomware - September 14th 2018 - Kraken, Dharma, & Matrix

New Fox Ransomware Matrix Variant Tries Its Best to Close All File Handles

IOCs

Hash:

SHA256: 2220f804dcfc86a2529b6f36d6f23da4baaaba964ed7daed9f427b372fede18b

Associated Files:

%AppData%\[ransomware_file_name].exe
%AppData%\Info.hta
FILES ENCRYPTED.txt

Associated Registry Entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ransomware_file_name].exe" "%AppData%\[ransomware_file_name].exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run %AppData%\Roaming\Info.hta" mshta.exe "%AppData%\Roaming\Info.hta"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run [ransomware_file_name].exe" "%AppData%\[ransomware_file_name].exe"

Brrr Dharma Ransomware FILES ENCRYPTED.txt Ransom Note:

all your data has been locked us
You want to return?
write email paydecryption@qq.com

Brrr Associated Emails:

paydecryption@qq.com

Brrr Dharma Ransomware INFO.hta Ransom Note:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paydecryption@qq.com
Write this ID in the title of your message [id]
In case of no answer in 24 hours write us to theese e-mails:paydecryption@qq.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. 
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.) 
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price. 
https://localbitcoins.com/buy_bitcoins 
Also you can find other places to buy Bitcoins and beginners guide here: 
http://www.coindesk.com/information/how-can-i-buy-bitcoins/ 
Attention!
Do not rename encrypted files. 
Do not try to decrypt your data using third party software, it may cause permanent data loss.