I wrote this article to help you remove Dharma Ransomware. This Dharma Ransomware removal guide works for all Windows versions.

Dharma ransomware is a typical win-locker. The rogue program was recently discovered by malware researchers. Upon doing thorough analysis on Dharma ransomware, experts concluded that it is quite similar to CrySiS ransomware. This win-locker was decrypted several days ago. The developers who managed to crack the virus published the decryption keys online. As a result, CrySiS ransomware was rendered virtually useless. When taking this event into consideration, the numbers add up. The cyber criminals lost their source of income, so they were forced to make changes to the malignant program. We can only suppose that Dharma ransomware is in fact a reincarnation of CrySiS ransomware. Since win-lockers are illegal programs, the only way to know that a given virus is a later version of another infection is if the hackers have made an official statement. This is usually mentioned in the disclosure for the win-locker.

Dharma ransomware locks files using asymmetric cryptography. The clandestine program employs a combination of AES and RSA ciphers. The AES technology produces a public key which executes the encryption. Dharma ransomware targets text documents, graphics, databases, archives, audios, videos and other file types. The insidious program appends a custom extension to the names of the encrypted items. Two separate versions of Dharma ransomware have been distinguished to date. The extensions they add are .[bitcoin143@india.com].dharma and .[worm01@india.com].dharma. The RSA cipher is used to generate and encrypt a private key which the hackers store on a remote command and control (C&C) server. During the encryption, the explorer.exe process could become unresponsive.

Upon completing the encryption, Dharma ransomware drops a ransom note on the desktop. The file is titled README.txt. It explains the situation to the victims. The message states that the system is not protected, but the problem can be fixed. The user needs to contact the owners of Dharma ransomware in order to receive instructions on how to restore his files and bring his machine back to normal. The hackers have provided their email address as a form of contact. The account is included in the custom extension we mentioned above. If you send them an inquiry, they will respond by informing you what their demands are. They require users to pay a ransom. We do not know how much the amount is, but we know how the transaction needs to be handled. The owners of Dharma ransomware ask victims to transfer the requested sum in bitcoins. This cryptocurrency allows the recipient to prevent his identity and his coordinates from being exposed.

The most common way for Dharma ransomware to penetrate your computer is via a spam email. The secluded program can hide behind an attachment, like a MS Office document, a .pdf, a .txt, an image, an archive or a zipped folder. The sender behind the fake message will make the file seem important. He can state that it is a piece of relevant documentation, like a postal receipt, a bank statement, a fine for a minor violation, a utility bill or a notice from the legal authorities. A spammer can misrepresent various entities, like national posts, courier firms, banks, government institutions, police departments and district courts. To proof the reliability of a given email, check the available contacts. They should match the coordinates of the represented organization. You can visit its official website for references.

The other propagation vector for Dharma ransomware is bundling. The furtive program uses freeware applications as download clients. It merges its setup file with the host tool and tries to attain the user’s permission for getting installed in parallel with it. The win-locker will be inserted as a bonus program and selected per default. You have to locate where the option is mentioned in the terms and conditions and unmark it. It is crucial to read the end user license agreement (EULA) of the programs you intend to add to your system. To have all options listed, select the custom or advanced installation mode. The best way to avoid contacting malware is by doing research on your programs and sources of choice.

Dharma Ransomware Uninstall

Method 1: Restore your encrypted files using ShadowExplorer
Usually, Dharma Ransomware deletes all shadow copies, stored in your computer. Luckily, the ransomware is not always able to delete the shadow copies. So your first try should be restoring the original files from shadow copies.

1. Download ShadowExplorer from this link: http://www.shadowexplorer.com/downloads.html.
2. Install ShadowExplorer
3. Open ShadowExplorer and select C: drive on the left panel
4. Choose at least a month ago date from the date field
5. Navigate to the folder with encrypted files
6. Right-click on the encrypted file
7. Select “Export” and choose a destination for the original file

Method 2: Restore your encrypted files by using System Restore

1. Go to Start –> All programs –> Accessories –> System tools –> System restore
2. Click “Next“
3. Choose a restore point, at least a month ago
4. Click “Next“
5. Choose Disk C: (should be selected by default)
6. Click “Next“. Wait for a few minutes and the restore should be done.

Method 3: Restore your files using File Recovery Software
If none of the above method works, you should try to recover encrypted files by using File Recovery Software. Since Dharma Ransomware first makes a copy of the original file, then encrypts it and deletes the original one, you can successfully restore the original, using a File Recovery Software. Here are a few free File Recovery Software programs:

1. Recuva
2. Puran File Recovery
3. Disk Drill
4. Glary Undelete