Dharma vs Karma


It's neither a new movie nor an upcoming sitcom; it's all about the new variants of Ransomware spreading in the wild. However, at the time of writing this blog post, there doesn't seem to be any relationship between the authors of these two Ransomware families. Moreover, in the past few days we have seen a rise in the number of Ransomware variants, which makes us believe:

1: Skiddies have entered the Ransomware market.
2: Open-source Ransomware, e.g. Hidden-tear, is being used to learn the tricks / tips of the trade.
3: Ransomware creation tool-kits or Ransomware as a Service might have been made available in underground networks and, hopefully, one of the friendly security / malware researchers finds it.
4: Affiliate Networks for spreading Ransomware are on the rise.

Dharma Ransomware
Like all other Ransomware, this one too encrypts files with a select set of extensions and renames them in the format mentioned below.

Extension : .dharma
Pattern   : filename.ext.[emailid].dharma

The sample detected by eScan’s PBAE technology tried to encrypt files using the [mr_lock@mail.com].dharma extension.

Karma Ransomware
Karma is similar to Dharma Ransomware, but it doesn’t add an email ID to the file extension; it simply uses .karma. Karma disguises itself as a Windows optimization program called Windows Tune-Up utility. It is also part of a Pay-Per-Install software monetization scheme, so unsuspecting victims trying to grab free software might end up getting infected by Karma.

Extension : .karma
Pattern   : filename.ext.karma
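
As an added example (not code from eScan or from the original post), the two rename patterns above can be turned into a triage check over a file listing: it identifies the family, recovers the pre-encryption file name and collects the contact address. The function names and the sample paths are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Rename patterns as given in the post:
#   Dharma: filename.ext.[emailid].dharma    Karma: filename.ext.karma
DHARMA_RE = re.compile(r"^(?P<orig>.+)\.\[(?P<email>[^\[\]\s@]+@[^\[\]\s@]+)\]\.dharma$", re.I)
KARMA_RE = re.compile(r"^(?P<orig>.+)\.karma$", re.I)

def classify(path):
    """Return (family, original_name, contact_email), or None if neither pattern matches."""
    name = PureWindowsPath(path).name  # accepts both \ and / as separators
    m = DHARMA_RE.match(name)
    if m:
        return "dharma", m.group("orig"), m.group("email").lower()
    m = KARMA_RE.match(name)
    if m:
        return "karma", m.group("orig"), None
    return None

def triage(paths):
    """Summarise a listing: hits per family and directory, contact addresses, restore map."""
    report = {"families": Counter(), "dirs": Counter(), "emails": set(), "restore": {}}
    for p in paths:
        hit = classify(p)
        if hit is None:
            continue
        family, orig, email = hit
        parent = PureWindowsPath(p).parent
        report["families"][family] += 1
        report["dirs"][str(parent)] += 1
        if email:
            report["emails"].add(email)
        # Encrypted path -> pre-encryption path, for matching against backups.
        report["restore"][p] = str(parent / orig)
    return report

# Constructed sample listing (hypothetical paths, not from a real incident).
SAMPLE = [
    r"D:\db\orders.mdf.[mr_lock@mail.com].dharma",
    r"D:\db\orders_log.ldf.[MR_LOCK@mail.com].dharma",
    r"C:\Users\demo\Documents\budget.xlsx.karma",
    r"C:\Users\demo\Documents\notes.txt",
    r"C:\Users\demo\Music\karma.mp3",
]

if __name__ == "__main__":
    r = triage(SAMPLE)
    print(dict(r["families"]), sorted(r["emails"]), r["restore"])
```

The per-directory counts show which shares or folders were hit, and the restore map gives the names to look for in backups.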

Earlier, we were used to fake anti-viruses luring users with fake reports and then convincing them to download and install their “Better than the Best Antivirus Solution”. Karma Ransomware creators/distributors are following the same track, since this is no longer an exclusive market, one which was earlier ruled by elite programmers.

Angler EK (Exploit Kit) used to distribute Locky; however, in the coming days we may observe a substantial rise in various Exploit Kits making a comeback with Ransomware as their major payload, along with other capabilities, viz. stealing information, passwords etc. However, merging these Ransomware-infected systems into a botnet is not possible for various practical reasons: after the system gets infected, all the user can do is either format the system or pay the ransom, and the first thing users do after getting infected is isolate the infected system.

The use of botnets to carry out Ransomware infection attacks, by brute-forcing their way into systems and exploiting vulnerabilities to gain execution privilege, doesn’t seem an improbable notion. We simply have to wait and watch.

PBAE Technology has protected eScan users from Dharma Ransomware, Karma Ransomware and all the other known Ransomware. Users who haven’t yet updated eScan to the latest version should do so immediately.

To know more about PBAE Technology, you may download it from here.


4 Responses to Dharma vs Karma

  1. Manish says:

    Hi this virus has impacted my Database.
    Virus has renamed the extension [mr_lock@mail.com].dharma
    I wanted to decrypt it.


    • Jeba kumar says:

      Hi Manish, Kindly contact eScan technical support team to resolve your issue on toll-free no – 1800 267 2900 or you can also mail them on support@escanav.com


  2. Ezequiel Argentina says:

    Hi, Manish, I had the same issue last week. Any news about the decrypter tool?

    Many Thanks


  3. Pingback: Security Warnings: Black Friday & Cyber Monday
