July 5, 2021 — Acronis

Threat analysis: Dharma (CrySiS) ransomware

  • Dharma has been known since 2016 as the CrySiS ransomware family
  • Dharma employs a ransomware-as-a-service (RaaS) model
  • The analyzed sample was discovered in early March 2021, and contains the debug string c:\crysis\release\pdb\payload.pdb — pointing to CrySiS as the parent ransomware family
  • This variant of Dharma ransomware appends a .biden file extension

Attack vector

Dharma ransomware (a.k.a. CrySiS) is used in targeted attacks, and is delivered by cybercriminals manually through Remote Desktop Protocol (RDP) connections, typically by exploiting leaked or weak credentials.

Deobfuscation and runtime linking

Once launched, the malware uses the RC4 encryption algorithm to decrypt strings with the names of the imported functions. The RC4 key size is 128 bytes:


The decrypted strings are used to obtain the addresses of imported functions during runtime linking.

The same encryption algorithm (RC4) is used to decrypt the strings necessary for code execution.


To run as a 32-bit process on any platform, Dharma disables WOW64 file system redirection by calling Wow64DisableWow64FsRedirection().

The malware then copies its original file to the Windows %System% folder, preserving the original file name:


To automatically start on system boot, Dharma specifies the path to its file in the autorun key of the system registry:


<original_file_name>.exe = %System%\<original_file_name>.exe

It also reads the values of the “Startup” parameter of the following keys in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]

and determines the path to the Startup folder. Then, it copies its original file there:

%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\<original_file_name>.exe

Next, Dharma determines the name of another Startup folder by reading the value of the parameter “Common Startup” in the following keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]

and copies its file to this folder:

%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\<original_file_name>.exe
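As an added triage example (not code from the Acronis analysis), the Python function below correlates the three persistence artifacts just described: a copy of the executable under %System%, an autorun value pointing at that copy, and copies in the two Startup folders. The host inventory is constructed, with %AppData% and %ProgramData% expanded for an assumed user named victim.

```python
import ntpath

# Locations named in the analysis, with environment variables expanded for an
# assumed default install (C:\Windows\System32, profile of a user named "victim").
SYSTEM_DIR = r"C:\Windows\System32"
STARTUP_DIRS = [
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup",
]

def _norm(path: str) -> str:
    """Case-fold and normalise separators so paths from different sources compare."""
    return path.replace("/", "\\").strip('"').lower()

def dharma_persistence(files: list, run_values: dict) -> dict:
    """files: executable paths found on the host; run_values: Run-key value name -> data.
    Flags each .exe basename showing the layout described above: a copy under %System%
    that an autorun value points to, plus a copy in at least one Startup folder."""
    dirs_by_name = {}
    for f in files:
        directory, base = ntpath.split(_norm(f))
        if base.endswith(".exe"):
            dirs_by_name.setdefault(base, set()).add(directory)
    autorun_targets = {_norm(v) for v in run_values.values()}
    hits = {}
    for base, dirs in dirs_by_name.items():
        system_copy = ntpath.join(_norm(SYSTEM_DIR), base)
        startup_copies = [s for s in STARTUP_DIRS if _norm(s) in dirs]
        if system_copy in autorun_targets and _norm(SYSTEM_DIR) in dirs and startup_copies:
            hits[base] = {"autorun_target": system_copy, "startup_copies": len(startup_copies)}
    return hits

# Constructed host inventory; "invoice.exe" is a made-up dropper name, not the real sample.
FILES = [
    r"C:\Windows\System32\invoice.exe",
    r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.exe",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\invoice.exe",
    r"C:\Windows\System32\notepad.exe",
    r"C:\Program Files\Vendor\agent.exe",
]
RUN_VALUES = {
    "invoice.exe": r"C:\Windows\System32\invoice.exe",   # value named after the file, as Dharma does
    "Agent": r"C:\Program Files\Vendor\agent.exe",
}

if __name__ == "__main__":
    print(dharma_persistence(FILES, RUN_VALUES))
```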


Dharma creates mutexes with the following names to ensure that only one instance of ransomware is running in the system:



Dharma determines the Windows version. If the version is lower than Windows Vista, the malware exits. It also checks for the presence of the mutexes mentioned above. If no mutexes have been created, it exits.

To unlock database files, Dharma first attempts to stop the following database services:

  • FirebirdGuardianDefaultInstance
  • FirebirdServerDefaultInstance
  • sqlwriter
  • mssqlserver
  • sqlserveradhelper

It also tries to stop any processes with the following names:

  • 1c8.exe
  • 1cv77.exe
  • outlook.exe
  • postgres.exe
  • mysqld-nt.exe
  • mysqld.exe
  • sqlservr.exe

After that, the ransomware starts cmd.exe and sends it, through a pipe, a command that sets the “Windows-1251” code page. Dharma also deletes file backups (Volume Shadow Copies) using the vssadmin tool:

mode con cp select=1251

vssadmin delete shadows /all /quiet
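Added detection example, not part of the original write-up: a small Python matcher that flags the two command lines above in process-creation events and reports hosts where shadow copies were deleted. The records are constructed Sysmon-style JSON, and the field names Computer, ParentImage and CommandLine are assumptions.

```python
import json
import re

# Command lines the write-up attributes to Dharma (both are launched through cmd.exe).
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.IGNORECASE)
CODEPAGE_1251 = re.compile(r"\bmode\s+con\s+cp\s+select\s*=\s*1251\b", re.IGNORECASE)

def classify(event: dict) -> list:
    """Return the indicator names one process-creation event matches."""
    cmd = event.get("CommandLine", "")
    switches = {tok.lower() for tok in cmd.split()}
    hits = []
    if SHADOW_DELETE.search(cmd):
        hits.append("shadow_copy_deletion")
        if {"/all", "/quiet"} <= switches:       # the exact switches seen in the sample
            hits.append("all_quiet_flags")
    if CODEPAGE_1251.search(cmd):
        hits.append("codepage_1251")             # weak alone, telling next to shadow deletion
    if hits and event.get("ParentImage", "").lower().endswith("\\cmd.exe"):
        hits.append("spawned_by_cmd")            # matches the cmd.exe pipe described above
    return hits

def triage(lines: list) -> dict:
    """Collect hits per host from JSON log lines; report hosts with shadow-copy deletion."""
    per_host = {}
    for line in lines:
        ev = json.loads(line)
        for h in classify(ev):
            per_host.setdefault(ev["Computer"], set()).add(h)
    return {host: sorted(h) for host, h in per_host.items() if "shadow_copy_deletion" in h}

# Constructed sample records (Sysmon event 1 style, reduced to the fields used here).
SAMPLE_LOG = [
    r'{"Computer":"WS01","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"mode con cp select=1251"}',
    r'{"Computer":"WS01","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"vssadmin delete shadows /all /quiet"}',
    r'{"Computer":"WS02","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"vssadmin list shadows"}',
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```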


Dharma performs the following actions in separate threads:

  • Searches for and terminates the processes, and stops the services, described earlier.
  • Gets the serial number of the system disk using GetVolumeInformationW(). A SHA1 hash is then calculated over the serial number, and the resulting hash is used as the key for RC4 encryption.
  • Encrypts files in four threads.
  • Performs a recursive search for files on all logical drives, checking whether they are located in %WinDir%.
  • Searches for all available network resources and tries to encrypt files in public shares.
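The RC4 string decryption described under “Deobfuscation and runtime linking” and the SHA1-of-volume-serial key from the list above, as one added Python example that is not code from the sample or from Acronis. The 128-byte key, the ciphertexts and the serial are constructed here, and hashing the serial as a 4-byte little-endian DWORD is an assumption; the write-up does not state the encoding.

```python
import hashlib
import struct

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def volume_key(serial: int) -> bytes:
    """RC4 key derived as the analysis describes: SHA1 of the volume serial number.
    Assumption: the DWORD from GetVolumeInformationW is hashed as 4 little-endian bytes."""
    return hashlib.sha1(struct.pack("<I", serial)).digest()

def decrypt_strings(key: bytes, blobs: list) -> list:
    """Decrypt a table of RC4-obfuscated, NUL-terminated API name strings."""
    return [rc4(key, b).split(b"\0", 1)[0].decode("ascii") for b in blobs]

# Constructed demo data: a 128-byte key (the key size seen in the sample) and
# ciphertexts produced with it here. Neither is taken from the real binary.
DEMO_KEY = bytes(range(128))
API_NAMES = ["Wow64DisableWow64FsRedirection", "GetVolumeInformationW"]
DEMO_BLOBS = [rc4(DEMO_KEY, name.encode() + b"\0") for name in API_NAMES]

if __name__ == "__main__":
    print(decrypt_strings(DEMO_KEY, DEMO_BLOBS))
    print(volume_key(0x1234ABCD).hex())        # 20-byte SHA1 digest used as the RC4 key
```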

File encryption

Dharma first builds a list of files on the victim's computer to encrypt, excluding those in %WinDir%. The ransomware also skips files with the following names and extensions:









File encryption is performed with AES-256 in CBC mode using a 256-bit encryption key as well as a 128-bit initialization vector, which are generated separately for each file. Key generation is done using pseudo-random values based on the current timestamp, SHA1 hashing, and RC4 algorithm.

To load the master public RSA key, Dharma decrypts the modulus and exponent values from its body.

RSA modulus:

Exponent: 65537 (0x10001)

The RSA_pub_key_new() function is then used to import the master public RSA key:

The generated 256-bit file key (AES) is encrypted with the master public 1024-bit key (RSA).

Presumably, SHA1 hashing is used to verify the integrity of the loaded RSA key data.

Dharma encrypts files with the following extensions:

.1cd, .3ds, .3fr, .3g2, .3gp, .7z, .accda, .accdb, .accdc, .accde, .accdt, .accdw, .adb, .adp, .ai, .ai3, .ai4, .ai5, .ai6, .ai7, .ai8, .anim, .arw, .as, .asa, .asc, .ascx, .asm, .asmx, .asp, .aspx, .asr, .asx, .avi, .avs, .backup, .bak, .bay, .bd, .bin, .bmp, .bz2, .c, .cdr, .cer, .cf, .cfc, .cfm, .cfml, .cfu, .chm, .cin, .class, .clx, .config, .cpp, .cr2, .crt, .crw, .cs, .css, .csv, .cub, .dae, .dat, .db, .dbf, .dbx, .dc3, .dcm, .dcr, .der, .dib, .dic, .dif, .divx, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm, .dotx, .dpx, .dqy, .dsn, .dt, .dtd, .dwg, .dwt, .dx, .dxf, .edml, .efd, .elf, .emf, .emz, .epf, .eps, .epsf, .epsp, .erf, .exr, .f4v, .fido, .flm, .flv, .frm, .fxg, .geo, .gif, .grs, .gz, .h, .hdr, .hpp, .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .indd, .ini, .iqy, .j2c, .j2k, .java, .jp2, .jpc, .jpe, .jpeg, .jpf, .jpg, .jpx, .js, .jsf, .json, .jsp, .kdc, .kmz, .kwm, .lasso, .lbi, .lgf, .lgp, .log, .m1v, .m4a, .m4v, .max, .md, .mda, .mdb, .mde, .mdf, .mdw, .mef, .mft, .mfw, .mht, .mhtml, .mka, .mkidx, .mkv, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mpv, .mrw, .msg, .mxl, .myd, .myi, .nef, .nrw, .obj, .odb, .odc, .odm, .odp, .ods, .oft, .one, .onepkg, .onetoc2, .opt, .oqy, .orf, .p12, .p7b, .p7c, .pam, .pbm, .pct, .pcx, .pdd, .pdf, .pdp, .pef, .pem, .pff, .pfm, .pfx, .pgm, .php, .php3, .php4, .php5, .phtml, .pict, .pl, .pls, .pm, .png, .pnm, .pot, .potm, .potx, .ppa, .ppam, .ppm, .pps, .ppsm, .ppt, .pptm, .pptx, .prn, .ps, .psb, .psd, .pst, .ptx, .pub, .pwm, .pxr, .py, .qt, .r3d, .raf, .rar, .raw, .rdf, .rgbe, .rle, .rqy, .rss, .rtf, .rw2, .rwl, .safe, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql, .sr2, .srf, .srw, .ssi, .st, .stm, .svg, .svgz, .swf, .tab, .tar, .tbb, .tbi, .tbk, .tdi, .tga, .thmx, .tif, .tiff, .tld, .torrent, .tpl, .txt, .u3d, .udl, .uxdc, .vb, .vbs, .vcs, .vda, .vdr, .vdw, .vdx, .vrp, .vsd, .vss, .vst, .vsw, .vsx, .vtm, .vtml, .vtx, .wb2, .wav, .wbm, .wbmp, .wim, .wmf, .wml, .wmv, .wpd, .wps, .x3f, .xl, .xla, .xlam, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xsd, .xsf, .xsl, .xslt, .xsn, .xtp, .xtp2, .xyze, .xz, .zip

When encrypting a file, Dharma creates a new file named according to the following structure:


For example:


The structure of the encrypted file:

If the file is larger than 1 MB, it is only partially encrypted: the ransomware encrypts just three chunks of 0x40000 bytes.

Ransom note

Dharma extracts ransom notes from itself and saves them in Startup folders:

%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

The note appears as follows:

Dharma also creates a text file in the root folder of the system drive:


with the following content:

Detection by Acronis

The Dharma ransomware is successfully detected by Acronis.


Unfortunately, the employed encryption scheme with symmetric (AES-256-CBC) and asymmetric encryption (RSA-1024) doesn’t leave victims a chance of decrypting the files without paying a ransom. Dharma ransomware establishes persistence by copying itself to Startup folders and adding references to the autorun keys, and it terminates database processes and services in order to unlock database files. These techniques help attackers to enact more serious damage on infected systems.


MD5: 36f3b91b2a6a25482768e7d2879d1f1d

SHA-1: f3333282887287bafa487c211cfda4cbe88c4811


SHA-256: e3ed533612d8066345c6fe7831a4db770ba3a2c5833bad0f27abe545eefaceb8