New iteration of the notorious Dharma ransomware discovered using Bip extension
Researchers have uncovered what appears to be a new variant of the notorious Crysis/Dharma ransomware that attaches the .Bip extension to encrypted files. Ransomware researcher Michael Gillespie first tweeted about the new file-encrypting malware this week after samples were uploaded to his ID-Ransomware site. Jakub Kroustek, malware analyst and threat intelligence team lead at Avast, later confirmed that some of the newly discovered samples were a new variant of the ransomware.
In the past, attackers distributed the ransomware by hacking Remote Desktop Services and manually installing it. However, the distribution method for the new variant is still unknown.
After the ransomware is installed, it scans the computer for data files to encrypt and locks them down, appending a .bip extension to each one. All shadow volume copies on the computer are also deleted to prevent the victim from recovering unencrypted versions of the files from them.
The ransomware also encrypts mapped network drives, shared virtual machine host drives and unmapped network shares if the network shares are not protected with access permissions.
Two ransom notes are created on the computer. The first, Info.hta, is launched automatically by an autorun entry when the user logs in. The second, named FILES ENCRYPTED.txt, is placed on the desktop. Both ransom notes instruct the victim to email the attacker for further payment instructions and demand payment in Bitcoin.
Every time the victim logs in to their computer, the ransomware starts automatically and encrypts any newly created files. Bleeping Computer notes that there is currently no way for victims of the Bip ransomware to decrypt their files for free, other than restoring from a backup or attempting to recover them from Shadow Volume copies if the ransomware failed to delete them.
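The behaviours described above (files renamed with a .bip extension, the Info.hta and FILES ENCRYPTED.txt notes being dropped) are the observable artefacts a defender can alert on. The following is an added detection example, not code from the article or from any of the researchers named in it; the event-log format, the host names and the 60-second/5-rename threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the article: the .bip extension appended to
# encrypted files and the two ransom note file names it drops.
BIP_EXT = ".bip"
RANSOM_NOTES = {"info.hta", "files encrypted.txt"}

# Constructed sample of file-system events (not real telemetry), one per line:
# <ISO timestamp> <host> <create|rename> <full path>
SAMPLE_EVENTS = r"""
2018-05-10T09:00:01 ws01 rename C:\Users\a\Documents\budget.xlsx.bip
2018-05-10T09:00:02 ws01 rename C:\Users\a\Documents\report.docx.bip
2018-05-10T09:00:03 ws01 rename C:\Users\a\Pictures\holiday.jpg.bip
2018-05-10T09:00:04 ws01 rename Z:\shared\contracts.pdf.bip
2018-05-10T09:00:05 ws01 rename Z:\shared\invoices.xlsx.bip
2018-05-10T09:00:09 ws01 create C:\Users\a\Desktop\FILES ENCRYPTED.txt
2018-05-10T09:00:10 ws01 create C:\Users\a\AppData\Roaming\Info.hta
2018-05-10T09:30:00 ws02 rename C:\Users\b\notes.txt.bak
2018-05-10T09:31:00 ws02 rename C:\Users\b\old.docx.bip
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (create|rename) (.+)$")

def parse_events(text):
    """Parse the constructed event format into (timestamp, host, action, path)."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            ts, host, action, path = m.groups()
            events.append((datetime.fromisoformat(ts), host, action, path))
    return events

def detect_bip_activity(text, window=timedelta(seconds=60), threshold=5):
    """Alert on ransom note drops and on bursts of .bip renames per host.
    A single .bip rename (ws02) is ignored; a burst within the window is not."""
    alerts, renames = [], defaultdict(list)
    for ts, host, action, path in parse_events(text):
        name = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if action == "create" and name in RANSOM_NOTES:
            alerts.append((host, "ransom_note", name))
        elif action == "rename" and name.endswith(BIP_EXT):
            renames[host].append(ts)
    for host, times in renames.items():
        times.sort()
        start = 0  # sliding window over sorted rename timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((host, "bip_rename_burst", end - start + 1))
                break
    return alerts
```

Because the burst check fires on the first few renames, an alert of this kind can isolate a host before the mapped and unmapped network shares mentioned above are reached.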