.bgtx Files Virus (Dharma Ransomware) – Remove + Restore Data

.bgtx Dharma Virus – Infection Methods

Dharma ransomware is no ordinary virus, hence it uses no ordinary infection methods. The main indicator of compromise that has been detected to drop the malicious files of Dharma is reported at VirusTotal to have the following specifications to it:

SHA-256:7e623dca8a26a45440c331e383ac6ce3783d5c1bd60b91ee91ce0cc5841633e2
File size:219.5 KB

The file may be spread via different methods, but the main suspect is to be replicated via e-mail. This happens when the crooks carefully disguise an e-mail to contain a malicious attachment. Usually most attachments pretend to be .PDF or .docx files and they pose as legitimate files of great importance, for example:

• Order rejection details.
• Invoice for a purchase
• Receipt for something you may have bought.
• Important security document from your bank.
• Document from your boss or a collegue.

These e-mails are carefully made so that they appear to come from big companies, like FedEx, PayPal, LinkedIn or other big companies. Some of the e-mails pretend as If they come from a reputable person or someone on your e-mail list of contacts. The messages always urge to open the attachment as it is “very important”:

Furthermore, .bgtx Dharma virus is also detected to use a very complicated infection method, attaching russian-speaking tarets and disguising messages as some form of accounting information. The contents of the e-mails appear as if senders send some type of spreadsheet or data information that is important. The files are always attached to the message and if not, they are linked to an external Dropbox or other file-sharing account.

The crooks are also able to deliver archived files, which do contain files that pretend to be documents. When opened, they may automatically initiate connection with the payload download server or extract the payload of Dharma directly on the victim PC.

In addition to this, the .bgtx variant of Dharma ransomware may also be spread via different programs that are uploaded on low-reputation sites, such as software cracks, patches, license activators, loaders, portable versions of freeware apps and many other .exe files, so be careful and always check files before downloading them.

Dharma .bgtx Ransomware- Malicious Activity

Dharma ransomware viruses have been active for significant time and they have gained quite the name for themselves as being one of the most widespread ones. They derive from the CrySiS ransomware family with the first Dharma variant, naturally carrying the .dharma file suffix it used to append to the files and the variant itself was decryptable. But the Dharma makers did not stop there and have now released a lot of other variants of the malware, most of which are not decryptable. Some of these variants can be seen below:

• Dharma .wallet variant.
• Dharma .arena variant.
• Dharma .cezar variant(used to make this version).
• Dharma .arrow variant.
• Dharma .onion version.
• Dharma .java virus.
• Dharma .block variant.
• Dharma .cobra variant.
• Dharma .bip variant (latest before .combo)
• Dharma v2 variant (a strange one).

And now we come to this point, where the current Dharma variant uses the .bgtx file extension which it ads to the encrypted files alongside a new e-mail address.

After an infection with the .bgtx Dharma variant occurs, not much is changed in the malicious actions the virus performs on your computer:

• Creation of several mutexes.
• Creating value strings with custom data in Windows Registry Editor.
• Deleting bakckups and shadow copy files.
• Scheduling tasks to run maliciou files or it’s ransom note on startup.
• Disabling restore points and system recovery.
• Changing your wallpaper.
• Modifying sysem files (touching).

Dharma .bgtx ransomware may also drop it’s malicious files under different, often random names in the commonly targeted Windows directories:

When Dharma ransomware has dropped it’s files, the malware also interferes with the Windows Registry Editor by creating registry value entries in the Run and RunOnce sub-keys of Windows Registry Editor. They have the following location:

→ HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\

When Dharma .bgtx variant creates value strings in those sub-keys, the virus adds the location of the encryption file, so finding them is a crucial step towards finding where the malicious file of the malware is located.

Dharma .bgtx ransomware may also execute a script as an administrator in Windows Command Prompt. The script aims to delete the shadow volume copies in Windows and disable any backups. It may consist of the following commands:

→ sc stop VVS
sc stop wscsvc
sc stop WinDefend
sc stop wuauserv
sc stop BITS
sc stop ERSvc
sc stop WerSvc
cmd.exe /C bcdedit /set {default} recoveryenabled No
cmd.exe /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
C:\Windows\System32\cmd.exe” /C vssadmin.exe Delete Shadows /All /Quiet

Dharma .bgtx Ransomware Virus – Encryption

When Dharma ransomware encrypts files, the virus may employ the Advanced Encryption Standard, also known as AES. The cipher uses an asymmetric key generation which produces a key that is then masked and cannot be read by the victim. The algorithm is a very tough one to decrypt as it’s classified as a Suite.B type of cipher, used by government agencies to encrypt files that are sensitive. The cipher could however be decrypted if there is a bug in the code of Dharma .bgtx that allows it do be done.

The encryption process of Dharma .bgtx ransomware begins with scanning for the specific file types the virus will encrypt. These file types include often used files, such as files with the following extensions:

“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRFEncodedFiles .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

Dharma ransomware may skip encrypting files in the folders we mentioned below, as they are system folders of Windows and the victim still needs his or her computer to pay the ransom:

• %Local%
• %Temp%
• %Windows%
• %System%
• %Program Files%
• %System32%

The encryption process itself comprises of several chain of actions that take place. To sum those up, Dharma simply creates a copy of your original file, which it encrypts and adds the .bgtx file extension plus a unique ID and the e-mail of the crooks(decrypt@fros.cc). Dharma ransomware then deletes the original file, leaving only the encrypted file, looking like the image below shows: