Bip Dharma Ransomware Variant Released into the Wild

Today, Michael Gillespie noticed what appeared to be a new variant of the Crysis/Dharma Ransomware uploaded to his ID-Ransomware site. Jakub Kroustek then found samples confirming that it is indeed a new Dharma variant. This version appends the .bip extension to encrypted files. It is not known exactly how this variant is being distributed, but in the past Dharma has typically been spread by breaking into exposed Remote Desktop Services and installing the ransomware manually.

When the Bip ransomware variant is installed, it scans the computer for data files and encrypts them. Each encrypted file has an extension appended in the format .id-[id].[email].bip, where the id is a per-victim identifier and the email is the attacker's contact address. For example, a file called test.jpg would be encrypted and renamed to test.jpg.id-BCBEF350.[Beamsell@qq.com].bip.

It should be noted that this ransomware will also encrypt mapped network drives, shared virtual machine host drives and unmapped network shares. It runs with the rights of the account it is launched under, so any share that account can write to is at risk. So it is important to make sure your network's shares are locked down so that only those who actually need access have permission, and that write access in particular is not granted to everyone.

A ransom note called FILES ENCRYPTED.txt is also left on the desktop.
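The file-naming pattern and the ransom note name above are the two easiest indicators to look for when you suspect a machine or share has been hit. The following triage script is an added example (not from the original post or from BleepingComputer): it walks a directory tree, pulls the original name, victim ID and attacker email out of every .bip-renamed file, and flags any copies of FILES ENCRYPTED.txt. The sample directory it builds is constructed here so the script runs offline; the regular expression assumes the ID is eight hexadecimal characters, as in the example filename in the post.

```python
"""Triage helper: find files renamed by the Dharma .bip variant.

Added example, not code from the original post. The naming pattern and the
ransom note name come from the post; the sample directory is constructed
here so the script runs offline.
"""
import os
import re
import tempfile
from collections import Counter

# <original name>.id-<8 hex chars>.[<email>].bip  (format described in the post;
# the 8-hex-character ID is an assumption based on the example filename)
DHARMA_BIP_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<id>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]]+)\]\.bip$"
)
RANSOM_NOTE = "FILES ENCRYPTED.txt"


def parse_encrypted_name(name):
    """Return (original_name, victim_id, email) or None if not a .bip rename."""
    m = DHARMA_BIP_RE.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("id").upper(), m.group("email")


def triage_directory(root):
    """Walk root and summarise Dharma .bip indicators found under it."""
    hits = []   # (path, original_name, victim_id, email)
    notes = []  # paths of ransom notes
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname == RANSOM_NOTE:
                notes.append(os.path.join(dirpath, fname))
                continue
            parsed = parse_encrypted_name(fname)
            if parsed:
                hits.append((os.path.join(dirpath, fname),) + parsed)
    return {
        "encrypted_files": hits,
        "ransom_notes": notes,
        "victim_ids": Counter(h[2] for h in hits),
        "emails": Counter(h[3] for h in hits),
    }


def build_sample_tree():
    """Constructed sample: a temp dir mimicking a partially encrypted share."""
    root = tempfile.mkdtemp(prefix="bip_triage_")
    names = [
        "test.jpg.id-BCBEF350.[Beamsell@qq.com].bip",   # example from the post
        os.path.join("finance", "q1.xlsx.id-BCBEF350.[Beamsell@qq.com].bip"),
        "readme.txt",                                   # untouched file
        "notes.docx.bip",                               # lacks the id/email part
        RANSOM_NOTE,
    ]
    for rel in names:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x")
    return root


if __name__ == "__main__":
    summary = triage_directory(build_sample_tree())
    print(f"{len(summary['encrypted_files'])} encrypted files, "
          f"{len(summary['ransom_notes'])} ransom note(s)")
    for vid, n in summary["victim_ids"].items():
        print(f"  victim id {vid}: {n} files")
    for email, n in summary["emails"].items():
        print(f"  attacker contact {email}: {n} files")
```

Point triage_directory at the root of a share or a mounted disk image to get a count of affected files per victim ID; more than one ID on the same share usually means more than one infected host wrote to it, which matters when deciding how far the RDP compromise spread.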

It is not possible to decrypt the Dharma Bip Ransomware Variant

Unfortunately, at this time there is no way to decrypt files encrypted by the Bip Ransomware variant for free.

The only way to recover encrypted files is from a backup or, if you are incredibly lucky, from Shadow Volume Copies. Dharma does attempt to delete Shadow Volume Copies, but in rare cases a ransomware infection fails to do so for whatever reason. Because of this, if you do not have a viable backup, I always suggest trying to restore encrypted files from Shadow Volume Copies as a last resort.

Why is this important? As we know, Thailand is slower than most in patching and also rather sloppy about policies and security in its infrastructure.

This is spreading around businesses via email and, to be honest, going through some antispam solutions like a knife through warm butter.

Thanks to BleepingComputer for the main history.
