Blm ransomware is yet another variant of the Dharma ransomware family. It encrypts files, appends the [firstname.lastname@example.org].blm extension to each encrypted file and drops a ransom note named FILES ENCRYPTED.txt.
Blm ransomware is file-encrypting malware that essentially locks files and prevents users from opening them. Ransomware is a serious infection because users are not always able to recover files. Once files are encrypted, a special decryptor is needed to unlock them. The cyber criminals behind the Blm ransomware will try to sell the decryption tool to victims, though the price is not mentioned in the ransom note.
Users will be able to identify the ransomware from the [email@example.com].blm extension added to encrypted files. There will also be a ransom note dropped on the computer, once the encryption is complete. The pop-up note and FILES ENCRYPTED.txt ransom note demand that victims contact the people behind this ransomware by sending an email to firstname.lastname@example.org. The note does not mention how much the decryption tool costs, only that “the price depends on how fast you write to us”. Supposedly, once payment has been made, a decryptor will be sent. However, we suggest users be skeptical. Ransomware operators aren’t exactly reliable, and there’s really not much stopping them from simply taking the money and not sending a decryptor. Many ransomware victims in the past have paid the ransom only to receive nothing in return.
Unfortunately, newer versions of Dharma ransomware cannot be decrypted for free at this moment. A free decryptor exists for older Dharma versions, but it does not work on versions released after 2017. Since Dharma’s master decryption keys have been leaked in the past, it may happen again, and if it does, malware researchers and anti-virus vendors would release a free decryptor to help victims. Because that possibility exists, victims who do not have a backup should keep a copy of their encrypted files and wait for a free decryptor rather than deleting them.
Users who do have backup can start file recovery as soon as they remove Blm ransomware. If the ransomware still remains when backup is accessed, those backed up files may become encrypted as well.
Is it possible to recover Blm ransomware encrypted files?
As soon as the ransomware is launched, it starts encrypting files. Once the process is done, users will notice that their files have a different extension. The extension contains the victim’s unique ID followed by [email@example.com].blm. For example, image.jpg becomes image.jpg.unique ID.[firstname.lastname@example.org].blm. Files carrying this extension cannot be opened until they are run through the decryptor.
Once files are encrypted, a pop-up ransom note appears and a FILES ENCRYPTED.txt note is dropped. The pop-up note contains more information: it displays the victim’s unique ID and the email address of the cyber crooks. Users who wish to purchase the decryptor are asked to email email@example.com with their ID. The ransom note does not specify the ransom sum; users would only be told the price after contacting the cyber crooks.
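The extension format described above is the quickest way to recognise a Blm infection and to work out which victim ID and contact address the note will reference. The following Python helper is an added example, not code from the original article or from any vendor: it parses file names of the shape <original name>.<victim ID>.[<attacker e-mail>].blm, counts FILES ENCRYPTED.txt notes, and summarises the victim IDs and contact addresses seen in a directory tree without reading any file contents. Two assumptions go beyond the article’s wording: the ID segment is assumed to start with “id-” (the form Dharma variants generally use) and to contain no dots or brackets, and the e-mail address is assumed to sit in square brackets directly before the final “.blm”. The sample file names at the bottom are constructed for illustration.

```python
"""Triage helper for Blm/Dharma-style encrypted file names (added example)."""
import os
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# Assumed name shape: <original>.<id-...>.[<email>].blm
# "id-" prefix and "no dots/brackets in the ID" are assumptions, not facts
# taken from the article.
BLM_NAME = re.compile(
    r"^(?P<original>.+?)"                   # original file name, e.g. image.jpg
    r"\.(?P<victim_id>id-[^.\[\]\\/]+)"     # unique victim ID (assumed "id-" prefix)
    r"\.\[(?P<email>[^\[\]]+@[^\[\]]+)\]"   # attacker contact address in brackets
    r"\.blm$",                              # the Blm extension
    re.IGNORECASE,
)

RANSOM_NOTE = "files encrypted.txt"  # compared case-insensitively


@dataclass(frozen=True)
class EncryptedFile:
    name: str        # full encrypted file name
    original: str    # name before the ransomware renamed it
    victim_id: str   # ID the ransom note asks the victim to quote
    email: str       # contact address embedded in the extension


@dataclass
class TriageReport:
    encrypted: List[EncryptedFile] = field(default_factory=list)
    ransom_notes: int = 0

    @property
    def victim_ids(self) -> Counter:
        return Counter(f.victim_id for f in self.encrypted)

    @property
    def contact_emails(self) -> Counter:
        return Counter(f.email for f in self.encrypted)

    def looks_like_blm(self) -> bool:
        """True if we saw renamed files or a dropped ransom note."""
        return bool(self.encrypted) or self.ransom_notes > 0


def parse_blm_name(name: str) -> Optional[EncryptedFile]:
    """Return the parsed parts of a Blm-renamed file, or None if it does not match."""
    m = BLM_NAME.match(name)
    if not m:
        return None
    return EncryptedFile(name, m["original"], m["victim_id"], m["email"])


def triage_names(names: Iterable[str]) -> TriageReport:
    """Classify a stream of bare file names (no filesystem access)."""
    report = TriageReport()
    for name in names:
        if name.lower() == RANSOM_NOTE:
            report.ransom_notes += 1
            continue
        parsed = parse_blm_name(name)
        if parsed is not None:
            report.encrypted.append(parsed)
    return report


def triage_directory(root: str) -> TriageReport:
    """Walk a directory tree and triage every file name found."""
    def names() -> Iterable[str]:
        for _dirpath, _dirs, files in os.walk(root):
            yield from files
    return triage_names(names())


if __name__ == "__main__":
    # Constructed sample listing, not real victim data.
    sample = [
        "image.jpg.id-1A2B3C4D.[contact@example.org].blm",
        "report.docx.id-1A2B3C4D.[contact@example.org].blm",
        "FILES ENCRYPTED.txt",
        "readme.md",
    ]
    rep = triage_names(sample)
    print(f"encrypted files: {len(rep.encrypted)}, ransom notes: {rep.ransom_notes}")
    print("victim IDs:", dict(rep.victim_ids))
    print("contact addresses:", dict(rep.contact_emails))
    for f in rep.encrypted:
        print(f"  {f.name} -> originally {f.original}")
```

Run triage_directory on a mounted image or a copied file listing to get the ID before contacting anyone or searching for a decryptor; the original name recovered here is also what a file should be renamed back to after decryption, which is why the note warns against renaming files by hand.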
Here’s the text from the pop-up ransom note:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail firstname.lastname@example.org
Write this ID in the title of your message –
In case of no answer in 24 hours write us to theese e-mails: email@example.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
According to the note, users can have one file decrypted for free, supposedly as proof that these cyber crooks can indeed decrypt files. However, users should be aware of the risks before deciding to pay the ransom. As we said, there is no guarantee that files would indeed be decrypted. Unfortunately, unless users have a backup, file recovery is not possible at this time.
Users who get infected with ransomware should find out exactly how the infection happened, to prevent it from happening again. In most cases, users pick up ransomware by opening malicious email attachments, downloading torrents, clicking on malicious ads, etc. Dharma variants are also widely documented as being deployed by hand after attackers gain access through exposed Remote Desktop (RDP) services with weak or reused passwords, so RDP exposure and password strength should be checked as well.
When it comes to unsolicited emails with attachments, users should be very careful about opening them. Cyber criminals launch spam email campaigns in order to distribute their malware, and opening the attached file is enough for the malware to run. Many such emails are sent from random email addresses and contain plenty of grammar and spelling mistakes, so users can often notice that something is not right; targeted emails, however, can be much more convincing, so a clean-looking message is no guarantee. It’s a good idea to scan email attachments with anti-virus software or VirusTotal before opening them.
Downloading torrents and software cracks is also dangerous because both torrents sites and forums are full of malware. They are not regulated properly, which allows cyber crooks to easily upload malware disguised as some kind of popular movie, TV series, game, software, etc.
Blm ransomware removal
Users should use anti-malware software to remove Blm ransomware from their computers. Unless users know exactly what they’re doing, manual Blm ransomware removal could cause even more damage. Ideally the infected machine should be disconnected from the network and from any external drives while it is cleaned, so the ransomware cannot reach shared folders or backup media. Only after the ransomware is gone should users connect their backup and start file recovery.
Blm ransomware is detected as:
- Win32:RansomX-gen [Ransom] by Avast/AVG
- A Variant Of Win32/Filecoder.Crysis.P by ESET
- Ransom.Crysis by Malwarebytes
- Trojan-Ransom.Win32.Crusis.to by Kaspersky
- Ransom:Win32/Wadhrama!hoa by Microsoft
- Ransom.Win32.CRYSIS.SM by TrendMicro