A new Dharma ransomware variant has been spotted in the wild. Dubbed Blm ransomware, the new threat is very dangerous as it is designed to corrupt data, delete backup files, and extort ransom payments from victims.
What is Blm Ransomware
Blm is a new member of the Dharma ransomware family. It is designed to encrypt data and demand payment from the user for its decryption. Once installed, Blm scans its host device user-generated data and looks for files the victim would find valuable, including documents, pictures, databases, and spreadsheets. Blm uses strong AES encryption algorithms to lock the target data and prevent the user from accessing it.
It's easy to spot files encrypted by Blm because the virus renames them. The ransomware follows a simple pattern: it keeps the original file name and extension, appends a victim ID in the form ".id-[string of letters and digits unique to each victim]", then the operators' contact e-mail address in square brackets, and finishes with the ".blm" extension. For example, a file named "example.docx" will be renamed to "example.docx.id-hjIOiK8687568.[email@example.com].blm".
Once the encryption process is completed, the ransomware will create a ransom note called "FILES ENCRYPTED.txt." Additionally, it will open a pop-up window that contains the same information as the text file.
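An added detection helper (not code from the original article) that parses the Blm renaming pattern described above and flags a directory listing that also contains the ransom note. The sample listing and the names `BlmFile`, `parse_blm_name` and `scan_listing` are constructed for this example; the first listing entry is the article's own example file name.

```python
import re
from typing import Optional, NamedTuple

# Blm names encrypted files <original name>.id-<victim id>.[<contact e-mail>].blm
# The victim ID is an alphanumeric run; the bracketed e-mail precedes the .blm suffix.
BLM_NAME_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[A-Za-z0-9]+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.blm$"
)
# Ransom note dropped next to the encrypted files (name taken from the article).
RANSOM_NOTE_NAME = "FILES ENCRYPTED.txt"


class BlmFile(NamedTuple):
    original: str
    victim_id: str
    email: str


def parse_blm_name(name: str) -> Optional[BlmFile]:
    """Return the parsed parts if `name` matches the Blm pattern, otherwise None."""
    m = BLM_NAME_RE.match(name)
    if not m:
        return None
    return BlmFile(m["original"], m["victim_id"], m["email"])


def scan_listing(names):
    """Summarise Blm indicators in a directory listing: encrypted files, the set of
    victim IDs seen (a single host should show exactly one), and ransom note presence."""
    encrypted = [(n, p) for n in names if (p := parse_blm_name(n)) is not None]
    return {
        "encrypted": encrypted,
        "victim_ids": {p.victim_id for _, p in encrypted},
        "ransom_note_present": any(n.lower() == RANSOM_NOTE_NAME.lower() for n in names),
    }


# Constructed sample listing; only the first entry comes from the article.
SAMPLE_LISTING = [
    "example.docx.id-hjIOiK8687568.[email@example.com].blm",
    "budget.xlsx.id-hjIOiK8687568.[email@example.com].blm",
    "notes.txt",       # untouched file
    "report.blm",      # a bare .blm suffix is not the Dharma naming pattern
    "FILES ENCRYPTED.txt",
]

if __name__ == "__main__":
    result = scan_listing(SAMPLE_LISTING)
    for name, parts in result["encrypted"]:
        print(f"{name} -> original={parts.original} id={parts.victim_id} contact={parts.email}")
    print("ransom note present:", result["ransom_note_present"])
```

Run over a real listing, a single victim ID plus the note name is the combination worth alerting on; a lone `.blm` suffix without the `.id-` segment is not matched, which keeps false positives down.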
Blm uses a rather deceptive ransom note. It informs the victim that their data has been encrypted "due to a security problem" with their devices. Although that statement is technically true, a victim who is not aware of ransomware threats and how they operate could conclude that the ransom note is a legitimate message from their security provider.
Ransom note text:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail firstname.lastname@example.org
Write this ID in the title of your message -
In case of no answer in 24 hours write us to these e-mails: email@example.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
Also you can find other places to buy Bitcoins and beginners guide here:
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
The ransom note instructs the victim to contact the ransomware operators via the firstname.lastname@example.org email address.
Victims are encouraged to contact the criminals within 24 hours. Otherwise, the price to recover their files will increase.
As there are many cases where the criminals are unable to decrypt files corrupted by their own ransomware threats, Blm's operators offer to decrypt one file to prove they are capable of restoring the files. However, their "generous" offer has limiting conditions. The victims can send one small file (1MB or less) that doesn't contain important information. This condition excludes all databases, large spreadsheets, backups, and more.
Additionally, the note warns the victim not to rename the encrypted files, as well as to refrain from using third-party decryption tools as such action will increase the price for decryption.
Currently, there are no third-party decryption tools for Blm ransomware. Even so, victims are advised against paying the ransom: payment does not guarantee results, as the criminals may simply ignore the victim once the ransom is paid.
Victims can restore their data from backups stored in the cloud or on external devices. The ransomware must be completely removed before any file-recovery operation is attempted; otherwise it could spread to the backup device and encrypt the newly recovered files as well.
How Blm Ransomware Infects Its Victims
Dharma developers have established an effective and profitable ransomware-as-a-service (RaaS) business model. As long as they can guarantee results, anyone willing to invest some time and money can buy a version of the malware and use it in individual operations.
Blm fits right into this pattern. Its operators, who likely lack the technical skill to develop malware, entered into a business relationship with malware developers to spread the threat as wide as possible.
To reach a broad spectrum of victims, criminals rely on mass-distribution techniques such as spam campaigns, pirated software, and trojans. The key to their success is their victims' naivety and carelessness.
Therefore, experts advise caution. Your vigilance can prevent most cyber infections. A reliable antivirus app could also help you protect your PC from threats.