MyAntiSpyware


Remove Harma virus. How to restore .harma files.

Myantispyware team July 8, 2020    

What is Harma file

The .harma extension is a file extension that is used by the Harma ransomware belonging to the Crysis/Dharma family to mark files that have been encrypted. Harma ransomware is a malicious program that encrypts user files and demands a ransom for a key-decryptor pair that is necessary to decrypt the affected files. It uses a strong encryption system and a long key, which virtually eliminates the possibility of decrypting files without a key. Files encrypted with .harma extension become useless, their contents cannot be read without the key that the criminals have.

Files encrypted with .harma extension

What is Harma ransomware virus

Harma ransomware is one of the variants of Dharma/Crysis ransomware. The most common sources of infection are cracked apps and games, torrent files, freeware, Windows and Microsoft Office activators, and other similar software. Upon execution, it encrypts files using a key that is individual for each computer. Harma uses a very strong encryption system, which eliminates the possibility of determining the key, even using a supercomputer. The encryption process is very fast, and the virus can encrypt a file regardless of what it contains. Harma ransomware can encrypt almost all files that are on the computer, including those located on network drives. The only files that the virus does not encrypt are those that are necessary for the Windows OS to function normally. Below we list some types of files that can be encrypted by the ransomware:

.wm, .pdf, .css, .wp6, .svg, .png, .bc7, .docx, .wire, .desc, .xlsb, .wot, .itl, .map, .m4a, .wpw, .fsh, .ods, .hvpl, .cer, .dbf, .wp7, .wdb, .xf, .bkf, .xlk, .wma, .wgz, .psd, .x3f, .xbplate, .syncdb, .odc, .odt, .db0, .fpk, .wpd, .sr2, .d3dbsp, .srw, .z, .dwg, .dba, .accdb, .sb, .wb2, .cfr, .xls, .docm, .xwp, .litemod, .kdb, .wcf, .wps, .ncf, .esm, .wp4, .ppt, .pst, .xdl, .dxg, .wmv, .zw, .yal, .wpd, .jpeg, .1st, .nrw, .webp, .odp, .jpe, .menu, .cr2, .rtf, .iwd, .itdb, .mdf, .zip, .xlsm, .dcr, .forge, .txt, .hkdb, .blob, .arch00, .indd, .lvl, .cdr, .der, .fos, .pef, .webdoc, .xls, .3dm, .ai, .srf, .pem, .rim, .sql, .wmd, .hplg, .raf, .3fr, .xbdoc, .xlsm, .rgss3a, .qdf, .y, .wsd, .wpg, .sidd, .slm, .mrwref, .sidn, .dmp, .gho, .wmv, .xdb, .xlgc, .wotreplay, .gdb, .pptm, .jpg, .rar, .csv, .xmmap, .wdp, .qic, .mlx, .epk, .dng, .arw, .js, .wsc, .vfs0, .xld, .pak, .raw, .x3d, .erf, .mp4, .wbk, wallet, .ntl, .z3d, .xlsx, .mov, .zdb, .7z, .wbmp, .zdc, .ltx, .t13, .ybk, .wbz, .xmind, .vpk, .xar, .zi, .orf, .xyw, .3ds, .xy3, .ptx, .snx, .pkpass, .ibank, .xxx, .bsa, .odb, .vdf, .lbf, .iwi, .rwl, .bay, .bar, .tax, .lrf, .xll, .cas, .sid, .kf, .p7c, .ysp, .m2, .xyp, .ztmp, .crw, .wpt, .asset, .wpe, .sav, .wmf, .wpl, .zif, .upk, .dazip, .sie, .zabw, .wbm, .py, .r3d, .wp, .rw2, .pdd, .apk, .avi, .itm, .crt, .2bp, .ws, .psk, .t12, .mef, .w3x, .bkp, .layout, .1, .p7b, .0, .xlsx, .wmo, .wpb, .x3f, .wp5, .wps, .xpm, .wav, .doc, .rb, .bc6, .yml, .rofl, .wbc, .hkx, .mdb, .m3u, .wbd, .eps, .p12, .mpqge, .pptx, .sis, .tor, .mcmeta, .odm, .kdc, .ff, .xx, .vcf, .wri, .flv, .icxs, .mddata, .wsh, .re4, .vpp_pc, .wma, .zip, .bik, .wn

When a file is encrypted, ‘.id-USERID.[EMAIL-ADDRESS].harma’ is added at the end of its name. That is, if you had a file named ‘document.docx’, then a file with the name ‘document.docx.id-USERID.[EMAIL-ADDRESS].harma’ will appear in its place. Renaming the file, for example by deleting the added extension, changes nothing: the file remains encrypted and, as before, cannot be opened in the program with which it is associated.
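The naming scheme above is enough to measure how far the encryption reached before any cleanup or recovery starts. The following is an added example, not part of the original guide: a read-only scan that parses the ‘.id-USERID.[EMAIL-ADDRESS].harma’ suffix and the ‘FILES ENCRYPTED.txt’ note name; the sample IDs, the example.com address and the folder names are constructed.

```python
import os
import re
import tempfile
from collections import Counter

# Naming scheme from the article: <original name>.id-<USERID>.[<EMAIL-ADDRESS>].harma
HARMA_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[^.\[\]]+)"
    r"\.\[(?P<contact>[^\[\]]+)\]\.harma$",
    re.IGNORECASE,
)
RANSOM_NOTE = "files encrypted.txt"  # note name from the article, compared in lower case


def parse_harma_name(filename):
    """Split an encrypted file name into original name, ID and contact address."""
    match = HARMA_NAME.match(filename)
    return match.groupdict() if match else None


def triage(root):
    """Walk `root` without modifying anything and summarise the .harma markers."""
    report = {
        "encrypted": 0, "untouched": 0, "encrypted_bytes": 0,
        "notes": [], "ids": Counter(), "contacts": Counter(),
        "original_ext": Counter(), "dirs": Counter(),
    }
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                report["notes"].append(full)
                continue
            parsed = parse_harma_name(name)
            if parsed is None:
                report["untouched"] += 1  # candidate for immediate offline backup
                continue
            report["encrypted"] += 1
            report["encrypted_bytes"] += os.path.getsize(full)
            report["ids"][parsed["victim_id"]] += 1
            report["contacts"][parsed["contact"].lower()] += 1
            # The original extension shows which file types need recovery.
            ext = os.path.splitext(parsed["original"])[1].lower() or "(none)"
            report["original_ext"][ext] += 1
            report["dirs"][dirpath] += 1
    return report


def build_sample_tree(root):
    """Constructed sample data: only the names matter, contents are dummy bytes."""
    names = [
        "docs/document.docx.id-USERID01.[someone@example.com].harma",
        "docs/budget.xlsx.id-USERID01.[someone@example.com].harma",
        "docs/FILES ENCRYPTED.txt",
        "pics/photo.jpg.id-USERID01.[someone@example.com].harma",
        "pics/untouched.png",
        "share/report.pdf.id-USERID02.[someone@example.com].harma",
    ]
    for rel in names:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"x" * 16)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage(tmp)
        print("encrypted:", result["encrypted"], "untouched:", result["untouched"])
        print("ransom notes:", len(result["notes"]))
        print("IDs seen:", dict(result["ids"]))
        print("original types:", dict(result["original_ext"]))
```

Run `triage()` against a mounted copy or an offline disk rather than the live system, so the scan itself does not overwrite space that file recovery tools may still need.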

Currently, there are already about 34 variants of the Harma ransomware, which differ in the extension appended to the encrypted files. Each variant's extension has the form ‘.[EMAIL-ADDRESS].harma’, with a different contact email address inside the brackets.

Perhaps you found on your computer or its desktop a new file called ‘FILES ENCRYPTED.txt’, which for some reason is not encrypted. An example of such a file is given below.

Harma ransomnote

This file is very important: in addition to containing a ransom demand, it also contains information that allows you to contact the intruders. According to the message, the victim is invited to contact the attackers using the given email address. In response, the authors of the virus will give a Bitcoin address to which the ransom must be transferred. Of course, you should understand that there is no guarantee that the attackers, after receiving the ransom, will provide you with the key necessary to decrypt your files. In addition, by paying the ransom, you will push attackers to create new ransomware.

The contents of the FILES ENCRYPTED.txt file:

all your data has been locked us
You want to return?
write email EMAIL-ADDRESS

Threat Summary

Name: Harma ransomware, Harma file virus
Type: Filecoder, Ransomware, Crypto malware, File locker, Crypto virus
Encrypted files extension: .harma
Ransom note: FILES ENCRYPTED.txt
Ransom amount: $500-$1500 in Bitcoins
Detection names: Ransom:Win32/Crusis.080f4355, Trojan.Ransom.Crysis.E, Win32:RansomX-gen [Ransom], TrojWare.Win32.Crysis.D@6sd9xy, Trojan.Encoder.3953, A Variant Of Win32/Filecoder.Crysis.P, Trojan-Ransom.Crysis, W32/Crysis.W!tr.ransom, Ransom:Win32/Wadhrama, Ransom/W32.crysis.94720
Symptoms: Your files fail to open. Odd, new or missing file extensions. Files named like ‘FILES ENCRYPTED.txt’, ‘READ-ME’, ‘_open me’, ‘_DECRYPT YOUR FILES’ or ‘_Your files have been encrypted’ in every folder with an encrypted file. Ransom note in a pop-up window with the cybercriminal’s ransom demand and instructions.
Distribution methods: Spam mails that contain malicious links. Drive-by downloads from a compromised website. Social media posts (they can be used to entice users to download malicious software with a built-in ransomware downloader or click a suspicious link). Remote desktop protocol (RDP) hacking.
Removal: Harma ransomware removal guide
Decryption: Harma File Recovery Guide

 

Harma ransomware popup window

The full text of the message that appears in the Harma popup window:

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail EMAIL-ADDRESS
Write this ID in the title of your message XXXXXX
In case of no answer in 24 hours write us to theese e-mails:EMAIL-ADDRESS
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

As we have already said, Harma is not the first ransomware belonging to the Crysis/Dharma family. The fact that, to date, antivirus companies have not created a way to decrypt the files and have not found a 100% reliable way to protect users’ computers indicates the complexity of the ransomware and of the method that it uses to encrypt files. Nevertheless, you do not need to despair. There are several ways to detect and remove Harma ransomware, and there is also a chance to restore some or even all encrypted files to their original state. Below we will describe in detail how to do this.

How to remove Harma ransomware, Restore .harma files

If your files have been encrypted with the ‘.harma’ extension, then first of all you need to remove Harma ransomware and be 100% sure that there is no active ransomware on your computer, and only then proceed to restore the files. Both the ransomware removal process and the file recovery process will take a lot of time, so do not believe magical instructions that say this can be done very quickly. If one of the methods proposed below does not work for you, we definitely recommend trying another one, and trying all of them. Perhaps one of them will help you. Feel free to ask questions in the special section on our website or in the comments below. Lastly, before proceeding with the instructions, we advise you to read them carefully, and then print them or open them on a tablet or smartphone to have them always at hand.

  1. How to remove Harma ransomware virus
  2. How to decrypt .harma files
  3. How to restore .harma files
  4. How to protect your PC from Harma ransomware

How to remove Harma ransomware virus

First you need to remove the Harma ransomware autostart entries before decrypting and recovering encrypted files. Another option is to perform a full scan of the computer using antivirus software capable of detecting and removing ransomware infection.




It is very important to scan the computer for malware, as security researchers found that spyware could be installed on the infected computer along with the Harma ransomware. Spyware is a very dangerous security threat as it is designed to steal the user’s personal information such as passwords, logins, contact details, etc. If you have any difficulty removing Harma ransomware, then let us know in the comments, we will try to help you.

To remove Harma ransomware, use the steps listed below:

  • Kill Harma ransomware
  • Disable Harma ransomware Start-Up
  • Scan computer for malware

Kill Harma ransomware

Press CTRL, ALT, DEL keys together.

remove ransomnote - task manager

Click Task Manager. Select the “Processes” tab, look for a suspicious process that could be the Harma ransomware, then right-click it and select the “End Task” or “End Process” option.

Harma removal 1
A process is particularly suspicious if it is taking up a lot of memory (despite the fact that you closed all of your programs), or if its name is not familiar to you (if you are in doubt, you can always check the program by doing a search for its name in Google, Yahoo or Bing).

Disable Harma ransomware Start-Up

Select the “Start-Up” tab, look for something similar to the one shown in the example below, right-click it and select Disable.

Harma removal 2

Close Task Manager.

Scan computer for malware

Zemana Anti Malware (ZAM) can find all kinds of malware, including ransomware, as well as a variety of Trojans, viruses and rootkits. After the detection of the Harma crypto malware, you can easily and quickly delete it.

Download Zemana Free from the link below.

Zemana AntiMalware
Author: Zemana Ltd
Category: Security tools
Update: July 16, 2019

Once the downloading process is complete, close all applications and windows on your machine. Double-click the set up file called Zemana.AntiMalware.Setup. If the “User Account Control” dialog box pops up as displayed in the following example, click the “Yes” button.

Zemana Anti Malware uac

It will open the “Setup wizard” which will help you install Zemana Anti Malware on your machine. Follow the prompts and don’t make any changes to default settings.

Zemana Free Setup Wizard

Once install is finished successfully, Zemana will automatically start and you can see its main screen as displayed in the figure below.

Now press the “Scan” button for scanning your PC system for the Harma ransomware virus, other malicious software, worms and trojans. During the scan Zemana will locate threats present on your system.

Zemana Free locate Harma crypto malware and other security threats

After Zemana Anti Malware (ZAM) has completed scanning, it will create a list of unwanted programs and crypto malware. All found items will be marked. You can remove them all by simply clicking the “Next” button. Zemana AntiMalware (ZAM) will start to delete folders, files and registry keys related to the Harma ransomware virus. Once that process is finished, you may be prompted to reboot the machine.

In order to be 100% sure that the computer no longer has the Harma crypto malware, we recommend using the Kaspersky virus removal tool (KVRT). KVRT is a free removal tool for crypto malware, worms, spyware, trojans, adware software, PUPs and other malware.

Download Kaspersky virus removal tool (KVRT) on your machine from the link below.

Kaspersky virus removal tool
Author: Kaspersky® lab
Category: Security tools
Update: March 5, 2018

Once the download is complete, double-click on the Kaspersky virus removal tool icon. Once initialization procedure is done, you’ll see the KVRT screen as displayed below.

Kaspersky virus removal tool main window

Click Change Parameters and set a check near all your drives. Press OK to close the Parameters window. Next click Start scan button to detect the Harma ransomware and other known infections. A scan can take anywhere from 10 to 30 minutes, depending on the count of files on your computer and the speed of your system.

Kaspersky virus removal tool scanning

Once KVRT has completed scanning your PC system, a list of all items detected is created as on the image below.

Kaspersky virus removal tool scan report

Review the scan results and then click on Continue to start a cleaning task.

How to decrypt .harma files

All files with the ‘.harma’ extension are encrypted. Their contents cannot be unlocked simply by removing this extension or completely changing the filename. Unfortunately, as we already reported in this article, there is currently no way to decrypt files. The reason for this is the complexity of the encryption algorithm that the authors of Harma virus use. In principle, this is what the attackers sought. But this does not mean that you have no choice and you need to pay a ransom for your files.

Should you pay the ransom

Never pay the ransom! Every security expert will tell you this over and over. Of course, there is a chance that by paying a ransom, Harma virus authors will allow you to unlock your files, but there is no guarantee. Moreover, you should understand that when you pay a ransom, you unknowingly push the attackers to create new, even more destructive viruses.

Files encrypted by ransomware

Do not forget that besides you, thousands more people around the world have lost their files; that is, you are not alone. Antivirus companies and security experts are working on something that will allow you to decrypt .harma files. Perhaps in the future a universal method will be developed that will allow all victims to unlock all their data.

Of course, as soon as a way to decrypt the files appears, we will post a message about this in this article or on our Facebook account. Therefore, we recommend that you follow the updates.

How to restore .harma files

As we wrote above, you cannot decrypt files encrypted with Harma ransomware. But there is another way: there is a small chance to restore .harma files without decrypting them. Programs created for searching and recovering lost and deleted data can help you with this. We recommend that you use the following free programs: PhotoRec and ShadowExplorer. We want to mention two more things. First, before restoring files, you must be 100% sure that there is no ransomware on the computer. We recommend using the free malware removal tools that we examined in this article. Second, and this is very important: the less you use your computer after the ransomware infection, the higher the chance that you will be able to recover encrypted files.




Recover .harma files using Shadow Explorer

First of all, try to recover your files using a free tool called ShadowExplorer. This program will allow you to recover your files from Shadow Volume Copies. These copies are created automatically by the OS when you work with your files. Unfortunately, very often the virus automatically deletes all these copies and thus prevents the user from recovering encrypted files. Nevertheless, in some cases the ransomware cannot delete all copies, and the user gets the opportunity to quickly restore all files. Therefore, in our opinion, you should definitely try this method!

First, visit the following page, then click the ‘Download’ button in order to download the latest version of ShadowExplorer.

ShadowExplorer
Author: ShadowExplorer.com
Category: Security tools
Update: September 15, 2019

Once the downloading process is done, extract the downloaded file to a directory on your computer. This will create the necessary files as displayed on the screen below.

ShadowExplorer folder

Start the ShadowExplorerPortable program. Now select the date (2) that you wish to restore from and the drive (1) you want to recover files (folders) from as shown in the figure below.

recover encrypted files with ShadowExplorer utility

In the right panel, navigate to the file (folder) you want to recover. Right-click the file or folder and click the Export button as shown below.

ShadowExplorer restore .harma files

And finally, specify a folder (your Desktop) to save the shadow copy of encrypted file and press ‘OK’ button.


Restore .harma files with PhotoRec

Another way that really works to recover your encrypted files is to use a program named PhotoRec. It is created to recover deleted or lost files. Does the Harma ransomware block this method? Fortunately, the ransomware cannot block this method of recovering the contents of encrypted files. The more you used (moved, deleted, modified) files before infection, the greater the chance that you will be able to recover them.

Download PhotoRec on your Microsoft Windows Desktop by clicking on the link below.

PhotoRec
Author: CGSecurity
Category: Security tools
Update: March 1, 2018

When the downloading process is finished, open the directory in which you saved the file. Right-click testdisk-7.0.win and select Extract all. Follow the prompts. Next, open the testdisk-7.0 folder as shown below.

testdisk photorec folder

Double click on qphotorec_win to run PhotoRec for Microsoft Windows. It’ll display a screen as shown in the following example.

PhotoRec for windows

Choose a drive to recover as displayed on the image below.

photorec choose drive

You will see a list of available partitions. Choose a partition that holds encrypted files as displayed in the following example.

photorec choose partition

Press the File Formats button and choose the file types to recover. You can enable or disable the restore of certain file types. When this is done, press the OK button.

PhotoRec file formats

Next, click Browse button to choose where recovered documents, photos and music should be written, then press Search. We strongly recommend that you save the recovered files to an external drive.

photorec

The count of restored files is updated in real time. All restored files are written to the folder that you selected in the previous step. You can access the files even if the restore process is not finished.

When the recovery is finished, click the Quit button. Next, open the directory where the recovered files are stored. You will see contents like those in the image below.

PhotoRec - result of recovery

All restored personal files are written to the recup_dir.1, recup_dir.2 … sub-directories. If you’re searching for a specific file, you can sort your recovered files by extension and/or date/time.


How to protect your PC from Harma ransomware

Most antivirus software already has a built-in protection system against crypto malware. Therefore, if your system does not have an antivirus application, make sure you install one. As extra protection, run HitmanPro.Alert. All in all, HitmanPro.Alert is a fantastic tool to protect your PC from any ransomware. If ransomware is detected, HitmanPro.Alert automatically neutralizes the malware and restores the encrypted files. HitmanPro.Alert is compatible with all versions of Microsoft Windows OS from Windows XP to Windows 10.

HitmanPro Alert can be downloaded from the following link. Save it on your Microsoft Windows desktop.

HitmanPro.Alert
Author: Sophos
Category: Security tools
Update: March 6, 2019

Once the downloading process is done, open the folder in which you saved it. You will see an icon like below.

HitmanPro.Alert file icon

Double-click the HitmanPro.Alert desktop icon. After the tool is started, you will see a window where you can choose a level of protection, as displayed in the image below.

HitmanPro.Alert install

Now click the Install button to activate the protection.

Final words

This guide was created to help all victims of the Harma ransomware virus. We tried to give answers to the following questions: how to remove ransomware; how to recover .harma files. We hope that the information presented in this manual has helped you.

If you have questions, write to us by leaving a comment below. If you need more help with Harma related issues, go here.

 


Author: Myantispyware team

Myantispyware is an information security website created in 2004. Our content is written in collaboration with Cyber Security specialists, IT experts, under the direction of Patrik Holder and Valeri Tchmych, founders of Myantispyware.com.


Copyright © 2004 - 2024 MASW - Myantispyware.com.