Po Ransomware Expands Dharma Family


A newly discovered ransomware named Po is the latest strain to join the already large family of ransomware clones based on the Dharma ransomware.

Po works as expected for a ransomware variant, encrypting files on the victim system. Encrypted files receive a multi-part extension containing the victim's ID string, the email used by the ransomware operator and the ".po" extension. This will make a file formerly named "document.txt" transform into "document.txt.id string.[recovery2022@tutanota.com].Po" once it has been encrypted.

Affected files include the majority of document, archive, media and database file types.

Once encryption completes, the ransomware drops a plain-text version of its ransom note inside a file named "info.txt" and also displays a pop-up window containing its ransom demands.

The ransom note in full goes as follows:



Don't worry, you can return all your files!

If you want to restore them, write to the mail: recovery2022 at tutanota dot com YOUR ID -

If you have not answered by mail within 12 hours, write to us by another mail:mr.helper at gmx dot com


We recommend you contact us directly to avoid overpaying agents

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

August 3, 2022