Gnik Ransomware is a Vicious Clone of Dharma


There is a new Dharma ransomware clone in the wild, as spotted by security researchers. The new variant is called the Gnik ransomware.

Gnik does nothing out of the ordinary when it comes to ransomware. It encrypts most files found on the system and appends new, long-form extensions to encrypted files. The new extension consists of the victim's ID string, the email used to contact the ransomware operator and the ".gnik" string.

This means that a file that was called "photo.jpg" will turn into "photo.jpg.id-[alphanumeric string].[king2022@msgden.com].gnik" once it has been encrypted.

Affected files include media, documents and databases as well as most archive file types.

The ransomware deposits its ransom demands inside a pop-up window and a plain text file called "info.txt". The pop-up window, which is the more verbose of the two, contains the following text:

YOUR FILES ARE ENCRYPTED

1024

Don't worry, you can return all your files!

If you want to restore them, write to the mail: king2022 at msgden dot com YOUR ID

If you have not answered by mail within 12 hours, write to us by another mail: king2022 at onionmail dot com

ATTENTION!

We recommend you contact us directly to avoid overpaying agents

Do not rename encrypted files.

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
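The extension layout and note filename described above are enough to build a simple triage check. The following Python script is an added example (not code from the article or from any vendor tool): it parses the ".id-[ID].[email].gnik" suffix into its fields, flags files that end in ".gnik" without following that layout, and reports whether "info.txt" is present. The file listing and the victim ID "A1B2C3D4" are constructed sample data; in practice the list would come from walking a suspect directory.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Extension layout described in the article:
#   <original filename>.id-<alphanumeric victim ID>.[<contact email>].gnik
# The only address on the page is king2022@msgden.com; the pattern accepts any
# address inside the brackets so a changed contact mailbox is still caught.
GNIK_NAME_RE = re.compile(
    r"^(?P<original>.+?)"                        # original filename, e.g. photo.jpg
    r"\.id-(?P<victim_id>[A-Za-z0-9]+)"          # victim ID string
    r"\.\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]"    # contact email in square brackets
    r"\.gnik$",
    re.IGNORECASE,
)

RANSOM_NOTE_NAME = "info.txt"  # plain-text note name given in the article


@dataclass(frozen=True)
class GnikFile:
    original_name: str
    victim_id: str
    contact_email: str


def parse_gnik_name(filename: str) -> Optional[GnikFile]:
    """Return the parsed fields if filename follows the Gnik layout, else None."""
    m = GNIK_NAME_RE.match(filename)
    if m is None:
        return None
    return GnikFile(m.group("original"), m.group("victim_id"), m.group("email"))


def triage(filenames: List[str]) -> Dict[str, object]:
    """Summarise a list of filenames (e.g. from a directory walk) for Gnik indicators."""
    encrypted: List[GnikFile] = []
    unparsed_gnik: List[str] = []  # ends in .gnik but not in the documented layout
    note_present = False
    for name in filenames:
        if name.lower() == RANSOM_NOTE_NAME:
            note_present = True
            continue
        parsed = parse_gnik_name(name)
        if parsed is not None:
            encrypted.append(parsed)
        elif name.lower().endswith(".gnik"):
            unparsed_gnik.append(name)
    return {
        "encrypted_count": len(encrypted),
        "original_names": [f.original_name for f in encrypted],
        "victim_ids": sorted({f.victim_id for f in encrypted}),
        "contact_emails": sorted({f.contact_email for f in encrypted}),
        "unparsed_gnik": unparsed_gnik,
        "ransom_note_present": note_present,
    }


# Constructed sample listing (not from a real infection); the victim ID is made up.
SAMPLE_FILENAMES = [
    "photo.jpg.id-A1B2C3D4.[king2022@msgden.com].gnik",
    "backup.sql.id-A1B2C3D4.[king2022@msgden.com].gnik",
    "archive.tar.gz.id-A1B2C3D4.[king2022@msgden.com].gnik",
    "info.txt",
    "notes.docx",
    "weird.gnik",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILENAMES).items():
        print(f"{key}: {value}")
```

The victim ID and contact address recovered from the suffix are the values worth recording during incident response, since they tie a batch of encrypted files to one campaign and are what the note tells the victim to send; the "unparsed_gnik" bucket catches files that carry the suffix but not the full layout, which is worth a manual look rather than a silent skip.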

September 14, 2022