Crysis (Dharma) Ransomware: What it is, how it spreads via RDP, and how to recover safely

Crysis (Dharma)

What it is

Crysis (also known as Dharma) is ransomware that sneaks in through exposed or weak Remote Desktop Protocol (RDP) access, then encrypts documents, photos, and databases and asks for a ransom to unlock them. Active since 2016, it’s still used because it’s fast, noisy, and effective. Learn more in our Crysis/Dharma threat guide.

How it gets in

  • Open or poorly protected RDP (guessable passwords, no MFA)

  • Stolen credentials bought on underground markets

  • Unpatched servers and reused admin passwords

What you may notice

  • Files won’t open and gain new extensions

  • Ransom notes dropped across many folders

  • Security tools disabled; sudden CPU/disk spikes on servers

If it hits (act fast)

  1. Isolate affected machines (unplug/disable Wi-Fi; disconnect mapped drives).

  2. Preserve ransom notes and logs—don’t wipe evidence.

  3. Check offline backups; rebuild on clean images and restore data.

  4. Rotate admin/domain passwords from a clean device; close RDP to the internet.

  5. Engage IR/IT teams; consider reporting to authorities.

Prevent it

  • Remove or lock down RDP (VPN + MFA, allowlisted IPs, non-default ports).

  • Patch OS/apps; disable unused remote access.

  • Enforce MFA and least privilege for admins.

  • Use reputable EDR/anti-malware and email/web filtering.

  • Keep offline, tested backups and practice restores.
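As an added example (not code from the page or its vendor), a small Python check for the RDP password-guessing path described under "How it gets in": a burst of failed logons from one source address followed by a successful RDP session from that same address. The event records are constructed samples; field names follow the Windows Security log (EventID 4625/4624, LogonType 10), and the thresholds are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624   # Windows Security log event IDs
REMOTE_INTERACTIVE = 10                        # LogonType 10 = an RDP session

# Constructed sample records (not from the page):
# (time, EventID, LogonType, IpAddress, TargetUserName)
SAMPLE_EVENTS = [
    ("2024-03-01T02:00:05", 4625, 3, "203.0.113.7", "administrator"),
    ("2024-03-01T02:00:06", 4625, 3, "203.0.113.7", "admin"),
    ("2024-03-01T02:00:08", 4625, 3, "203.0.113.7", "backup"),
    ("2024-03-01T02:00:09", 4625, 3, "203.0.113.7", "administrator"),
    ("2024-03-01T02:00:11", 4625, 3, "203.0.113.7", "administrator"),
    ("2024-03-01T02:00:14", 4624, 10, "203.0.113.7", "administrator"),
    ("2024-03-01T08:15:00", 4625, 3, "198.51.100.4", "jsmith"),
    ("2024-03-01T08:15:30", 4624, 10, "198.51.100.4", "jsmith"),
]


def parse(record):
    """Turn one sample tuple into a dict with a datetime for comparisons."""
    time, event_id, logon_type, ip, user = record
    return {"time": datetime.fromisoformat(time), "event_id": event_id,
            "logon_type": logon_type, "ip": ip, "user": user}


def find_rdp_bruteforce(records, min_failures=5, window=timedelta(minutes=10)):
    """Return one alert (ip, user, failure_count, success_time) for each RDP logon
    that succeeded after at least `min_failures` failures from the same IP within
    `window`. Failures are counted whatever their LogonType: with NLA enabled,
    failed RDP attempts are recorded as type 3 (network), not type 10."""
    failures = defaultdict(list)   # ip -> timestamps of recent 4625 events
    alerts = []
    for ev in sorted((parse(r) for r in records), key=lambda e: e["time"]):
        recent = [t for t in failures[ev["ip"]] if ev["time"] - t <= window]
        failures[ev["ip"]] = recent
        if ev["event_id"] == FAILED_LOGON:
            recent.append(ev["time"])
        elif ev["event_id"] == SUCCESSFUL_LOGON and ev["logon_type"] == REMOTE_INTERACTIVE:
            if len(recent) >= min_failures:
                alerts.append((ev["ip"], ev["user"], len(recent), ev["time"].isoformat()))
            failures[ev["ip"]] = []   # a success ends the guessing burst either way
    return alerts


if __name__ == "__main__":
    for ip, user, n, when in find_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"RDP logon for {user!r} from {ip} at {when} after {n} failed attempts")
```

A hit on this pattern is the moment to pull the host off the network and start the "If it hits" steps above, since encryption typically follows shortly after the operator's first interactive session.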
