
The Dharma ‘UNC’ Variant: A Definitive Forensic Recovery Guide

In our recovery lab today at Lockbit Decryptor, we isolated the UNC ransomware strain, identified by the .UNC extension and its Dharma-family naming pattern. Our forensic analysis confirms this is a variant of the Crysis/Dharma family, a long-standing and notoriously difficult ransomware. This variant employs a robust hybrid Salsa20 + RSA-1024 cryptosystem. Critically, our analysis indicates that this variant does not contain the known offline key vulnerabilities present in older Dharma strains, making independent decryption without the actors’ private key infeasible.


EMERGENCY TRIAGE (THE GOLDEN HOUR)

If you encounter the .UNC extension, execute these four protocols immediately to limit the blast radius:

  1. Full Network Segmentation: Immediately isolate all affected subnets. Dharma variants aggressively target mapped network shares; sever all SMB/CIFS connections to prevent the encryption of file servers and NAS devices.
  2. Hypervisor Isolation: On ESXi clusters, suspend—not power off—all guest VMs. This preserves the memory state (*.vmem and *.swp files), which may hold the unencrypted master key or intermediate cryptographic materials.
  3. Credential Flush & AD Reset: Assume the attackers have harvested credentials. Perform an emergency password reset for all privileged accounts from a pristine administration station and force-logoff all user sessions to invalidate any stolen tokens.
  4. Backup Air-Gapping: Physically disconnect all backup appliances. Dharma is designed to actively seek out and delete Volume Shadow Copies, so any connected backup is a primary target for destruction.

THREAT PROFILE & FORENSICS

Technical Specifications:

  Threat Name:  Dharma (UNC Variant)
  Platform:     Windows, VMware ESXi
  Extension:    .id-<ID>.[email].UNC
  Ransom Note:  Pop-up window, info.txt
  Contact:      cyberuncle@cyberfear.com, cyberuncle@tuta.io
  Cipher:       Salsa20 / RSA-1024
  Unique ID:    9ECFA84E (example)

File Extension Example: 1.jpg.id-9ECFA84E.[cyberuncle@cyberfear.com].UNC
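Added example (not part of the original guide or the Lockbit Decryptor toolkit): the same naming-convention triage for the NAS and ESXi datastore side, where PowerShell is usually not available. It parses the .id-<ID>.[email].UNC pattern, groups encrypted files by victim ID and counts info.txt notes; the function names, the threshold and the sample listing are constructed here, and it is read-only so it does not disturb evidence.

```python
import os
import re
from collections import defaultdict

# Dharma UNC naming from the guide: <original>.id-<8 hex>.[<email>].UNC
# (e.g. 1.jpg.id-9ECFA84E.[cyberuncle@cyberfear.com].UNC). IGNORECASE so
# differently-cased listings from a NAS or datastore are not missed.
DHARMA_UNC = re.compile(
    r"^(?P<orig>.+)\.id-(?P<vid>[0-9A-F]{8})\.\[(?P<email>[^\]]+)\]\.UNC$",
    re.IGNORECASE,
)
RANSOM_NOTES = {"info.txt"}  # ransom note file name from the threat profile


def parse_dharma_name(name):
    """Return (original_name, victim_id, contact_email), or None if not Dharma UNC."""
    m = DHARMA_UNC.match(name)
    if not m:
        return None
    return m.group("orig"), m.group("vid").upper(), m.group("email").lower()


def summarize(paths, threshold=5):
    """Group encrypted files by victim ID and count ransom notes (read-only)."""
    # Only IDs seen on more than `threshold` files are reported, the same
    # "campaign" heuristic the guide's PowerShell audit uses.
    by_id = defaultdict(lambda: {"count": 0, "emails": set()})
    notes = 0
    for path in paths:  # any iterable of paths, e.g. from os.walk() or find
        base = os.path.basename(path)
        if base.lower() in RANSOM_NOTES:
            notes += 1
            continue
        parsed = parse_dharma_name(base)
        if parsed:
            _, vid, email = parsed
            by_id[vid]["count"] += 1
            by_id[vid]["emails"].add(email)
    campaigns = {vid: d for vid, d in by_id.items() if d["count"] > threshold}
    return {"campaigns": campaigns, "ransom_notes": notes}


# Constructed sample listing (hypothetical), as a datastore might look after encryption.
SAMPLE = [f"vm01/disk-{i}.vmdk.id-9ECFA84E.[cyberuncle@cyberfear.com].UNC" for i in range(6)]
SAMPLE += ["vm01/info.txt", "vm02/ok.vmdk", "vm02/x.txt.id-ZZZZZZZZ.[a@b.c].UNC"]

if __name__ == "__main__":
    for vid, d in summarize(SAMPLE)["campaigns"].items():
        print(f"Campaign ID {vid}: {d['count']} files, contacts {sorted(d['emails'])}")
```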

Persistence Markers:

  • Windows Registry: Copies itself to %LOCALAPPDATA% and establishes persistence via HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{Random_GUID}.
  • Firewall Tampering: Modifies Windows Firewall rules to allow inbound connections and disables security notifications, hindering detection.
  • Virtualization Artifacts: The Dharma family has variants capable of targeting ESXi, encrypting VMs stored on attached datastores.

Ransom Note Text:

All your files has been encrypted!
Don't worry, you can return all your files!
If you want to restore them, contact us: cyberuncle@cyberfear.com YOUR ID -
...
Some of your data has been downloaded
In case if you refuse to cooperate all downloaded data will be transfered to third parties.
...
Do not rename encrypted files.

MATHEMATICAL VULNERABILITY ANALYSIS

Dharma variants utilize a hybrid cryptosystem. Per-file data is encrypted using the Salsa20 stream cipher. The symmetric key for Salsa20 is then encrypted using the attackers’ RSA-1024 public key.

$$\mathrm{Ciphertext} = \mathrm{Enc}_{\mathrm{Salsa20}}(K_s, P)$$
$$\mathrm{Wrapped\_Key} = \mathrm{Enc}_{\mathrm{RSA\text{-}PKCS\#1}}(PK_{\mathrm{attacker}}, K_s)$$

Cryptographic Implementation Assessment:
Our laboratory’s analysis concludes that no known implementation flaw exists in this UNC variant’s cryptographic construction. The Salsa20 cipher is secure, and the RSA-1024 key transport, while weaker than modern standards, is implemented correctly. The only path to decryption is possession of the unique, per-victim RSA private key held exclusively by the attackers. Therefore, decryption without actor cooperation is, with current technology, impossible.

IT ADMIN TOOLKIT (POWERSHELL AUDIT)

Deploy this script to conduct a thorough sweep for Dharma UNC-related IOCs across your fleet.

# Lockbit Decryptor Audit Script for Dharma UNC Variant
Write-Host "Initiating forensic sweep for Dharma UNC IOCs..." -ForegroundColor Magenta

# 1. Hunt for Files Matching the Complex Dharma Naming Convention
#    The victim ID is pulled out with a regex: BaseName.Split('.')[1] would return the
#    original extension (e.g. "jpg"), not the "id-XXXXXXXX" token, so nothing would group.
Get-ChildItem -Path C:\ -Recurse -Depth 3 -Include "*.UNC" -ErrorAction SilentlyContinue |
    Group-Object { if ($_.Name -match '\.id-([A-F0-9]{8})\.\[[^\]]+\]\.UNC$') { $Matches[1] } else { 'unparsed' } } |
    Where-Object { $_.Name -ne 'unparsed' -and $_.Count -gt 5 } |
    ForEach-Object { Write-Host "Potential Dharma Campaign Detected: ID '$($_.Name)' affecting $($_.Count) files." }

# 2. Locate Ransom Notes (-Filter, not -Name: -Name is a switch that only changes the output format)
Get-ChildItem -Path "$env:USERPROFILE\Desktop", "C:\Users\Public\Desktop" -Filter "info.txt" -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "Ransom Note Found: $($_.FullName)" -ForegroundColor Red }

# 3. Check for Persistence via Run Keys in User Profile
#    Dharma copies itself to %LOCALAPPDATA%; the Run value normally stores the expanded
#    path rather than the literal variable, so both forms are matched.
$RunKey = "HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
$LocalAppData = [Environment]::GetFolderPath('LocalApplicationData')
(Get-Item -Path $RunKey -ErrorAction SilentlyContinue).Property | ForEach-Object {
    $Value = Get-ItemPropertyValue -Path $RunKey -Name $_
    if ($Value -match '%LOCALAPPDATA%' -or $Value -like "$LocalAppData*") {
        Write-Output "Run Key: $_ = $Value"
    }
}

RECOVERY PATHWAYS & CTA

Contrasting Recovery Strategies:

  • Professional Key Reconstruction (Not Viable): Unlike older Dharma strains, this UNC variant does not have an offline key vulnerability. Lockbit Decryptor cannot reconstruct the key without access to the attackers’ private key.
  • Data Exfiltration Assessment: The actors claim to have stolen data. Our forensic services can analyze network logs and system artifacts to validate or refute this claim, which is critical for regulatory and legal reporting obligations.
  • Backup Restoration (The Only Viable Path): Your only reliable path to recovery is restoring from verified, offline, immutable backups that were created prior to the infection window. All other options are non-viable.
  • FINAL RECOMMENDATION: Do not contact cyberuncle@cyberfear.com or cyberuncle@tuta.io. Negotiating with Dharma actors is financially perilous and offers no guarantee of recovery. Their double-extortion threats are designed to force payment. The only sound course of action is to accept the data loss on the infected systems and execute a comprehensive restoration from your secure backups. Contact Lockbit Decryptor for assistance with forensic preservation, data exfiltration analysis, and to be placed on a notification list should a future decryption solution become available.


Frequently Asked Questions (FAQ)

No. The cryptographic implementation is secure, and no private keys have been leaked or are otherwise available for this specific campaign. Decryption is impossible without the attackers’ direct involvement.

This is a standard tactic to build trust and validate their capability. It does not change the fact that you must pay the full ransom for any further recovery.

This is a significant concern. A forensic investigation is required to determine the scope of the data breach. Do not take the actors’ word for it. This information is crucial for compliance with data protection regulations like GDPR.

Only from backups. The encrypted .mdf, .ldf, .vmdk, and .vhdx files are permanently locked without the private key.

Dharma’s developers have historically implemented their encryption correctly. Unlike Chaos or other flawed variants, they do not make mistakes like using static keys or predictable nonces, leaving no technical weakness for researchers to exploit.

