GRIDINSOFT HELP CENTER

Crysis (Dharma) Ransomware: What it is, how it spreads via RDP, and how to recover safely

What it is

Crysis (also known as Dharma) is ransomware that typically gets in through exposed or weakly protected Remote Desktop Protocol (RDP) access, then encrypts documents, photos, and databases and demands a ransom for the decryption key. Active since 2016, it is still in use because the entry path is simple and the encryption is fast and effective, even though its activity is noisy enough that a monitored network should catch it. Learn more in our Crysis/Dharma threat guide.

How it gets in

  • RDP exposed to the internet or poorly protected (guessable passwords, no MFA, no account lockout)

  • Stolen credentials bought on underground markets

  • Unpatched servers and admin passwords reused across machines (one guessed password then opens many hosts)
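The first bullet above describes password guessing against RDP, which leaves a recognisable trail in the Windows Security log: a burst of failed logons (event 4625, LogonType 10) from one source, followed by a successful logon (event 4624, LogonType 10) from the same source. The script below is an added example, not code from this page or from GridinSoft; it runs that detection over a constructed CSV export. The column names, the five-minute window and the ten-failure threshold are assumptions to map onto your own SIEM schema and environment.

```python
"""Flag RDP password guessing that ends in a successful logon.

Added example, not part of the GridinSoft page.  The records are constructed
and modelled on Windows Security events 4625 (failed logon) and 4624 (logon)
with LogonType 10 (RemoteInteractive, i.e. RDP).  The CSV column names are an
assumption for an exported log; map them to your SIEM's field names.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"
RDP_LOGON_TYPE = "10"           # RemoteInteractive = RDP / Terminal Services
WINDOW = timedelta(minutes=5)   # assumption: sliding window per source IP
THRESHOLD = 10                  # assumption: failures in WINDOW that count as guessing


def build_sample_csv():
    """Constructed fixture (not real logs): a guessing spree, then a hit."""
    lines = ["time,event_id,logon_type,account,source_ip"]
    base = datetime(2024, 5, 1, 2, 10, 0)
    for i in range(12):                       # 12 failures in two minutes
        account = "Administrator" if i % 2 == 0 else "backup"
        stamp = (base + timedelta(seconds=10 * i)).isoformat()
        lines.append(f"{stamp},4625,10,{account},203.0.113.7")
    stamp = (base + timedelta(seconds=150)).isoformat()
    lines.append(f"{stamp},4624,10,Administrator,203.0.113.7")   # guessed it
    # Benign noise: a user mistypes twice and then logs in; a non-RDP failure.
    lines.append("2024-05-01T08:59:20,4625,10,jsmith,198.51.100.5")
    lines.append("2024-05-01T08:59:40,4625,10,jsmith,198.51.100.5")
    lines.append("2024-05-01T09:00:00,4624,10,jsmith,198.51.100.5")
    lines.append("2024-05-01T09:05:00,4625,3,svc_backup,203.0.113.7")
    return "\n".join(lines) + "\n"


def parse_events(text):
    """Parse the CSV export into dicts sorted by time."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["time"] = datetime.fromisoformat(rec["time"])
        rows.append(rec)
    return sorted(rows, key=lambda r: r["time"])


def detect_rdp_attacks(events, window=WINDOW, threshold=THRESHOLD):
    """Return (kind, source_ip, accounts, time) alerts.

    'bruteforce' fires once per source when failures within `window` reach
    `threshold`; 'success_after_bruteforce' fires on every RDP logon from a
    source that is still over the threshold, which is the signal to treat the
    account as compromised and start the isolation steps.
    """
    failures = defaultdict(deque)   # source_ip -> recent failure timestamps
    targets = defaultdict(set)      # source_ip -> accounts it tried
    flagged = set()
    alerts = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                # network/service logons are out of scope here
        src = e["source_ip"]
        recent = failures[src]
        while recent and e["time"] - recent[0] > window:
            recent.popleft()        # drop failures older than the window
        if e["event_id"] == FAILED_LOGON:
            recent.append(e["time"])
            targets[src].add(e["account"])
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("bruteforce", src, sorted(targets[src]), e["time"]))
        elif e["event_id"] == SUCCESS_LOGON and len(recent) >= threshold:
            alerts.append(("success_after_bruteforce", src, [e["account"]], e["time"]))
    return alerts


if __name__ == "__main__":
    for kind, src, accounts, when in detect_rdp_attacks(parse_events(build_sample_csv())):
        print(f"{when.isoformat()} {kind:25} {src} {','.join(accounts)}")
```

The second alert kind is the one to page on: a logon from a source that was just guessing passwords means the credential is burned, regardless of whether the lockout policy would have stopped the next attempt.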

What you may notice

  • Files won’t open and carry a new extension appended to the original name (Dharma typically adds a victim ID, a contact e-mail in square brackets, and a variant-specific extension)

  • Ransom notes dropped across many folders

  • Security tools disabled; sudden CPU/disk spikes on servers

If it hits (act fast)

  1. Isolate affected machines (pull the network cable or disable Wi-Fi; disconnect mapped drives and shares). Do not power them off if you plan to capture memory for forensics.

  2. Preserve ransom notes, logs, and a sample of encrypted files; do not wipe evidence.

  3. Check offline backups; rebuild affected hosts from clean images and restore data only once the entry point is closed.

  4. Rotate local admin, domain admin, and service-account passwords from a clean device, assuming every credential used on the affected hosts is compromised; close RDP to the internet.

  5. Engage IR/IT teams; consider reporting to authorities.
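The symptoms listed under "What you may notice" and steps 2 and 3 above both come down to the same question: which files were actually encrypted, which only look renamed, and where the ransom notes landed, so that restores can be scoped and evidence kept. The script below is an added example, not code from this page or from GridinSoft. It walks a tree read-only, matches the file-name pattern commonly documented for Dharma (original name, then ".id-<8 hex>.[<contact e-mail>].<extension>"), and confirms encryption with a byte-entropy check so that a merely renamed file is not mistaken for ciphertext. The ransom-note file names, the entropy threshold, and the sample tree (built in a temporary directory) are assumptions and constructed data.

```python
"""Triage scan for Dharma-style encrypted files and ransom notes.

Added example, not code from the GridinSoft page.  The file-name pattern is
the one commonly documented for Dharma (original name, then
".id-<8 hex>.[<contact e-mail>].<extension>"); the ransom-note names and the
entropy threshold are assumptions to extend for your case.  The sample tree is
constructed in a temporary directory so the script runs offline.
"""
import math
import os
import re
import shutil
import tempfile
from collections import Counter

DHARMA_NAME = re.compile(r"\.id-[0-9A-Fa-f]{8}\.\[[^\]]+\]\.(?P<ext>[A-Za-z0-9]+)$")
RANSOM_NOTE_NAMES = {"files encrypted.txt", "info.hta"}   # assumption: extend per variant
ENTROPY_MIN = 7.5        # assumption: bits per byte; ciphertext sits near 8.0
SAMPLE_BYTES = 4096      # only read the head of each file; never write


def shannon_entropy(data):
    """Bits of entropy per byte: ~8.0 for ciphertext, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_tree(root):
    """Walk `root` read-only and bucket what looks encrypted, renamed, or a note."""
    findings = {"encrypted": [], "renamed_low_entropy": [], "notes": [],
                "extensions": Counter()}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            match = DHARMA_NAME.search(name)
            if match:
                with open(path, "rb") as fh:
                    entropy = shannon_entropy(fh.read(SAMPLE_BYTES))
                if entropy >= ENTROPY_MIN:
                    findings["encrypted"].append(path)
                    findings["extensions"][match.group("ext").lower()] += 1
                else:     # name matches but content is plain: decoy or partial run
                    findings["renamed_low_entropy"].append(path)
            elif name.lower() in RANSOM_NOTE_NAMES:
                findings["notes"].append(path)
    return findings


def build_sample_tree(root):
    """Constructed fixture, not victim data: two ciphertext files, one decoy, one note."""
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    tag = ".id-1A2B3C4D.[restore@example.com].dharma"
    with open(os.path.join(docs, "Q3-report.xlsx" + tag), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))          # stands in for ciphertext
    with open(os.path.join(root, "photo.jpg" + tag), "wb") as fh:
        fh.write(os.urandom(SAMPLE_BYTES))
    with open(os.path.join(docs, "readme.txt" + tag), "w") as fh:
        fh.write("plain text that was only renamed\n" * 50)
    with open(os.path.join(docs, "FILES ENCRYPTED.txt"), "w") as fh:
        fh.write("all your data has been encrypted\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("untouched file\n")


def run_demo():
    """Build the fixture in a temp dir, triage it, clean up, return findings."""
    root = tempfile.mkdtemp(prefix="dharma-triage-")
    try:
        build_sample_tree(root)
        return triage_tree(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    result = run_demo()
    print(f"{len(result['encrypted'])} encrypted, extensions {dict(result['extensions'])}")
    print(f"{len(result['notes'])} ransom note(s), "
          f"{len(result['renamed_low_entropy'])} renamed but readable")
```

Run it from a clean workstation against a mounted copy or image of the affected volume, not on the live host; the script opens files read-only, but the point of step 2 is to avoid touching the evidence at all until it has been preserved.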

Prevent it

  • Remove internet-facing RDP or lock it down: put it behind a VPN with MFA, allowlist source IPs, and enable Network Level Authentication. A non-default port only cuts noise from mass scanners; it is not a control on its own.

  • Patch OS/apps; disable unused remote access.

  • Enforce MFA and least privilege for admins; set an account lockout policy so password guessing stalls.

  • Use reputable EDR/anti-malware and email/web filtering.

  • Keep offline, tested backups and practice restores.
