A new malicious campaign emerged that conveyed the Dharma ransomware mostly target toward Italian users. The latter, also called CrySIS Ransomware, appeared for the first time in 2016 and over time has evolved into different variations and is increasingly active. As usual, Dharma is distributed as a malicious attachment in emails. In this case, the user receives an e-mail with the subject "Invoice no. 637 of 14.01.20", a link is attached to the e-mail which if clicked will take you to a OneDrive page to download a zip file called "New 2.zip document" containing two files:
a VBS script "New 2.vbs document'
an informed jpg file called "yuy7z"
If the user runs the "New 2.vbs document" VBS , several malware payloads will be installed. Furthermore, as reported by the researchers, the ransomware adds the .ROGER extension to the encrypted files and in the ransom note invites the user to contact the address sjen6293@gmail.com to receive payment information.