Dharma

Dharma is advanced ransomware that has been observed in the wild since 2016. It is considered to be the second most profitable RaaS operation by the FBI. The malware targets hospitals and state organizations, encrypts files, and demands a payment to restore access to lost information.

Type: Ransomware
Origin: Unknown
First seen: 24 August, 2017
Last seen: 26 January, 2023
Global rank: 33
Week rank: 16
Month rank: 19
IOCs: 432

What is Dharma ransomware?

Dharma is ransomware-type malware: a malicious program that encrypts files and demands a ransom to restore information. Dharma, a member of the CrySIS family, has been around since August 2017, targeting organizations such as hospitals. It has earned attackers over $25 million in ransom payments.

General description of Dharma ransomware

Dharma is considered to be advanced ransomware that uses powerful encryption. As a new variant of the CrySIS family, it was first spotted in the wild in 2017. It was operated by an unknown cyber gang that has managed to remain mostly in the shadows to this day. CrySIS was offered as RaaS (Ransomware-as-a-Service), meaning that “clients” could use it if they purchased the ransomware from the attackers. This means that those who purchase the malware, rather than the original creators, carry out the actual attacks.

Threat actors changed the name to Dharma after decryption keys for CrySIS were leaked in late 2016. That was the first but not the only time somebody published the decryption keys; it was, however, the only time the attackers renamed the malware and re-branded the product.

Some researchers believe that Dharma is one of the most popular RaaS malware out there right now. The popularity of this ransomware is partly due to the constant updates that attackers have been rolling out throughout the years it was active.

In fact, there were instances where three new versions of the malware were reported during the same week. In addition, Dharma proved to be very adaptive, changing distribution channels as the underground community moved from mass spam emails to more targeted attacks in 2018 and 2019.

Another factor that contributed to the popularity of Dharma is its flexibility. Although the ransom amount is usually set to one Bitcoin, it can be customized depending on the victim profile. This means that for smaller organizations that can’t pay this much (mind you, Bitcoin cost almost 20,000 USD in 2017), the payment amount can be lowered.

Although not unique to this malware, this flexibility and customization greatly enhanced its effectiveness. In fact, the FBI named Dharma the second most profitable ransomware operation.

Now, despite all of the above, Dharma has never really been available to the general public. The only places it could be found were inconspicuous underground forums. At least, until recently.

In late 2019, the source code of Dharma was observed being put up for sale for 2,000 USD.

This worried many researchers, as some predicted that putting the source code up for sale would result in somebody uploading it to the public internet. If ransomware as advanced as Dharma gets into the hands of a mass audience, we could be in for a lot of trouble.

It should also be noted that in 2019 researchers reported new ransomware called Phobos, which has almost the same code as Dharma. Although some speculated that this could be another rebranding, Dharma samples are still being found about as often as Phobos samples.

Dharma malware analysis

A video recorded in the ANY.RUN interactive malware hunting service shows how the execution of this ransomware unfolds from the victim’s point of view.

Figure 1: The execution process of the Dharma ransomware. This graph was generated by ANY.RUN.

Figure 2: The Dharma ransomware ransom note.

Dharma ransomware execution process

The execution process of the Dharma ransomware is relatively typical for this type of malware, such as WannaCry. After the executable file makes its way into an infected system and runs, the main malicious activity begins. Once running, the ransomware deletes shadow copies. After it has encrypted all targeted files, Dharma drops a ransom note on the desktop.
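Shadow-copy deletion is the earliest observable step in the sequence above, so it is a useful detection point. The following is an added example, not ANY.RUN's code: it scans process-creation events for the built-in Windows utilities commonly monitored for this behaviour. The page does not say which mechanism Dharma uses, so the rule set is an assumption, and the sample events are constructed.

```python
import re

# Assumption: the page does not name the mechanism Dharma uses. These are the
# built-in Windows utilities commonly monitored for shadow-copy removal.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)? delete shadows\b"),
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(?:\.exe)? resize shadowstorage\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)? (?:.* )?shadowcopy (?:.* )?delete\b"),
}


def normalize(command_line):
    """Lower-case, drop quotes and cmd.exe carets, collapse runs of whitespace."""
    stripped = command_line.replace('"', "").replace("^", "")
    return re.sub(r"\s+", " ", stripped).strip().lower()


def find_shadow_copy_deletion(events):
    """Return one alert per process-creation event whose command line matches a rule."""
    alerts = []
    for event in events:
        command = normalize(event.get("CommandLine", ""))
        for rule_name, pattern in RULES.items():
            if pattern.search(command):
                alerts.append({"rule": rule_name, "host": event.get("Computer"),
                               "time": event.get("UtcTime"),
                               "parent": event.get("ParentImage"), "command": command})
                break  # one alert per event is enough
    return alerts


# Constructed sample events (Sysmon Event ID 1 field names); not from a real host.
SAMPLE_EVENTS = [
    {"Computer": "ws-01", "UtcTime": "2024-01-01 10:00:01", "ParentImage": r"C:\Users\Public\sample.exe",
     "CommandLine": r"cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"Computer": "ws-01", "UtcTime": "2024-01-01 10:00:02", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\wbem\WMIC.exe"   SHADOWCOPY   Delete'},
    {"Computer": "ws-02", "UtcTime": "2024-01-01 11:30:00", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"vssadmin list shadows"},
    {"Computer": "ws-02", "UtcTime": "2024-01-01 11:31:00", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\notes\delete shadows.txt"},
]

if __name__ == "__main__":
    for alert in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(alert["host"], alert["time"], alert["rule"], "parent:", alert["parent"])
```

The parent image is kept in each alert because a shadow-copy deletion launched from a user-writable path deserves more urgency than one launched by a backup agent.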

Dharma ransomware distribution

Dharma has been observed using multiple distribution methods, but the following three are the most common.

  • Targeted emails with malicious attachments or links.
  • Use of compromised legitimate software, often antiviruses.
  • Targeted campaigns that abuse the RDP protocol.

Of the three distribution channels, spam email campaigns are the most straightforward. They are also what threat actors relied on the most during the first years of the malware's operation, launching widespread campaigns and relying on the sheer number of potential recipients.

However, as users and organizations become more educated about the dangers of cyberattacks, spam emails lose effectiveness. Dharma operators quickly adapted and resorted to the other two methods for payload delivery.

Another method that Dharma is known to use is real compromised software. For example, some attacks involved targeted email campaigns that contained a download link. What made these attacks stand out is that upon clicking the link, the payload would be downloaded along with a compromised legitimate program. The program would then launch an installer designed to divert the victim's attention while the executable file runs in the background.

Finally, the last common distribution method is through the use of compromised RDP. RDP is a protocol developed by Microsoft used to establish a connection between multiple PCs over a network. It’s a completely legitimate protocol that technicians use to carry out remote technical support, among other uses. However, if a session becomes compromised, it gives hackers the ability to download and execute the malicious file as long as they have access to the remotely connected PC.
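A defender-side check for the RDP vector described above, as an added example that is not part of the original page: it flags successful RDP logons (Security event 4624, LogonType 10) from sources outside the expected ranges and reports how many failed logons (4625) the same source produced beforehand. The expected ranges and all sample events are assumptions constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Assumption: ranges from which RDP logons are expected (LAN, VPN pool); adjust per site.
EXPECTED_RDP_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
REMOTE_INTERACTIVE = 10  # LogonType of an RDP session in Security event 4624


def is_expected_source(address):
    """True only when the address parses and falls inside an expected range."""
    try:
        ip = ip_address(address)
    except ValueError:  # empty or "-" IpAddress field
        return False
    return any(ip in network for network in EXPECTED_RDP_SOURCES)


def find_unexpected_rdp_logons(events):
    """Flag successful RDP logons from unexpected sources, with prior failure counts."""
    failures, alerts = {}, []
    for event in sorted(events, key=lambda e: e["TimeCreated"]):
        source = event.get("IpAddress", "-")
        if event["EventID"] == 4625:
            # Any logon type counts: with NLA a failed RDP attempt is commonly type 3.
            failures[source] = failures.get(source, 0) + 1
        elif (event["EventID"] == 4624 and event.get("LogonType") == REMOTE_INTERACTIVE
              and not is_expected_source(source)):
            alerts.append({"time": event["TimeCreated"], "user": event["TargetUserName"],
                           "source": source, "prior_failures": failures.get(source, 0)})
    return alerts


def sample_event(time, event_id, logon_type, user, ip):
    return {"TimeCreated": time, "EventID": event_id, "LogonType": logon_type,
            "TargetUserName": user, "IpAddress": ip}


# Constructed sample events; 203.0.113.0/24 is a documentation-only range.
SAMPLE_EVENTS = [
    sample_event("2024-01-01T02:00:05Z", 4625, 3, "admin", "203.0.113.50"),
    sample_event("2024-01-01T02:00:09Z", 4625, 3, "admin", "203.0.113.50"),
    sample_event("2024-01-01T02:00:14Z", 4625, 3, "helpdesk", "203.0.113.50"),
    sample_event("2024-01-01T02:01:30Z", 4624, 10, "helpdesk", "203.0.113.50"),
    sample_event("2024-01-01T09:15:00Z", 4624, 10, "alice", "10.1.2.3"),
    sample_event("2024-01-01T09:20:00Z", 4624, 2, "bob", "-"),
]

if __name__ == "__main__":
    print(find_unexpected_rdp_logons(SAMPLE_EVENTS))
```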

Conclusion

Dharma is dangerous ransomware. Since 2017 its popularity has only been growing, and continued use indicates that members of the underground hacking community see it as a reliable option. Given that even the FBI considers Dharma to be one of the most effective pieces of malware in its class, it’s no wonder that this malware is in demand.

Even more worrying is that, despite all the attention Dharma has been getting over the years, the creators of this ransomware have managed to evade researchers and continually evolve the ransomware along the way.

Although decryptors do exist for some versions of Dharma, the only reason they could be created is that somebody from the inside leaked master keys. Apart from these instances, little progress has been made to crack the encryption algorithm used by Dharma.

And now, with the source code appearing for sale, we run the risk of it popping up on the global Internet, which can spawn a new, massive wave of Dharma attacks.

Keeping this in mind, researchers should take time to carefully study Dharma behavior to prepare for potential attacks. Thankfully, ANY.RUN provides all the necessary tools to carry out Dharma analysis in a secure online environment.

IOCs

IP addresses

No IP addresses found

Hashes
Domains

No hashes found
