
Dharma is advanced ransomware that has been observed in the wild since 2016. It is considered to be the second most profitable RaaS operation by the FBI. The malware targets hospitals and state organizations, encrypts files, and demands a payment to restore access to lost information.

Type: Ransomware
Origin: Unknown
First seen: 24 August, 2017
Last seen: 16 July, 2024

What is Dharma ransomware?

Dharma is ransomware-type malware: a malicious program that encrypts files and demands a ransom to restore access to them. Dharma, a member of the CrySIS family, has been around since August 2017, targeting organizations such as hospitals. It has earned attackers over $25 million in ransom payments.

General description of Dharma ransomware

Dharma is considered to be advanced ransomware that uses strong encryption. As a new variant of the CrySIS family, it was first spotted in the wild in 2017. It was operated by an unknown cyber gang that has managed to remain mostly in the shadows to this day. CrySIS was offered as a RaaS (Ransomware-as-a-Service), meaning that “clients” could use it if they purchased the ransomware from the attackers. As a result, those who purchase the malware carry out the actual attacks rather than the original creators.

Threat actors changed the name to Dharma after decryption keys for CrySIS were leaked in late 2016. That was the first, but not the only, time somebody published the decryption keys; it was, however, the only time the attackers renamed the malware and re-branded the product.

Some researchers believe that Dharma is one of the most popular RaaS malware out there right now. The popularity of this ransomware is partly due to the constant updates that attackers have been rolling out throughout the years it was active.

In fact, there were instances where three new versions of the malware were reported during the same week. In addition, Dharma proved to be very adaptive, changing distribution channels as the underground community moved from mass spam emails to more targeted attacks in 2018 and 2019.

Another part that contributed to the popularity of Dharma is its flexibility. Although the ransom amount is usually set to one Bitcoin, it can be customized depending on the victim profile. This means that for smaller organizations that can’t pay this much (mind you, Bitcoin cost almost 20,000 USD in 2017), the payment amount can be lowered.

Although not unique to this malware, this flexibility and customization greatly enhanced its effectiveness. In fact, the FBI named Dharma the second most profitable ransomware operation.

Now, despite all of the above, Dharma has never really been available to the general public. The only places it could be found were inconspicuous underground forums. At least, until recently.

In late 2019, the source code of Dharma was observed being put for sale for 2,000 USD.

This made many researchers worried, as some predicted that putting the source code up for sale would result in somebody uploading it to the public internet. If ransomware as advanced as Dharma gets into the hands of a mass audience, we could be in for a lot of trouble.

It should also be noted that in 2019 researchers reported new ransomware called Phobos, whose code is almost identical to Dharma's. Although some speculated that this could be another rebranding, new Dharma samples are still being found about as often as Phobos samples.

Dharma malware analysis

A video recorded in the ANY.RUN interactive malware hunting service shows how the execution of this ransomware unfolds from the victim’s point of view.

Figure 1: Execution process of the Dharma ransomware. This graph was generated by ANY.RUN.

Figure 2: The Dharma ransomware ransom note.

Dharma ransomware execution process

The execution process of the Dharma ransomware is fairly typical for this type of malware and resembles that of WannaCry. Once the executable file makes its way onto a system and runs, the main malicious activity begins: the ransomware first deletes shadow copies so that files cannot be restored from them, then encrypts all targeted files, and finally drops a ransom note on the desktop.
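The shadow-copy deletion followed by a ransom note on the desktop is the sequence a detection rule can key on. The following is an added example, not ANY.RUN's code: it runs over constructed process and file-event log lines, correlates the two stages per host, and only alerts when both occur within a time window. The log format, the note file name and the exact deletion commands (vssadmin / wmic) are assumptions, not details taken from the page.

```python
import re
from datetime import datetime, timedelta

# Command lines that delete Volume Shadow Copies (assumed tooling, typical for ransomware recovery inhibition).
SHADOW_DELETE = re.compile(
    r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)
# Assumed ransom-note shape: a .txt or .hta file written to a user's Desktop; the name is constructed.
NOTE_DROP = re.compile(r"\\Desktop\\[^\\]+\.(?:txt|hta)$", re.I)
# Simplified, constructed log line format: <ts> host=<h> event=proc|file cmd|path="..."
LINE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<ev>proc|file) (?:cmd|path)="(?P<arg>[^"]*)"$')

# Constructed sample telemetry: WS01 shows the full chain, WS02 and WS03 show only one benign-looking half.
SAMPLE_LOG = r"""
2024-07-16T10:01:09Z host=WS01 event=proc cmd="payload.exe"
2024-07-16T10:01:10Z host=WS01 event=proc cmd="vssadmin.exe delete shadows /all /quiet"
2024-07-16T10:01:11Z host=WS01 event=proc cmd="wmic shadowcopy delete"
2024-07-16T10:03:40Z host=WS01 event=file path="C:\Users\bob\Desktop\RESTORE-FILES.txt"
2024-07-16T10:05:00Z host=WS02 event=proc cmd="vssadmin.exe list shadows"
2024-07-16T10:05:30Z host=WS02 event=file path="C:\Users\ann\Desktop\notes.txt"
2024-07-16T10:06:00Z host=WS03 event=proc cmd="vssadmin delete shadows /all"
"""


def parse(line):
    """Parse one log line into a dict with a datetime timestamp, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text, window=timedelta(minutes=10)):
    """Return (host, note_path) pairs where a shadow-copy deletion is followed by a note drop within `window`.

    Assumes the log is in chronological order; a deletion alone or a Desktop text file alone does not alert.
    """
    first_delete = {}  # host -> timestamp of the first shadow-copy deletion seen
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        if ev["ev"] == "proc" and SHADOW_DELETE.search(ev["arg"]):
            first_delete.setdefault(ev["host"], ev["ts"])
        elif ev["ev"] == "file" and NOTE_DROP.search(ev["arg"]):
            t0 = first_delete.get(ev["host"])
            if t0 is not None and t0 <= ev["ts"] <= t0 + window:
                alerts.append((ev["host"], ev["arg"]))
    return alerts
```

Running `detect(SAMPLE_LOG)` flags only WS01; widening `window` trades fewer missed slow encryptions for more noise from unrelated Desktop writes.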

Dharma ransomware distribution

Dharma has been observed using multiple distribution methods, but the following three are the most common.

  • Targeted emails with malicious attachments or links.
  • Use of compromised legitimate software, often antiviruses.
  • Targeted campaigns that abuse the RDP protocol.

Out of the three distribution channels, spam email campaigns are the most straightforward. It is also the method threat actors relied on most during the first years of the malware's operation, launching widespread campaigns and counting on the sheer number of potential recipients.

However, as users and organizations became more educated about the dangers of cyberattacks, spam emails lost effectiveness. Dharma operators quickly adapted and resorted to the other two methods for payload delivery.

The second method that Dharma is known to use is bundling the payload with real, compromised software. For example, some attacks involved targeted email campaigns that contained a download link. What made these attacks stand out is that upon clicking the link, the payload would be downloaded along with a compromised legitimate program. The program would then launch an installer designed to hold the victim's attention while the malicious executable ran in the background.

Finally, the last common distribution method is through the use of compromised RDP. RDP is a protocol developed by Microsoft used to establish a connection between multiple PCs over a network. It’s a completely legitimate protocol that technicians use to carry out remote technical support, among other uses. However, if a session becomes compromised, it gives hackers the ability to download and execute the malicious file as long as they have access to the remotely connected PC.

Conclusion

Dharma is dangerous ransomware. Since 2017 its popularity has been only growing, and continued use indicates that members of the underground hacking community see it as a reliable option. Given that even the FBI considers Dharma to be one of the most effective malware in its class, it’s no wonder that this malware is in demand.

However, even more worrying is that despite all the attention Dharma has received over the years, the creators of this ransomware have managed to evade researchers while continually evolving the ransomware along the way.

Although decryptors do exist for some versions of Dharma, the only reason they could be created is that somebody from the inside leaked master keys. Apart from these instances, little progress has been made to crack the encryption algorithm used by Dharma.

And now, with the source code appearing for sale, we run the risk of it popping up on the global Internet, which can spawn a new, massive wave of Dharma attacks.

Keeping this in mind, researchers should take the time to study Dharma's behavior carefully in order to prepare for potential attacks. Thankfully, ANY.RUN provides all the necessary tools to carry out Dharma analysis in a secure online environment.
