Dharma

Dharma is an advanced Ransomware that has been observed in the wild since 2016. It is considered to be the second most profitable RaaS operation by the FBI. The malware targets hospitals and state organizations, encrypts files and demands a payment to restore access to lost information.

Type: Ransomware
Origin: Unknown
First seen: 24 August, 2017
Last seen: 7 August, 2020
Global rank: 27
Week rank: 22
Month rank: 26
IOCs: 210

What is Dharma Ransomware?

Dharma is ransomware-type malware: a malicious program that encrypts files and demands a ransom to restore information. Dharma, a member of the CrySIS family, has been around since August 2017. Targeting organizations such as hospitals, it managed to earn attackers over $25 million in ransom payments.

General description of Dharma Ransomware

Dharma is considered to be advanced ransomware that uses very strong encryption. As a new variant of the CrySIS family, it was first spotted in the wild in 2017. It was operated by an unknown cyber gang who managed to remain mostly in the shadows to this day. CrySIS was offered as a RaaS (Ransomware-as-a-Service), meaning that “clients” could use it if they purchased the ransomware from the attackers. In other words, it is those who purchase the malware who carry out the actual attacks, rather than the original creators.

Threat actors changed the name to Dharma after decryption keys for CrySIS were leaked in late 2016. That was the first, but not the only, time somebody published the decryption keys; it was, however, the only time the attackers renamed the malware and re-branded the product.

Some researchers believe that Dharma is one of the most popular RaaS malware out there right now. The popularity of this Ransomware is partly due to the constant updates that attackers have been rolling out throughout the years it was active.

In fact, there were instances where three new versions of the malware were reported during the same week. In addition, Dharma proved to be very adaptive, changing distribution channels as the underground community moved from mass spam emails to more targeted attacks in 2018 and 2019.

Another part that contributed to the popularity of Dharma is its flexibility. Although the ransom amount is usually set to one Bitcoin, it can be customized depending on the victim profile. This means that for smaller organizations that can’t pay this much (mind you, Bitcoin cost almost 20,000 USD in 2017), the payment amount can be lowered.

Although not completely unique to this malware, this flexibility and customization greatly enhanced its effectiveness. In fact, the FBI named Dharma the second most profitable Ransomware operation.

Now, despite all of the above, Dharma has never really been available to the general public. The only places it could be found were inconspicuous underground forums. At least, until recently.

In late 2019, the source code of Dharma was observed being put up for sale for 2,000 USD.

This made a lot of researchers worried, as some predicted that putting the source code up for sale would result in somebody uploading it to the public internet. If ransomware as advanced as Dharma gets into the hands of a mass audience, we could be in for a lot of trouble.

It should also be noted that in 2019 researchers reported new ransomware called Phobos, which has almost exactly the same code as Dharma. Although some speculated that this could be another rebranding, Dharma samples are still constantly being found about as often as instances of Phobos malware use.

Dharma malware analysis

A video recorded in the ANY.RUN interactive malware hunting service shows how the execution of this ransomware unfolds from the victim’s point of view.

Figure 1: The execution process of the Dharma ransomware. This graph was generated by ANY.RUN.

Figure 2: The Dharma ransomware ransom note.

Dharma Ransomware execution process

The execution process of the Dharma ransomware is relatively typical for this type of malware. After the executable file makes its way into an infected system and runs, the main malicious activity begins. After the start of execution, the Ransomware deletes shadow copies. After it encrypts all targeted files, Dharma drops a ransom note on the desktop.
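
The sequence described above (shadow copies deleted, files encrypted, a note dropped on the desktop) can be expressed as an ordered detection rule. The following is an added example, not part of the original analysis: the event format, the `tree` id, the thresholds and the sample events are constructed, and the commands matched are utilities commonly used on Windows to delete shadow copies, since the page does not say which one Dharma invokes.

```python
import re
from collections import defaultdict

# Utilities commonly used to delete volume shadow copies on Windows
# (assumption: the page does not name the command Dharma runs).
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)
DESKTOP_FILE = re.compile(r"\\Users\\[^\\]+\\Desktop\\[^\\]+$", re.IGNORECASE)
RENAME_BURST = 5  # constructed threshold; tune against real telemetry

# Constructed events: t = seconds, tree = hypothetical process-tree id.
SAMPLE_EVENTS = (
    [{"t": 0, "tree": "A", "kind": "proc",
      "detail": "cmd.exe /c vssadmin delete shadows /all /quiet"}]
    + [{"t": 5 + i, "tree": "A", "kind": "rename",
        "detail": rf"C:\Users\alice\Documents\report{i}.docx"} for i in range(8)]
    + [{"t": 20, "tree": "A", "kind": "create",
        "detail": r"C:\Users\alice\Desktop\note.txt"},
       # Benign: an admin only lists shadow copies, then saves a file.
       {"t": 3, "tree": "B", "kind": "proc", "detail": "vssadmin list shadows"},
       {"t": 9, "tree": "B", "kind": "create",
        "detail": r"C:\Users\bob\Desktop\todo.txt"}]
    # Benign: a backup job renames many files but never touches shadow copies.
    + [{"t": 30 + i, "tree": "C", "kind": "rename",
        "detail": rf"D:\backup\file{i}.bak"} for i in range(10)]
)

def detect(events, window=300):
    """Return tree ids showing: shadow delete -> rename burst -> Desktop file."""
    state = defaultdict(lambda: {"t0": None, "renames": 0})
    hits = []
    for ev in sorted(events, key=lambda e: e["t"]):
        s = state[ev["tree"]]
        if ev["kind"] == "proc" and SHADOW_DELETE.search(ev["detail"]):
            s["t0"], s["renames"] = ev["t"], 0      # stage 1: start the clock
        elif s["t0"] is None or ev["t"] - s["t0"] > window:
            continue                                 # no stage 1, or too late
        elif ev["kind"] == "rename":
            s["renames"] += 1                        # stage 2: mass file changes
        elif (ev["kind"] == "create" and DESKTOP_FILE.search(ev["detail"])
              and s["renames"] >= RENAME_BURST and ev["tree"] not in hits):
            hits.append(ev["tree"])                  # stage 3: note on desktop
    return hits

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

Requiring all three stages in order keeps the benign trees B and C out of the result; the shadow-copy deletion on its own is still worth alerting on, because it happens before any file is encrypted.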

Dharma Ransomware distribution

Dharma has been observed using multiple distribution methods, but the following three are the most common.

  • Targeted emails with malicious attachments or links.
  • Use of compromised legitimate software, often antiviruses.
  • Targeted campaigns that abuse the RDP protocol.

Out of the three distribution channels, spam email campaigns are the most straightforward. It is also the method that threat actors relied on the most during the first years of the malware's operation, launching widespread campaigns and relying on sheer numbers of potential recipients.

However, as users and organizations become more educated about the dangers of cyber attacks, spam emails lose effectiveness. Dharma operators quickly adapted and resorted to the other two methods for payload delivery.

Another method that Dharma is known to use is utilizing real compromised software. For example, some attacks involved targeted email campaigns that contained a download link. What made these attacks stand out is that upon clicking the link, the payload would be downloaded along with a compromised legitimate program. The program would then launch an installer designed to divert the attention of the victim while the executable file runs in the background.

Finally, the last common distribution method is through the use of compromised RDP. RDP is a protocol developed by Microsoft that is used to establish a connection between multiple PCs over a network. It’s a completely legitimate protocol which is used by technicians to carry out remote technical support, among other uses. However, if a session becomes compromised, it gives hackers the ability to download and execute the malicious file as long as they have access to the remotely connected PC.

Conclusion

Dharma is dangerous ransomware. Since 2017 its popularity has only been growing, and continued use indicates that members of the underground hacking community see it as a reliable option. Given the fact that even the FBI considers Dharma to be one of the most effective malware in its class, it’s no wonder that this malware is in demand.

However, even more worrying is the fact that despite all the attention that Dharma has been getting over the years, the creators of this ransomware managed to continually evade researchers and evolve the ransomware along the way.

Although decryptors do exist for some versions of Dharma, the only reason that they could be created is that somebody from the inside leaked master keys. Apart from these instances, little progress has been made to crack the encryption algorithm used by Dharma.

And now, with the source code appearing for sale, we run the risk of it popping up on the global internet, which can spawn a new, massive wave of Dharma attacks.

Keeping this in mind, researchers should take time to carefully study Dharma behavior to prepare for potential attacks. Thankfully, ANY.RUN provides all the necessary tools to carry out Dharma analysis in a secure online environment.

IOCs

IP addresses

No IP addresses found

Hashes
Domains

No hashes found
