
Dharma is advanced ransomware that has been observed in the wild since 2016. It is considered to be the second most profitable RaaS operation by the FBI. The malware targets hospitals and state organizations, encrypts files, and demands a payment to restore access to lost information.

Type: Ransomware
Origin: Unknown
First seen: 24 August, 2017
Last seen: 26 September, 2025


IOCs

IP addresses
185.20.187.20
87.97.126.177
98.4.227.199
70.173.46.139
96.227.122.123
24.122.228.88
50.104.186.71
67.0.74.119
189.236.218.181
75.132.35.60
72.179.242.236
189.160.217.221
188.27.6.170
173.187.170.190
173.173.77.164
203.106.195.139
197.160.20.211
73.210.114.187
173.187.103.35
98.116.62.242
Hashes

Domains
ketotoken.com
dreamneeds.info
gteesrd.com
bayfrontbabyplace.com
gayjeans.com
aa8520.com
fisioservice.com
hamptondc.com
crazzysex.com
golphysi.com
dsooneclinicianexpert.com
buynewcartab.live
eatatnobu.com
281clara.com
europartnersplus.com
jicuiquan.net
hannan-football.com
hanferd.com
cdpogo.net
bestmedicationstore.com
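As an added example (not part of the ANY.RUN page or its tooling), the following Python script matches a subset of the IP addresses and domains listed above against constructed proxy and DNS log lines. The IoC values are copied from the list above; the log lines, the internal client addresses and the `scan_line` / `scan_logs` functions are constructed for illustration. Subdomains of a listed domain are treated as matches, which is the usual choice when the IoC is a registrable domain, while a hostname that merely ends in the same characters (for example `notketotoken.com`) is not.

```python
import ipaddress
import re

# Subset of the IoCs listed on this page (IP addresses and domains attributed to Dharma).
DHARMA_IPS = {
    "185.20.187.20", "87.97.126.177", "98.4.227.199", "70.173.46.139",
    "96.227.122.123", "24.122.228.88", "50.104.186.71", "67.0.74.119",
}
DHARMA_DOMAINS = {
    "ketotoken.com", "dreamneeds.info", "gteesrd.com", "bayfrontbabyplace.com",
    "gayjeans.com", "aa8520.com", "fisioservice.com", "hamptondc.com",
}

# Dotted-quad candidates and DNS-style hostnames; IP candidates are validated before lookup.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return True


def matching_domain(hostname, iocs):
    """Return the IoC domain that hostname equals or is a subdomain of, else None."""
    host = hostname.lower().rstrip(".")
    for domain in iocs:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def scan_line(line, ips=DHARMA_IPS, domains=DHARMA_DOMAINS):
    """Return the (kind, ioc) pairs found in one log line, without duplicates."""
    hits = []
    for candidate in IP_RE.findall(line):
        if _is_ipv4(candidate) and candidate in ips and ("ip", candidate) not in hits:
            hits.append(("ip", candidate))
    for host in HOST_RE.findall(line):
        domain = matching_domain(host, domains)
        if domain and ("domain", domain) not in hits:
            hits.append(("domain", domain))
    return hits


def scan_logs(lines, ips=DHARMA_IPS, domains=DHARMA_DOMAINS):
    """Return (line_number, line, hits) for every line containing at least one IoC."""
    results = []
    for number, line in enumerate(lines, start=1):
        hits = scan_line(line, ips, domains)
        if hits:
            results.append((number, line, hits))
    return results


# Constructed sample log lines (proxy and DNS); not taken from the page.
SAMPLE_LOGS = [
    "2025-09-26T10:00:01Z dns query client=10.0.0.17 qname=cdn.ketotoken.com type=A",
    "2025-09-26T10:00:03Z proxy allow src=10.0.0.17 dst=185.20.187.20:443 method=CONNECT",
    "2025-09-26T10:00:05Z dns query client=10.0.0.17 qname=update.microsoft.com type=A",
    "2025-09-26T10:00:07Z proxy allow src=10.0.0.22 dst=203.0.113.7:443 method=CONNECT",
    "2025-09-26T10:00:09Z dns query client=10.0.0.31 qname=notketotoken.com type=A",
]

if __name__ == "__main__":
    for number, line, hits in scan_logs(SAMPLE_LOGS):
        print(f"line {number}: {hits}")
```

On the sample input only the first two lines are reported: the DNS query for a subdomain of `ketotoken.com` and the proxy CONNECT to `185.20.187.20`. A real deployment would load the full IoC list from a feed rather than embedding it, and would also key on the hash column once it is available.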

What is Dharma ransomware?

Dharma is a ransomware-type malware: a malicious program that encrypts files and demands a ransom to restore access to them. Dharma, a member of the CrySIS family, has been around since August 2017, targeting organizations such as hospitals. It has earned attackers over $25 million in ransom payments.

General description of Dharma ransomware

Dharma is considered to be advanced ransomware that uses strong encryption. As a new variant of the CrySIS family, it was first spotted in the wild in 2017. It is operated by an unknown cyber gang that has managed to remain mostly in the shadows to this day. CrySIS was offered as a RaaS (Ransomware-as-a-Service), meaning that “clients” could use it if they purchased the ransomware from the attackers. In other words, those who purchase the malware carry out the actual attacks rather than the original creators.

Threat actors renamed CrySIS to Dharma after decryption keys for CrySIS were leaked in late 2016. That was the first but not the only time somebody published the decryption keys; it was, however, the only time the attackers renamed the malware and re-branded the product.

Some researchers believe that Dharma is one of the most popular RaaS offerings out there right now. The popularity of this ransomware is partly due to the constant updates that the attackers have been rolling out throughout the years it has been active.

In fact, there were instances where three new versions of the malware were reported during the same week. In addition, Dharma proved to be very adaptive, changing distribution channels as the underground community moved from mass spam emails to more targeted attacks in 2018 and 2019.

Another factor that contributed to the popularity of Dharma is its flexibility. Although the ransom amount is usually set to one Bitcoin, it can be customized depending on the victim profile. This means that for smaller organizations that can’t pay this much (mind you, Bitcoin cost almost 20,000 USD in 2017), the payment amount can be lowered.

Although not unique to this malware, this flexibility and customization greatly enhanced its effectiveness. In fact, the FBI named Dharma the second most profitable ransomware operation.

Now, despite all of the above, Dharma has never really been available to the general public. The only places it could be found were inconspicuous underground forums. At least, until recently.

In late 2019, the source code of Dharma was observed being put up for sale for 2,000 USD.

This worried many researchers, as some predicted that putting the source code up for sale would result in somebody uploading it to the public internet. If ransomware as advanced as Dharma gets into the hands of a mass audience, we could be in for a lot of trouble.

It should also be noted that in 2019 researchers reported new ransomware called Phobos, which has almost the same code as Dharma. Although some speculated that this could be another rebranding, Dharma samples are still being found about as often as Phobos samples.

Dharma malware analysis

A video recorded in the ANY.RUN interactive malware hunting service shows how the execution of this ransomware unfolds from the victim’s point of view.

Figure 1: Displays the execution process of the Dharma ransomware. This graph was generated by ANY.RUN.

Figure 2: Displays the Dharma ransomware ransom note.

Dharma ransomware execution process

The execution process of the Dharma ransomware is relatively typical for this type of malware, similar to WannaCry. After the executable file makes its way onto the victim's system and runs, the main malicious activity begins: the ransomware first deletes shadow copies, then encrypts all targeted files, and finally drops a ransom note on the desktop.
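The shadow-copy deletion step is the most reliable point in that sequence for a defender to detect, because it happens before encryption starts and needs a command line that legitimate software rarely issues. As an added example (not code from the ANY.RUN page or its sandbox), the following Python script runs that check over constructed process-creation records in the shape of Sysmon Event ID 1 or Windows 4688. The page only says that Dharma "deletes shadow copies" and does not name the command, so the patterns below are an assumption: they cover the common shadow-copy removal techniques ransomware families in general use (MITRE ATT&CK T1490). The events, host names, paths and the `sample.exe` file name are constructed.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Windows 4688), fields simplified."""
    ts: str
    host: str
    image: str
    cmdline: str
    ancestors: tuple = ()   # parent image, then grandparent, as recorded by the EDR


# Assumption: command lines that delete or shrink Volume Shadow Copies. The page does not
# state which of these Dharma uses; these are the techniques commonly seen across ransomware.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin_delete", re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)),
    ("vssadmin_resize", re.compile(r"vssadmin(?:\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy", re.compile(r"wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_wmi", re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I)),
]

# Directories an ordinary user can write to; a shadow-copy deletion whose ancestry
# includes a binary from one of these is far more suspicious than an admin's console.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop)|Temp|ProgramData)\\", re.I)


def classify(event):
    """Return the technique name matched by the command line, or None."""
    for name, pattern in SHADOW_DELETE_PATTERNS:
        if pattern.search(event.cmdline):
            return name
    return None


def score_event(event):
    """Base score for any deletion, raised for user-writable ancestry and quiet/bulk flags."""
    score = 60
    if any(USER_WRITABLE.search(path) for path in event.ancestors):
        score += 30
    if re.search(r"/(?:all|quiet)\b", event.cmdline, re.I):
        score += 10
    return score


def detect_shadow_copy_deletion(events):
    """Return alerts for every matching event, highest score first."""
    alerts = []
    for event in events:
        technique = classify(event)
        if technique is None:
            continue
        alerts.append({
            "ts": event.ts, "host": event.host, "technique": technique,
            "score": score_event(event), "cmdline": event.cmdline,
        })
    return sorted(alerts, key=lambda alert: -alert["score"])


# Constructed sample events: one benign listing, two deletions launched from a binary in
# AppData (the ransomware-like chain), and one storage resize from an admin's console.
SAMPLE_EVENTS = [
    ProcEvent("2025-09-26T09:14:02Z", "ws-17", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin list shadows",
              (r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe")),
    ProcEvent("2025-09-26T09:14:31Z", "ws-17", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin delete shadows /all /quiet",
              (r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\AppData\Roaming\sample.exe")),
    ProcEvent("2025-09-26T09:14:32Z", "ws-17", r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic shadowcopy delete",
              (r"C:\Windows\System32\cmd.exe", r"C:\Users\alice\AppData\Roaming\sample.exe")),
    ProcEvent("2025-09-26T11:02:10Z", "srv-backup", r"C:\Windows\System32\vssadmin.exe",
              "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=20GB",
              (r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe")),
]

if __name__ == "__main__":
    for alert in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(alert["score"], alert["host"], alert["technique"], alert["cmdline"])
```

The scoring separates the two cases a SOC actually has to tell apart: the `ws-17` deletions spawned from a binary in a user profile score 100 and 90, while the backup server's storage resize from an interactive console scores 60 and can be triaged as likely administrative. Sandbox output such as the process graph in Figure 1 is the quickest way to confirm which of these command lines a given Dharma sample really issues before tuning the patterns.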

Dharma ransomware distribution

Dharma has been observed using multiple distribution methods, but the following three are the most common.

  • Targeted emails with malicious attachments or links.
  • Use of compromised legitimate software, often antiviruses.
  • Targeted campaigns that abuse the RDP protocol.

Out of the three distribution channels, spam email campaigns are the most straightforward. It is also the method threat actors relied on the most during the first years of the malware's operation, launching widespread campaigns and relying on the sheer number of potential recipients.

However, as users and organizations became more educated about the dangers of cyberattacks, spam emails lost effectiveness. Dharma operators quickly adapted and resorted to the other two methods for payload delivery.

Another method that Dharma is known to use is bundling the payload with real, compromised software. For example, some attacks involved targeted email campaigns that contained a download link. What made these attacks stand out is that, upon clicking the link, the payload would be downloaded along with a compromised legitimate program. The program would then launch an installer designed to hold the victim's attention while the malicious executable ran in the background.

Finally, the last common distribution method is through the use of compromised RDP. RDP is a protocol developed by Microsoft used to establish a connection between multiple PCs over a network. It’s a completely legitimate protocol that technicians use to carry out remote technical support, among other uses. However, if a session becomes compromised, it gives hackers the ability to download and execute the malicious file as long as they have access to the remotely connected PC.
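Because the RDP channel relies on an attacker already holding a valid session, the useful defender-side check is on the logon events themselves rather than on the payload. As an added example (not code from the ANY.RUN page), the following Python script scans a constructed key=value rendering of Windows Security events 4624 (successful logon) and 4625 (failed logon) and flags RDP sessions (logon type 10) that originate from outside the RFC 1918 ranges or that succeed after a burst of failures. The event format, the `detect_rdp_abuse` function, the host name `srv-fs1`, the user names and the source addresses are all constructed; the address ranges treated as internal are an assumption to adjust to the organisation's own plan.

```python
import ipaddress
from collections import defaultdict

# Assumption: RFC 1918 ranges are "internal"; adjust to the organisation's address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

RDP_LOGON_TYPE = "10"  # Windows logon type 10 = RemoteInteractive, i.e. an RDP session


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_event(line):
    """Parse one constructed key=value line into a dict of event fields."""
    return dict(part.split("=", 1) for part in line.split())


def detect_rdp_abuse(lines, fail_threshold=5):
    """Flag successful RDP logons from external addresses or after repeated failures."""
    failures = defaultdict(int)   # (source ip, user) -> failed RDP logons since last success
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("logon_type") != RDP_LOGON_TYPE:
            continue                  # network, batch and service logons are out of scope
        key = (ev["src"], ev["user"])
        if ev["eid"] == "4625":       # failed logon: count it against the source/user pair
            failures[key] += 1
            continue
        if ev["eid"] != "4624":       # only successful logons are scored
            continue
        reasons = []
        if not is_internal(ev["src"]):
            reasons.append("external_source")
        if failures[key] >= fail_threshold:
            reasons.append(f"{failures[key]}_failures_before_success")
        if reasons:
            alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                           "src": ev["src"], "reasons": reasons})
        failures[key] = 0             # a success ends the current failure run
    return alerts


# Constructed sample events: six failures then a success from a documentation-range
# address, a normal internal help-desk session, a non-RDP logon, and an external success.
SAMPLE_EVENTS = (
    [f"ts=2025-09-26T02:1{i}:00Z host=srv-fs1 eid=4625 logon_type=10 user=admin src=198.51.100.23"
     for i in range(6)]
    + [
        "ts=2025-09-26T02:17:00Z host=srv-fs1 eid=4624 logon_type=10 user=admin src=198.51.100.23",
        "ts=2025-09-26T08:30:00Z host=srv-fs1 eid=4624 logon_type=10 user=helpdesk src=10.0.0.5",
        "ts=2025-09-26T09:05:00Z host=srv-fs1 eid=4624 logon_type=3 user=svc-backup src=203.0.113.9",
        "ts=2025-09-26T09:40:00Z host=srv-fs1 eid=4624 logon_type=10 user=contractor src=203.0.113.9",
    ]
)

if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_EVENTS):
        print(alert["ts"], alert["user"], alert["src"], ", ".join(alert["reasons"]))
```

Two alerts come out of the sample: the `admin` session that succeeded after six failures from an external address, and the `contractor` session that is external but had no failures. The help-desk session from `10.0.0.5` and the type 3 network logon are ignored. Feeding an alert's source address into the IoC matcher is the natural next step, since an RDP source reused across victims is exactly the kind of value that ends up in lists like the one at the top of this page.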

Conclusion

Dharma is dangerous ransomware. Since 2017 its popularity has only been growing, and its continued use indicates that members of the underground hacking community see it as a reliable option. Given that even the FBI considers Dharma to be one of the most effective malware families in its class, it’s no wonder that this malware is in demand.

However, even more worrying is that, despite all the attention Dharma has been getting over the years, the creators of this ransomware have managed to continually evade researchers and evolve the ransomware along the way.

Although decryptors do exist for some versions of Dharma, the only reason they could be created is that somebody from the inside leaked master keys. Apart from these instances, little progress has been made to crack the encryption algorithm used by Dharma.

And now, with the source code appearing for sale, we run the risk of it popping up on the global Internet, which can spawn a new, massive wave of Dharma attacks.

Keeping this in mind, researchers should take the time to study Dharma's behavior in order to carefully prepare for potential attacks. Thankfully, ANY.RUN provides all the necessary tools to carry out Dharma analysis in a secure online environment.
