Why New Dharma Ransomware is More Dangerous than ever

As New Dharma Ransomware Spreads, Decryption and Recovery Become More Difficult

This week a Texas hospital became the latest organization to become a public victim of Dharma Ransomware. The latest victim is not alone. Dharma has held a steady share of the global ransomware market this year, typically between 25-50%. In the past couple of months, the number of different Dharma variants has increased dramatically.

Dharma ransomware variants observed in 2018

(Source:  @malwrhunterteam @JakubKroustek @demonslay335)

What Is Dharma Ransomware and How Does It Work

Dharma has long been one of the most dangerous types of ransomware with no recent types broken. Dharma uses AES to encrypt files, while simultaneously deleting shadow copies. The encryption process starts with an individual machine mapped drives, followed by the root of the operating system drive. A new Dharma ransomware variant is typically denoted by a new unique file extension appended to the very end of an encrypted file.  

How Many Dharma Ransomware Strains Are out There

On average, one new Dharma variant was observed every month from January to August 2018. In September and October, the numbers increased dramatically. Four new variants appeared in September (.bkp, .monro, .brrr, .gamma) and nine more were observed in October (.xxxxx, .like, .gdb, .funny, .vanss, .betta, .waifu, .bgtx, .btc). This trend has continued into November (.adobe, .tron…etc).

The proliferation of new Dharma variants indicates a broader distribution of the ransomware to new groups of hackers/distributors. The broader distribution is also supported by case outcome data – data recovery rates skew dramatically by variant type.

Data Recovery Success Rates Vary Drastically by Dharma Type

In aggregate, the data recovery rate for Dharma remains very high, in excess of 96%. At the same time, the data recovery success rates range between 25% and 100% depending upon the variant. This range represents some of the most dramatic differences in data recovery rates outcomes within a given ransomware family that we have observed.

The difference in outcome between variants is likely due to the technical sophistication, aptitude and general demeanor of the ransomware distributors. This is further supported by the differences in communication patterns, and the decryption instructions provided as well.

Why Is Dharma So Destructive in the Hands of ‘Amateur’ Distributors?

Our case data indicates an increasingly wide range in the aptitude of the hacker’s that we communicate with during an incident. In some cases, we have had to provide guidance on how the decryption procedure works, essentially guiding the hacker to procure the proper tools & keys at the right stages of the process.

Dharma has a relatively complex decryption process, so any deviations may lead to decryption failure. As Dharma becomes more broadly distributed by less sophisticated hacker groups the recovery success rates depend more upon the organization of the hacker and less upon the reliability of the software.

In the hands of a distributor who does not understand its proper handling for encryption and decryption, compromised files and servers have no hope of being properly decrypted.  

Why Have Different Dharma Variants Propagated so Successfully

There are a few reasons why Dharma ransomware variants have proliferated recently. First, cheap ransomware bundles including Dharma have been observed, offering downward wholesale prices on ransomware once reserved for professional hacking groups.

Dharma may have dropped in wholesale value, and thus become available to less sophisticated distributors due to the growth and popularity of GandCrab. While only slightly easier to distribute, it is dramatically easier to collect because of the investment the GandCrab developers have made to the payment & decryptor TOR site.

There has also been a recent increase in attacks involving off the shelf file encryption software like BestCrypt or Jetico, that allow more sophisticated hackers to ransom a company without having tp purchase encryption malware, thus avoiding ransom sharing with developers.  

What Can You Do to Recover from a Ransomware Attack

Regardless of the true culprit, Dharma Ransomware is becoming even more dangerous as it gets into less sophisticated hands. Successful recovery from attacks is getting increasingly dependent on the data profile of the attack.

Service providers and targeted organizations should put a premium on positively identifying distributors capable of being a reliable counterparty vs the unsophisticated that are likely to complicate or degrade the probability of data recovery.

Coveware Ransomware Analytics provides a data-driven view of ransomware threats using real-time ransomware cases and cross-referenced client demographic. Contact us today to check how exposed your and your clients’ data is.

*** This is a Security Bloggers Network syndicated blog from Blog | Latest Ransomware News and Trends | Coveware authored by Bill Siegel. Read the original post at:

Avatar photo

Bill Siegel

Bill Siegel is the CEO and Co-founder of Coveware, a ransomware incident response firm. Before founding Coveware, Bill Siegel was the CFO of SecurityScorecard, a NY based cyber security ratings company. Prior to SecurityScorecard, Bill was the CEO of Secondmarket, and served as the Head of NASDAQ Private Market following Nasdaq’s acquisition of SecondMarket in 2015.

bill-siegel has 72 posts and counting.See all posts by bill-siegel