Since 2016, the Dharma family of ransomware has continued to net its operators ransom after ransom. Its continued effectiveness is due to several factors, from the number of attack vectors used to the ransom amount demanded. The ransomware family is well-known among the InfoSec community but appeared to gain international notoriety when a hospital in Texas suffered an attack that resulted in the encryption of important patient records. Dharma activity comes in waves, with hackers using newer versions of the malware each time. Hospitals are not the only organizations that have been targeted by hackers; breweries and businesses operating in the maritime industry also have been affected.
From February through April of this year, researchers saw a sudden spike in Dharma (also called CrySIS) activity; one security firm measured the increase at 148%. The spike was attributed to the multiple attack vectors the operators use to raise the ransomware's infection rate. A higher infection rate gives the attackers a greater probability that at least some victims will pay.
For researchers, identifying the threat actors behind Dharma has been almost impossible. Changing attack vectors, continually updating the malware and switching tactics have served the criminals well in keeping their operations going. With every campaign, however, researchers have uncovered a little more about the ransomware and, more importantly, about how to defend against it. The first step in any proper defense is knowing on which fronts the potential victim will be attacked. Currently, those behind the ransomware appear to rely on three main methods:
- Distribution via malicious spam emails with compromised files or links.
- Distribution bundled with what appear to be legitimate downloads and installers, including anti-virus packages.
- Targeted attacks exploiting weak or stolen RDP credentials. This is by far the most popular attack vector employed historically by those behind Dharma.
Remote Desktop Protocol Abuse
As mentioned above, exploiting weak or stolen RDP credentials is Dharma's modus operandi. RDP, the Remote Desktop Protocol, was developed by Microsoft to give a user a graphical session on another computer over a network: the person connecting sees and controls the remote desktop as if sitting in front of it. This has many legitimate administrative uses, but attackers were quick to see that the same access lets them download and run malware on the machine once they hold a valid logon.
While ransomware was spread mainly through malicious spam campaigns, it was only a matter of time before that method lost its effectiveness. Malware authors, including those behind Dharma, saw an opportunity in gaining remote access to machines and installing the ransomware by hand. For such an attack to succeed, the attacker needs credentials that the RDP service will accept. These are obtained in several ways: buying or reusing credentials from earlier leaks, credential stuffing and password guessing against internet-exposed RDP hosts (weak passwords fall quickly), or social engineering.
Once valid credentials are in hand, the RDP session can be abused in a number of ways. The attacker can escalate privileges to install the ransomware or other malware, leave a backdoor on the computer or network for later use and, from one compromised machine, move laterally to others if the network is poorly segmented.
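The credential-stuffing and password-guessing activity described above leaves a distinctive trail in the Windows Security log: bursts of failed RDP logons (Event ID 4625, logon type 10) from one source address, often across many account names, sometimes followed by a success (Event ID 4624) from the same address. The following PowerShell script is an added example, not code from the original article or from any Dharma analysis; it runs the detection over a constructed sample of logon events so it can be tried offline, and the thresholds (5-minute window, 10 failures, 5 distinct accounts, 3 failures before a success) are assumptions to tune for your environment.

```powershell
# Added example (not from the original article): flag RDP password guessing,
# credential stuffing and "success after a burst of failures" from Security log
# events. 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
# The $events list below is constructed sample data; see the comment at the
# end for building it from the real Security log.
$WindowMinutes         = 5    # assumed tuning values
$FailureThreshold      = 10   # failures from one source IP inside the window
$DistinctUserThreshold = 5    # many different accounts from one IP = stuffing/spraying
$FailuresBeforeSuccess = 3    # failures preceding a success that merit a look

function New-LogonEvent($Time, $Id, $Ip, $User) {
    [pscustomobject]@{ Time = [datetime]$Time; Id = $Id; LogonType = 10; IpAddress = $Ip; User = $User }
}

# Constructed sample: one external address tries five accounts and gets in as
# jsmith; one internal user mistypes a password once and then logs on normally.
$events = @(
    New-LogonEvent '2019-05-01 02:00:01' 4625 '203.0.113.7' 'administrator'
    New-LogonEvent '2019-05-01 02:00:03' 4625 '203.0.113.7' 'admin'
    New-LogonEvent '2019-05-01 02:00:05' 4625 '203.0.113.7' 'backup'
    New-LogonEvent '2019-05-01 02:00:08' 4625 '203.0.113.7' 'scanner'
    New-LogonEvent '2019-05-01 02:00:11' 4625 '203.0.113.7' 'jsmith'
    New-LogonEvent '2019-05-01 02:00:15' 4625 '203.0.113.7' 'jsmith'
    New-LogonEvent '2019-05-01 02:01:02' 4624 '203.0.113.7' 'jsmith'   # guessed it
    New-LogonEvent '2019-05-01 09:14:00' 4625 '10.0.5.20'   'jsmith'   # one typo from the LAN
    New-LogonEvent '2019-05-01 09:14:20' 4624 '10.0.5.20'   'jsmith'
)

$alerts = @()
foreach ($src in ($events | Where-Object { $_.LogonType -eq 10 } | Group-Object IpAddress)) {
    $ip       = $src.Name
    $failures = @($src.Group | Where-Object { $_.Id -eq 4625 } | Sort-Object Time)
    $logons   = @($src.Group | Where-Object { $_.Id -eq 4624 } | Sort-Object Time)

    # Sliding window over this address's failures: volume catches brute force,
    # distinct account names catch stuffing and spraying.
    for ($i = 0; $i -lt $failures.Count; $i++) {
        $start = $failures[$i].Time
        $burst = @($failures | Where-Object { $_.Time -ge $start -and $_.Time -lt $start.AddMinutes($WindowMinutes) })
        $users = @($burst | ForEach-Object { $_.User } | Sort-Object -Unique)
        if ($burst.Count -ge $FailureThreshold) {
            $alerts += "BRUTE-FORCE  $ip : $($burst.Count) RDP failures in $WindowMinutes min starting $start"
            break
        }
        if ($users.Count -ge $DistinctUserThreshold) {
            $alerts += "STUFFING     $ip : $($users.Count) accounts tried in $WindowMinutes min ($($users -join ', '))"
            break
        }
    }

    # A successful RDP logon right after failures from the same address is the
    # moment a guessed or stolen password started working.
    foreach ($ok in $logons) {
        $prior = @($failures | Where-Object { $_.Time -lt $ok.Time -and $_.Time -ge $ok.Time.AddMinutes(-$WindowMinutes) })
        if ($prior.Count -ge $FailuresBeforeSuccess) {
            $alerts += "COMPROMISE?  $ip : $($ok.User) logged on at $($ok.Time) after $($prior.Count) failures"
        }
    }
}

if ($alerts.Count -eq 0) { 'No suspicious RDP logon activity.' } else { $alerts }

# On a live host (elevated), build $events from the Security log instead, e.g.:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } | ForEach-Object {
#       $d = ([xml]$_.ToXml()).Event.EventData.Data    # named fields: TargetUserName, LogonType, IpAddress
#       ... map them onto Time/Id/LogonType/IpAddress/User as above ...
#   }
```

Against the sample data the script reports a STUFFING alert for 203.0.113.7 (five distinct accounts inside the window) and a COMPROMISE? alert for jsmith's successful logon from that address; the internal typo from 10.0.5.20 produces nothing. Thresholds are the interesting part: a single external address cycling through account names is far more suspicious than the same failure count from one internal workstation, so a real deployment would weight by source network as well.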
It is easy to see why attackers, and those behind Dharma in particular, favor this vector for distributing ransomware. It is, however, defensible; several measures prevent RDP from being abused this way. The first is to lock down the protocol: use strong, unique passwords, enforce account lockout so online password guessing cannot run indefinitely, and enable network-level authentication (NLA). NLA, which current Windows versions enable by default, requires the connecting user to authenticate before a session is created, so an unauthenticated client never reaches the logon screen. Beyond that, businesses should limit who within the organization is authorized to use remote access, and should not expose RDP directly to the internet; reach it through a VPN or a remote desktop gateway instead.
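The hardening steps above can be audited on a Windows host with a short PowerShell script. The one below is an added example, not code from the original article; it reads the standard Terminal Server registry values and firewall rules, and for each weak setting it finds it prints the command that fixes it. The 10.0.0.0/8 management range in the firewall remediation and the lockout values are assumed placeholders, and the lockout check assumes English `net accounts` output.

```powershell
# Added example (not from the original article): audit the RDP settings the
# text recommends locking down. Run in an elevated PowerShell on the host.
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"
$findings = @()

# 1. Is RDP enabled at all? If nobody needs it, the safest setting is off.
$deny = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
if ($deny -eq 0) {
    $findings += 'RDP is enabled. If unused: Set-ItemProperty -Path "{0}" -Name fDenyTSConnections -Value 1' -f $tsKey
}

# 2. Network Level Authentication: UserAuthentication = 1 means the user must
#    authenticate (via CredSSP) before a session exists, so anonymous clients
#    never reach the logon screen or the pre-auth attack surface behind it.
$nla = (Get-ItemProperty -Path $rdpTcp -Name UserAuthentication).UserAuthentication
if ($nla -ne 1) {
    $findings += 'NLA is OFF. Fix: Set-ItemProperty -Path "{0}" -Name UserAuthentication -Value 1' -f $rdpTcp
}

# 3. Security layer: 2 = TLS required, 1 = negotiate, 0 = legacy RDP encryption.
$layer = (Get-ItemProperty -Path $rdpTcp -Name SecurityLayer).SecurityLayer
if ($layer -lt 2) {
    $findings += 'SecurityLayer is {0}; require TLS: Set-ItemProperty -Path "{1}" -Name SecurityLayer -Value 2' -f $layer, $rdpTcp
}

# 4. Who may log on over RDP? Administrators always can; this group adds more.
#    Every member here is an account worth confirming (and protecting).
$rdpUsers = @(Get-LocalGroupMember -Group 'Remote Desktop Users' -ErrorAction SilentlyContinue)
foreach ($m in $rdpUsers) {
    $findings += 'Remote Desktop Users contains {0}; remove if not required: Remove-LocalGroupMember -Group "Remote Desktop Users" -Member "{0}"' -f $m.Name
}

# 5. Firewall scope: the built-in "Remote Desktop" rules default to any remote
#    address, which is what puts port 3389 in front of credential-stuffing bots.
$openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
if ($openRules) {
    $findings += 'RDP firewall rules accept connections from Any address. Restrict to the management network (placeholder range): Set-NetFirewallRule -DisplayGroup "Remote Desktop" -RemoteAddress 10.0.0.0/8'
}

# 6. Account lockout: without it, online password guessing never has to stop.
#    (String check assumes an English locale.)
$lockout = (net accounts) | Select-String 'Lockout threshold'
if ($lockout -match 'Never') {
    $findings += 'No account lockout threshold. Fix (placeholder values): net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15'
}

if ($findings.Count -eq 0) { 'RDP configuration: no weak settings found.' }
else { $findings | ForEach-Object { "WEAK: $_" } }
```

The script only reports; apply the printed `Set-ItemProperty`, `Set-NetFirewallRule` and `net accounts` commands deliberately, and restart the Remote Desktop Services service (or reboot) after changing the NLA or security layer values so they take effect for new connections.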
Dharma is not the only malware using this attack vector. Research by one security firm found that ransomware delivered through RDP accounted for 63.5% of ransomware detections in the first quarter of 2019. Such statistics further illustrate the need to lock down RDP: it is an incredibly useful tool for admins and IT departments, but one that is open to abuse by malicious parties.
Masquerading as Legitimate Installers
In May 2019, security researchers detected samples of Dharma distributed via spam emails. As with other spam emails, the recipient is prompted to click a link, which in this case is the first step of the Dharma infection. This method of infecting victims is not new; it is the tried and tested infection vector used countless times.
What separated these attacks from others is that clicking the link downloaded a malicious file along with an installer from a well-known anti-virus vendor. The email carrying the link told the recipient that their computer was infected or vulnerable to attack. Once the files were downloaded, the installer would open, distracting the user while Dharma ran in the background encrypting files. Even if the installer did not open, Dharma still began encrypting the user's files.
When ransomware first emerged as a serious threat, it was used in spray-and-pray attacks: send as many spam emails as possible to as many recipients as possible in the hope that a small percentage would click a malicious link or download a compromised file. As awareness of the problem grew, along with the number of victims, the tactic became less and less successful, and a number of attackers switched to cryptominers to turn a profit.
Ransomware was thought to be dead; in reality, its operators had merely changed tactics. The Dharma family was among the first to adopt a more targeted approach. Rather than trying to infect as many personal computers as possible, the attackers began focusing on businesses and other organizations, with hospitals and government bodies of particular interest. By targeting hospitals, law enforcement and government departments, they hoped to force payment from victims who cannot tolerate downtime. Hospitals bore the brunt: figures show that in 2017, hospitals and other healthcare organizations saw an 89% year-on-year increase in ransomware attacks.
This approach has worked for those patient enough to implement it correctly, and those behind Dharma appear to have the patience and knowledge to make it work. Make no mistake: such tactics are paying off. A city in Florida paid attackers over $600,000 to decrypt files deemed essential to operations. When research further suggests that organizations can lose up to $8,500 per hour of downtime, there is a clear motivation to pay.
In this respect, Dharma does not try to rewrite the rules of ransomware practice. The ransom note dropped on the victim's desktop follows the same pattern others have used before. The ransom demanded is one Bitcoin; at the time of writing, a single Bitcoin was valued at $10,316. Those operating the ransomware have, however, been known to adjust the ransom depending on the target, and this flexible attitude to pricing contributes to the ransomware's continued success.
Screenshot of Dharma's ransom note:
Combined with the targeted approach above, demanding a ransom the attackers believe the company will pay has led many organizations to meet the demand rather than go through the hassle and massive expense of recovering every encrypted file, despite repeated warnings from law enforcement and security firms not to pay. Business owners and upper management are left weighing the costs of downtime, bringing in security consultants and potentially lost business or sensitive data against the decision to pay or not to pay.
The rest of the ransom note makes for standard reading. It provides two email addresses for contacting the attackers and states that they will decrypt five files for free to prove that decryption is possible once the ransom is paid. It further warns against using third-party decryption software, which may cause permanent data loss, and against renaming files: helpful advice from the people who illegally encrypted the data.
To tell which Dharma variant has struck, look at the extension appended to each file during encryption. The following are just some of the extensions used by older variants: .crysis, .dharma, .wallet, .java, .adobe, .viper1, .write, .bip, .zzzzz, .viper2, .arrow, .gif, .xtbl, .onion, .cezar, .combo, .cesar, .cmb, .AUF, .arena, .brrr, .btc, .cobra, .gamma, .heets, .monro, .USA, .bkp, .xwx, .best, .bgtx, .boost, .waifu, .qwe, .ETH, .bet, ta, .air, .vanss, .888, .FUNNY, .amber, .gdb, .frend, .like, .KARLS, .xxxxx, .aqva, .lock, .korea, .plomb, .tron, .NWA, .AUDIT, .com, .cccmn, .azero, .Bear, .bk666, .fire, .stun, .myjob, .ms13, .war, .carcn, .risk, .btix, .bkpx, .he, .ets, .santa, .gate, .bizer, .LOVE, .LDPR, .MERS, .bat, .qbix, .aa1 and .wal.
Screenshot of files encrypted by Dharma ransomware:
If infected with Dharma, there are only a few options for recovering data and removing the malware without paying the ransom. Free decryptors have been released to the public for many of the older versions. The newer versions are not currently decryptable, so for those, recovery depends on restoring from offline backups taken before the infection.