November 13, 2022
Dharma ransomware is pretty different from other ransomware families for a lot of parameters. Its injection ways and a money ransom note and encryption methods were the reason to distinguish it into a separate family from the first case.
|Note||Info.hta file with 4 sections: Instructions, Free Decryption as Guarantee, How to Obtain Bitcoins, Attention!|
|File pattern||.id-[alpha-numeric ID].[hacker email].[dharma variant file extension]|
|Ransom emails||[email protected], [email protected], [email protected], [email protected], and etc.|
|Algorithm||AES-256 (CBC mode) or DES + RSA|
|Features||The file decryption key, along with random bytes, is encrypted using the RSA-1024 algorithm and stored at the end of the encrypted file.|
|Distribution||Third-party downloaders, installers, peer-to-peer networks, RDP exploits, etc.,|
Distribution methods of Dharma ransomware
Almost 77% of all Dharma cases are related to the exploitation of RDP vulnerabilities. The remote desktop protocol became especially popular during the pandemic. It allows the employees to connect to their work PCs and use them as usual, with full access to computing power and disk files. But, as Dharma showed, it also allows the cybercriminals to take a huge jackpot. It is not very hard to set up the correct security measures to prevent the virus injection, but many employers ignore that security breach.
Much fewer ransomware injection cases are related to email spamming. Together with RDP vulnerabilities exploitation, this spreading way is used heavily for attacks on corporations. People used to trust email messages and files attached to them. It is effortless to understand why it happens - the malware spreading through emails is a new tactic used only for the last three years. Nonetheless, cybercriminals did not create a new thing - macros vulnerabilities, used for malware injection about ten years ago, are used in an unchanged form. The virus hides as a VBA add-on for a file (exactly, macros) and launches when a careless user allows the execution of the macros.
There are no documented cases of Dharma ransomware injection through the fileless attack. Furthermore, usage of software or hardware flaws for virus injection is minimal - the total share of ransomware attack cases through these ways is less than a statistical error (less 3%).
How does Dharma act?
Each ransomware targeted the companies rather than individuals has a pretty interesting way of performing its activity on the device. As mentioned, Dharma uses vulnerabilities in RDP, exploiting the mistake that the negligent system administrators often make. They often add a port forwarder, which transfers the queue on the Domain Controller via the same protocol. Getting into DC, cyber burglars gain access to each computer connected to this particular network.
After the connection, they inject malware into each computer in the network. The next step, as you may already guess, is file encryption. Simultaneously with the main operation, Dharma ransomware maintainers also launch a hack tool that gets the credentials of all computers connected to this network. Virus does not need your credentials at this moment. It is already inside of each PC in your network. Ransomware maintainers will sell these credentials in future, using Darknet. When some of this login information repeats other logins or passwords the PC user has, the situation turns critical, doesn't it?
Dharma ransomware uses AES-256-CBC encryption algorithm (Advanced Encryption Standard (AES) Cipher Algorithm in Cipher Block Chaining (CBC) Mode).
Advanced Encryption Standard(AES) is a symmetric encryption algorithm. AES is the industry standard as of now as it allows 128 bit, 192 bit and 256 bit encryption.Symmetric encryption is very fast as compared to asymmetric encryption and are used in systems such as database system. Following is an online tool to generate AES encrypted password and decrypt AES encrypted password. It provides two mode of encryption and decryption ECB and CBC mode.
The process of encryption is similar to one in other ransomware families. The virus copies the file, encrypts the copy, removes the original file, and substitutes it with an encrypted duplicate. The encrypted file obtains a new name - specific for each “member” of the Dharma family. For example, the following scheme creates these names:
id-[alpha-numeric ID].[hacker email].[dharma variant file extension]For example, one of the last Dharma ransomware examples added the following changes:
myfile.jpg → myfile.jpg.id-C3B22A85.[[email protected]].DHARMA
Of course, file encryption is not the only thing the virus makes into your system. It drops the file named "Info.hta" in %AppData/Roaming% and /Windows/System32 folders to show you what happened. This file is a link to the page where a scary ransom note is displayed. In some cases, Dharma leaves many "info.txt", "RETURN FILES.txt" or "FILES ENCRYPTED.txt" notes, which contain almost the exact text as .hta money ransom note.
To increase its presence in the system, ransomware launches a new instance of the winhost.exe process and adds it to the Run registry hive. This hive is responsible for the program startup - if you create the key, which refers to an executive file of the specific program, it will launch with the system start.
In addition, to avoid file recovery using essential recovery tools, all Dharma ransomware variants disables the Shadow Volume Copy (SVC) mechanism. Because of the specificity of SVC, after disabling this function, all volume copies are deleted. Hence, you will still not be able to use of Shadow Volume Copy after the attack. Fortunately, ransomware is not able to corrupt the backups created with third-party programs or other methods.
How to protect corporate network from Dharma ransomware?
Since Dharma usually penetrates your computer through the poorly protected networking elements, you need to concentrate your attention on these problems. Specifically for Dharma, this element is Remote Desktop Protocol. RDP was designed long ago, so it is well researched by both cybercriminals and cybersecurity experts for possible exploits. All of them are available on the Internet, so there is no problem checking each of them and preventing exploit usage.
Another step that you must perform is making your corporate network more sustainable for all sorts of cyberattacks. Force the employees to use antivirus software and explain to them the importance of using only licensed software. Blocking the possible malware injection sources is about 50% of success. Of course, you cannot prevent all possible attacks - no one canceled the zero-day hazards. But the less exploiting potential your system has - the more time you will have to detect and stop the cyber attack.