What is Dharma Ransomware?
The Dharma ransomware is a sophisticated malware that has appeared under many guises over the last several years. Many different variants of Dharma have been released, and the encryption uses multiple different extension names, including .combo, .boost, .wallet, .brrr, .gamma, and .monro, to name just a few.
Under the hood, the different Dharma strains all contain similar source code, and the attack vectors are identical. The sheer number of different file extensions suggests that each extension differentiates the threat actors responsible for delivering the ransomware payload.
Some reports suggest that Dharma has spawned up to 34 variants during its lifetime. For example, one newer strain, .combo, was first spotted in July 2018. It is a fork of the CrySIS malware, which has been in circulation since 2016. But awareness of this Dharma strain spiked in February – April 2019, with a 148% increase in reported infections, and we still see .combo infections today.
Dharma appears to target global enterprise businesses specifically. Dharma only targets Windows server infrastructure, which has an extensive footprint within the enterprise business sector. Early reported targets included healthcare institutions, local governments, and maritime businesses throughout the United States.
One high-profile attack was a breach of Altus Hospital systems in Baytown, Texas. An extensive number of electronically stored health records were maliciously encrypted and held to ransom. The threat actor’s sole intention was financial extortion. It is essential to note that in this incident no ransom payment occurred and no evidence of data theft was uncovered during the investigation of the event.
Dharma ransomware follows the same attack vectors used by malware such as Phobos, GandCrab, Kraken and LockCrypt ransomware. It exploits weak or compromised RDP credentials on Internet-facing remote Windows computers. Once inside, the attackers can breach computer networks to spread the Dharma payload.
How Does the Dharma .combo Ransomware Work?
Exploiting the Windows RDP protocol (port 3389) is the most common delivery method used for the Dharma payload. There are many ways that the attackers can compromise RDP access, and cracked credentials are traded on the dark web by hacking communities.
Botnet farms scan the public internet 24/7, and once an exposed RDP port is identified, malicious software is used to brute-force any server with an open RDP service. If a weak password protects the RDP connection, it can take a matter of seconds to crack.
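The RDP brute-force pattern described above leaves a recognisable trace in the Windows Security log: a burst of failed logons (event ID 4625) from one address, sometimes followed by a success (event ID 4624). The detector below is an added example, not code from the original article or from Tetra Defense; the log sample is constructed inline, and the 20-failures-in-5-minutes threshold is an assumption to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_events():
    """Constructed Windows Security log sample (not real data) as
    (iso_timestamp, event_id, source_ip, account). 4625 = failed logon, 4624 = success."""
    base = datetime(2019, 3, 1, 2, 0, 0)
    events = []
    for i in range(25):  # 25 failures in 25 seconds against a built-in account
        events.append(((base + timedelta(seconds=i)).isoformat(), 4625, "198.51.100.7", "administrator"))
    events.append(((base + timedelta(seconds=30)).isoformat(), 4624, "198.51.100.7", "administrator"))
    for i in range(3):  # a real user who mistyped a password a few times
        events.append(((base + timedelta(minutes=10, seconds=i)).isoformat(), 4625, "192.0.2.10", "jsmith"))
    events.append(((base + timedelta(minutes=11)).isoformat(), 4624, "192.0.2.10", "jsmith"))
    return events

def detect_rdp_brute_force(events, threshold=20, window=timedelta(minutes=5)):
    """Return {source_ip: 'attempted' | 'compromised'} for every address that
    produced >= threshold failed logons inside `window`; 'compromised' when a
    successful logon from the same address follows the burst."""
    by_ip = defaultdict(list)
    for ts, event_id, ip, account in events:
        by_ip[ip].append((datetime.fromisoformat(ts), event_id, account))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        failures = [t for t, eid, _ in rows if eid == 4625]
        burst_end, start = None, 0
        for i, t in enumerate(failures):  # sliding window over failure timestamps
            while t - failures[start] > window:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = t
                break
        if burst_end is None:
            continue
        success_after = any(eid == 4624 and t >= burst_end for t, eid, _ in rows)
        findings[ip] = "compromised" if success_after else "attempted"
    return findings

if __name__ == "__main__":
    print(detect_rdp_brute_force(constructed_events()))  # {'198.51.100.7': 'compromised'}
```

A "compromised" finding is the cue to isolate the host and review what that account did next, since the page's infection chain starts immediately after the successful logon.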
Another common method to deliver the Dharma payload is via a phishing campaign: the attackers send an email carrying the malware inside a malicious Microsoft Word document or similar attachment. Dharma has also been spread via file sharing sites and fake ESET Antivirus applications.
Upon successful infection, the Dharma payload will shut down numerous core system services to protect itself as it proceeds to encrypt (using AES-256 combined with RSA-1024 asymmetric encryption) all non-system files and any attached disks (SMB/NAS/USB).
During the infection process, Dharma deletes all Windows restore points (via the vssadmin utility), preventing rollback, uninstalls any antivirus software found running on the system, and generates a file list of all user files designated for encryption. This file listing is transmitted to a control server owned by the threat actors.
Once the encryption process completes, a ransom note called info.hta or FILES ENCRYPTED.txt is copied onto the user’s desktop and into the folders of the encrypted files. The note demands that the user email a contact to make payment via bitcoin. The ransom is usually about one bitcoin, but there is evidence to suggest the ransom increases depending on the size of the organization infected.
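The behaviour described in this section (vssadmin wiping restore points, files renamed to the listed extensions, and info.hta or FILES ENCRYPTED.txt appearing on disk) can be turned into host-level detection. The triage script below is an added example, not code from the original article or from Tetra Defense; the telemetry records are constructed in a hypothetical EDR-style format, and the five-file burst threshold is an assumption.

```python
import re
from collections import defaultdict

# Host indicators taken from the behaviour described above.
RANSOM_NOTE_NAMES = {"info.hta", "files encrypted.txt"}
DHARMA_EXTENSIONS = {".combo", ".boost", ".wallet", ".brrr", ".gamma", ".monro"}
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

# Constructed telemetry records in a hypothetical EDR-style format (not real data).
SAMPLE_EVENTS = [
    {"host": "SRV01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "SRV01", "type": "file", "path": r"C:\Users\jsmith\Desktop\info.hta"},
] + [
    {"host": "SRV01", "type": "file", "path": rf"C:\Shares\Finance\report{i}.xlsx.combo"}
    for i in range(6)
] + [
    {"host": "WS02", "type": "file", "path": r"C:\Users\amy\Documents\btc.wallet"},  # lone, possibly benign
]

def classify_event(event):
    """Return an alert name for one record, or None if it matches no indicator."""
    if event.get("type") == "process":
        return "shadow_copy_deletion" if SHADOW_DELETE.search(event.get("cmdline", "")) else None
    if event.get("type") == "file":
        name = event.get("path", "").replace("\\", "/").rsplit("/", 1)[-1]
        if name.lower() in RANSOM_NOTE_NAMES:
            return "ransom_note_dropped"
        if "." in name and "." + name.rsplit(".", 1)[-1].lower() in DHARMA_EXTENSIONS:
            return "dharma_extension_written"
    return None

def triage(events, min_encrypted=5):
    """Aggregate alerts per host and assign a verdict.

    'likely_dharma' needs shadow-copy deletion plus a note drop or a burst of renamed
    files; a single renamed file alone is only 'suspicious' (a .wallet file can be benign)."""
    per_host = defaultdict(lambda: defaultdict(int))
    for ev in events:
        alert = classify_event(ev)
        if alert:
            per_host[ev["host"]][alert] += 1
    result = {}
    for host, counts in per_host.items():
        burst = counts.get("dharma_extension_written", 0) >= min_encrypted
        if counts.get("shadow_copy_deletion", 0) and (counts.get("ransom_note_dropped", 0) or burst):
            verdict = "likely_dharma"
        else:
            verdict = "suspicious"
        result[host] = {"verdict": verdict, "alerts": dict(counts)}
    return result

if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(host, info)
```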
How Do I Prevent Dharma Ransomware?
There are many preventative actions that you can take to secure your systems against the Dharma ransomware. It is essential to maintain system security best practices, including ensuring that all servers are patched to the latest security levels. Installing the latest patches ensures that your version of Windows is secure against the very latest known vulnerabilities.
Educating employees on matters of cybersecurity is an essential consideration. Users need to double-check the final destination URLs of any links when web browsing to reduce the possibility of a successful phishing attempt. Additionally, make sure your employees know how to check a website’s security certificate to determine whether the site is a trusted source and teach them never to open attachments from unknown sources.
One effective strategy to mitigate the threat of ransomware is to use regular and properly segregated backups of business-critical systems. Often the only way to roll back from a ransomware outbreak is to restore systems from a backup. The ability to restore an entire computer infrastructure from a backup or to leverage a disaster recovery solution can significantly reduce the risk associated with ransomware.
Other standard measures that can protect your organization from a ransomware infection include:
- System Inventory – One of the first steps to take, especially if you are a business, is to complete an inventory of all your business assets. The list should include all digital assets such as servers, desktops, laptops, network equipment, and digital infrastructure. Cataloging the assets you own will allow you to create a baseline to work from if any systems are infected.
- Risk Analysis – Conduct a cybersecurity risk analysis using the baseline created during the system inventory. This process will allow you to identify security weaknesses and create a priority list of what to fix first.
- Disaster Recovery – Create and test a disaster recovery plan, including a scenario where a total outage occurs due to ransomware. Disaster recovery might consist of a high availability DR setup in a secondary site or with a cloud provider.
- Penetration Testing – This is a technique of testing external and internal computer infrastructure against all known vulnerabilities. Pen testing and vulnerability scanning will generate a list of recommended fixes needed to harden the infrastructure.
All these precautions will significantly reduce the risk of your infrastructure being hit by Dharma or any other form of ransomware.
How Do I Remove Dharma Ransomware?
Early versions of Dharma have been decrypted by security specialist software. Kaspersky and ESET have released decryptors, which may resolve a Dharma infection. The Kaspersky Rakhni decryptor and the ESET Crysis Decryptor are undoubtedly worth a try, even on newer strains.
The next option is to restore from backup. If you are in the difficult position of not having a backup, and you urgently need your files, we recommend you contact the incident response experts at Tetra Defense.
Tetra Defense prioritizes restoration to get businesses back to where they were before the ransomware attack. We approach ransomware restoration and investigations simultaneously, so you return to normal at the same time you are getting answers.
Our teams are standing by to focus on what matters most: your business! We will survey the ransomware outbreak and perform an initial assessment; this will identify the course of action to fix the ransomware. We can, when necessary, conduct ransom negotiation and, if needed, can offer facilitation of ransom payment.
We remove the ransomware threat from your system and conduct malware scans and network threat hunting. Each incident is leveraged to learn from the ransomware attack and discover the root cause. Once decryption keys are obtained, we assist with the decryption of data and get systems restored to full functionality as quickly as possible.
Get Help with Dharma Ransomware
If you’re ready to get help removing Dharma ransomware from your critical systems, contact Tetra Defense’s incident response team today. We will reach out for an assessment and build a plan to get your systems up and running once again.
Example of Dharma Ransom Note