FortiGuard Labs Threat Research
Dharma Ransomware Analysis: What It’s Teaching Us
FortiGuard Labs Threat Research Report
In 2018, a popular brewery was slammed by a ransomware attack, while at about the same time a major maritime port experienced an identical issue that affected ship movements into and out of the harbor. Both cases were the result of the Dharma ransomware exploit.
In fact, a lot of new Dharma waves appeared in a short period of time, with some new extensions appearing, such as .bip, .combo, and now .gamma.
What is Dharma Ransomware?
Dharma ransomware encrypts files in order to demand a ransom in exchange for a decryption key. It is often delivered manually by targeting leaked or vulnerable RDP credentials.
FortiGuard Labs has been monitoring the Dharma (also named CrySiS) ransomware family for a few years. As we demonstrate below, even though the Dharma ransomware continues to be active, the attackers are not really updating their mode of operation, but continue to rely on a proven tactic to find and infect new victims, which is to leverage badly secured or vulnerable RDP services to gain access to the network.
Credentials can be found by either purchasing access online on the dark web, or by bruteforcing.
Once authenticated, however, a Dharma attacker can map a hard drive remote share or just use the clipboard to pass malicious content to the victim. From that point on, the attacker has everything needed to pivot within the network to propagate the infection to other servers or devices.
New Dharma Ransomware Variant Discovered
Recently, the FortiGuard Labs team found a new variant of the Dharma ransomware. Dharma encrypted files have new extensions, such as .xxxxx and .like. After in-depth investigation and analysis, however, we found that when compared to previous versions (such as .java, .bip, .combo, .arrow, .arena and .gamma), this new malware variant (.xxxxx and .like) does not include a substantial upgrade to the code, but simply uses a different loader program.
Dharma Ransomware Decryption Tools
The first variant of the Dharma ransomware appeared as early as 2006, and has continued to this day with regular updates. Because of the continuous evolution of this ransomware, free decryptors for previous malware versions were released by Kaspersky and Eset. Unfortunately, files encrypted with the new variants of Dharma ransomware are not currently decryptable for free as was the case for the older variants.
If you are looking for previous released decryptors, you can find them on the NoMoreRansom website (https://www.nomoreransom.org/en/decryption-tools.html), which is a joint initiative from law enforcement agencies and security companies to combat ransomware.
How does Dharma Ransomware Work?
When the new Dharma ransomware variant is installed on a victim’s computer, it executes and decrypts data as necessary from the .data resource section. Initially, the entire .data section is encrypted using the RC4 algorithm and a 128byte key stored at the beginning of the data block. The malware then uses the key to decrypt the strings, step by step. Firstly, API names and addresses are decrypted and stored into the stack, which are then loaded. In addition, the malware decrypts commands used to delete shadow copies, file extension lists, attacker email addresses, the encrypted file extension, the ransom note, and other various strings that are also encrypted.
Fig 1. Strings decryption
Then, the Dharma ransomware configures itself to automatically start up when the user logs in to Windows. This allows it to encrypt new files that are created since it was last executed.
Fig 2. Auto run setting
The malware then invokes cmd.exe to delete Volume Shadow Copies, using the command:
vssadmin delete shadows /all /quiet.
Fig 3. command vssadmin delete shadows /all /quiet
The sample starts with mapped drives before moving onto the root of the OS drive and encrypting files via implementation of the AES algorithm. When encrypting a file, it will append an extension in the format of .id-[id].[email].xxx. For example, a file called test.txt would be encrypted and renamed to test.txt.id-AC197B68.[recoverdata@protonmail.com].combo.
Fig 4. Files encrypted with the Dharma Ransomware combo variant
After encrypting the files, the Dharma ransomware pops up two different ransom notes on the victim’s computer. One is the Info.hta file, which is launched by an autorun when a user logs into the computer.
Fig 5. Ransom note HTA
The other note is called FILES ENCRYPTED.txt and can be found on the desktop.
Fig 6. Ransom note text
FortiGuard Labs has been monitoring this malware carefully since the beta version of this family was first discovered. From a ransomware perspective, Dharma continues to be active and at the top of our threat list. Our telemetry also shows that for the past 6 months more than 25% of detection is originating from Turkey.
The cyberwar is not at rest. Turkish sources have reported that Dharma has attacked more than 100 Greek websites. Details of these attacks seem to confirm news reports about the political tensions between Turkey and Greece regarding islands ownership in the Aegean sea, showing that ransomware attacks can be used for activism as well as for financial gain.
Solution
1. FortiGuard’s advanced Antivirus service detects these samples as W32/Crysis.L!tr.ransom
2. FortiSandbox rates the Dharma/Crysis sample as High Risk
In addition to the previous protections outlined, Fortinet is advising customers to follow the security best practices below:
1. Backup Your Data
The best protection against ransomware such as Dharma is to be prepared. To protect your computer from Dharma or any other ransomware, it is important to use good computing practices and security software. First, you should always have a reliable and tested data backup that can be used to recover devices or networks in an emergency (such as a ransomware attack). Rather than paying a ransom, the most effective method is to replace compromised operating systems, software, and applications with clean backed-up versions.
2. Access Management
Since Dharma Ransomware is usually installed by hacking Remote Desktop Services, it is important to ensure that those services are properly locked. This includes ensuring that computers running Remote Desktop Services do not connect directly to the Internet. Instead, put any computers running Remote Desktop behind the VPN so that only people with a VPN account on the network can access them.
It should be noted that this ransomware targets and will encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares. So it is important to make sure your network's shares are locked down so that only those who actually need access have permission.
FortiGuard Labs will continue to track this family and share our findings with readers as new details come to light.
Target file extension list
.1cd .3ds .3fr .3g2 .3gp .7z .accda .accdb .accdc .accde .accdt .accdw .adb .adp .ai .ai3 .ai4 .ai5 .ai6 .ai7 .ai8 .anim .arw .as .asa .asc .ascx .asm .asmx .asp .aspx .asr .asx .avi .avs .backup .bak .bay .bd .bin .bmp .bz2 .c .cdr .cer .cf .cfc .cfm .cfml .cfu .chm .cin .class .clx .config .cpp .cr2 .crt .crw .cs .css .csv .cub .dae .dat .db .dbf .dbx .dc3 .dcm .dcr .der .dib .dic .dif .divx .djvu .dng .doc .docm .docx .dot .dotm .dotx .dpx .dqy .dsn .dt .dtd .dwg .dwt .dx .dxf .edml .efd .elf .emf .emz .epf .eps .epsf .epsp .erf .exr .f4v .fido .flm .flv .frm .fxg .geo .gif .grs .gz .h .hdr .hpp .hta .htc .htm .html .icb .ics .iff .inc .indd .ini .iqy .j2c .j2k .java .jp2 .jpc .jpe .jpeg .jpf .jpg .jpx .js .jsf .json .jsp .kdc .kmz .kwm .lasso .lbi .lgf .lgp .log .m1v .m4a .m4v .max .md .mda .mdb .mde .mdf .mdw .mef .mft .mfw .mht .mhtml .mka .mkidx .mkv .mos .mov .mp3 .mp4 .mpeg .mpg .mpv .mrw .msg .mxl .myd .myi .nef .nrw .obj .odb .odc .odm .odp .ods .oft .one .onepkg .onetoc2 .opt .oqy .orf .p12 .p7b .p7c .pam .pbm .pct .pcx .pdd .pdf .pdp .pef .pem .pff .pfm .pfx .pgm .php .php3 .php4 .php5 .phtml .pict .pl .pls .pm .png .pnm .pot .potm .potx .ppa .ppam .ppm .pps .ppsm .ppt .pptm .pptx .prn .ps .psb .psd .pst .ptx .pub .pwm .pxr .py .qt .r3d .raf .rar .raw .rdf .rgbe .rle .rqy .rss .rtf .rw2 .rwl .safe .sct .sdpx .shtm .shtml .slk .sln .sql .sr2 .srf .srw .ssi .st .stm .svg .svgz .swf .tab .tar .tbb .tbi .tbk .tdi .tga .thmx .tif .tiff .tld .torrent .tpl .txt .u3d .udl .uxdc .vb .vbs .vcs .vda .vdr .vdw .vdx .vrp .vsd .vss .vst .vsw .vsx .vtm .vtml .vtx .wb2 .wav .wbm .wbmp .wim .wmf .wml .wmv .wpd .wps .x3f .xl .xla .xlam .xlk .xlm .xls .xlsb .xlsm .xlsx .xlt .xltm .xltx .xlw .xml .xps .xsd .xsf .xsl .xslt .xsn .xtp .xtp2 .xyze .xz .zip
IOC
W32/Crysis.L!tr.ransom
bf20b92755cd5c2542cdcef804ee795932cc4b0e070ca6b81ff8fd30908a8f97
a43dab9c34af5a49a2a615e86db3e2bf4c5467853dd5bd4f1a1c73619b683ab2
ed1b5acfc578c3bcb0f9ca222e4704020139077f43fadfc444705cb00dc66317
55f6805604934e1f8cd9759b831be4f06abbb61db80a36b92db83aaf4b0ddaa0
42cb8238c00c151e56b8e3c2db3c0a8f8631f2936d613311d347f1dcfb24fa3f
bae69bb3736f8103f6e5ca1be3bebd11b7e5200de79b88d7c03b9b65ab04e16a
7010d8f772b31f0ee5332bcfc280cf443f8ba4bfbbdec773cd38ea72f8efe152
8656da57a71d2245f8f6a7ce4299aa614fd93c0be5fee78aadbf30f3cb3becb7
-= FortiGuard Lion Team =-
For more resources, sign up for our weekly FortiGuard Threat Brief. We research emerging threats in cybersecurity so you can stay up to date with the latest.
Know your vulnerabilities – get the facts about your network security. A Fortinet Cyber Threat Assessment can help you better understand: Security and Threat Prevention, User Productivity, and Network Utilization and Performance.
