Threat Research

Ransomware Roundup – Playing Whack-a-Mole with New CrySIS/Dharma Variants

By James Slaughter | January 19, 2023

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report provides readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This latest edition of the Ransomware Roundup covers variants of the CrySIS/Dharma ransomware family.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts files on the compromised machine and demands ransom for file decryption
Severity level: High

CrySIS/Dharma Ransomware Overview

The CrySIS/Dharma ransomware family has been around for several years – dating to at least 2016. It nominally operates using a Ransomware-as-a-Service (RaaS) model. However, it should also be noted that at least one version of the ransomware had its source code leaked, allowing anyone to purchase and repurpose it for their own ends.

Due to this proliferation of versions, it’s become a game of “whack-a-mole” when new ones pop up with different operators.

CrySIS/Dharma Ransomware Infection Vector

Several methods have been used by CrySIS/Dharma operators to gain access to an environment—most famously, exposed Microsoft Remote Desktop Protocol (RDP) servers. It has also been delivered via phishing with attachments disguised as installation files for legitimate software, including AV vendors.

CrySIS/Dharma Ransomware Execution

When launched, the ransomware sets the console to codepage 1251, which covers the ability to use Cyrillic languages such as Russian, Ukrainian, and Bulgarian.

Figure 1. Console codepage set to 1251.

It also deletes shadow copies of the system to hamper any attempts at recovery.

Figure 2. Deletion of the host’s volume shadow copies using VSSadmin.

An additional copy of the ransomware is copied to the host’s “~\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup” folder to ensure it runs in the event the system is restarted before encryption has occurred.

Figure 3. A new copy of the ransomware copied into the Startup folder.

 

All files of interest, such as personal and operational documents (it does not touch system files), are then subjected to encryption.

Figure 4. A selection of files of interest for CrySIS/Dharma.

Encrypted files have an extension generally referring to the threat actor controlling the ransomware. These tend to vary widely, as seen in the following images.

Figure 5. Files encrypted by CrySIS/Dharma variation 1.
Figure 6. Files encrypted by CrySIS/Dharma variation 2.
Figure 7. Files encrypted by CrySIS/Dharma variation 3.

In an unusual step, once encryption is complete, the malware launches the Microsoft HTML Application (MSHTA) to process and display a file called “Info.hta”. Copies of this file are stored in four separate locations on the host:

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\Users\<victim account>\AppData\Roaming
  • C:\Users\<victim account >\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
  • C:\Windows\System32

“Info.hta” is essentially an HTML file containing the ransom's details.

Figure 8. Contents of “Info.hta”.

While there are variations in the ransom notes, all contain a method to contact the attacker to discuss the details of the ransom. A unique ID, which appears to be based on the characteristics of the victim system, is also displayed.

Figure 9. CrySIS/Dharma ransom note variation 1.
Figure 10. CrySIS/Dharma ransom note variation 2.
Figure 11. CrySIS/Dharma ransom note variation 3.

In addition to its “Info.hta” file, a separate file called “info.txt” is also dropped. It contains a truncated set of instructions to contact the attacker. A copy is dropped at the following locations:

  • C:\
  • C:\Users\Public\Desktop
  • C:\Users\<victim account >\Desktop
Figure 12. Contents of the “info.txt” file.

Fortinet Protections

Fortinet customers are already protected from this malware variant through FortiGuard’s Web Filtering, AntiVirus, and FortiEDR services, as follows:

FortiGuard Labs detects known CrySIS/Dharma ransomware variants with the following AV signatures:

IOCs

File-based IOCs:

SHA256

419bc8196013d7d8c72b060da1a02d202d7e3eb441101f7bcb6d7667871a5c16

5c2fb1c42f007093be5e463f70ee7e7192990b3385a3cbcc71043980efa312e0

6a0017262def9565b504d04318c59f55bea136ac3dd48862d1ae90ff6b963811

b557bf11d82d3d64d028a87584657d25dba0480295ed08447f10c7a579dee048

b3984a2de76eee3ad20c4b13e0c0cbbab2dd6db65e3f6ca34418e79c21cf5c39

e9253218e30b30c8bb690b2ab02eef47b8b5c8991629d814b2af6664151e9a2f

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact to an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE NSE trainingNSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry's leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

Best Practices include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard AI-powered security services portfolio.