
How Dharma ransomware became an effective services business

New research looks under the bonnet of a Dharma ransomware attack, with the ransomware's ease of use being particularly dangerous for small to medium-sized enterprises

While much of the attention on ransomware has naturally focused on enterprise-killing strains such as Maze, REvil/Sodinokibi and WastedLocker, other ransomware families such as Dharma continue to thrive. Dharma has become the centre of an underground cyber crime services business, according to research which reveals how it has established itself as an effective and profitable ransomware as a service (RaaS).

In a report titled Color by numbers: Inside a Dharma RaaS attack, Sophos senior threat researcher Sean Gallagher shared new, in-depth insight into Dharma’s automated attack script and toolset, which is being offered to cyber criminal buyers to target small and medium-sized enterprises (SMEs).

“With so many multimillion-dollar ransom demands, high-profile targets and advanced adversaries like WastedLocker now making the headlines, it can be easy to forget that threats like Dharma are alive and well, and enabling a whole other rung of cyber criminals to hit multiple smaller targets to rake in a fortune, eight thousand dollars at a time,” said Gallagher.

Since its emergence in 2016, Dharma has established itself as one of the most profitable ransomwares thanks to its mass-market, service-based business model. Gallagher described it as a “fast-food franchise”, saying it is widely and easily available to just about anybody who wants it.

“Dharma’s ransomware-as-a-service offerings expand the range of people who can execute devastating ransomware attacks. That’s worrying enough in itself in normal times. But right now, with many businesses adapting to the pandemic and accommodating a need for rapid support for remote workers, and IT staffs stretched thin, the risks from these attacks are magnified,” he said.

“The need to equip and enable an unexpectedly remote workforce has left small companies with vulnerable infrastructure and devices and hindered the ability of IT support staff to adequately monitor and manage systems the way they normally would.”

Ease of use is at the core of the Dharma RaaS business model, and this makes it particularly dangerous to SMEs. Its backers offer their customers a package of pre-built scripts and tools that take relatively little technical skill to operate, leveraging internal Windows tools, legitimate third-party freeware, well-known security tools and publicly available exploits, integrated through bespoke PowerShell, batch and AutoIT scripts.

This extends the reach of Dharma’s operators, letting them profit while their customers – who pay around $2,000 for Dharma on underground forums – do the donkey work of breaching networks, dropping the ransomware, and running ‘customer service’ for the victims.

For the victim, decryption is a fairly complex task that works in two stages. If you contact the Dharma affiliate for recovery keys, you will be given a first-stage tool that extracts details of all your encrypted files. The affiliate will then share this extracted data with Dharma’s operators, who then provide the second-stage decryption key for the files. Of course, just how effective this process is in restoring data is up for debate and a lot will be riding on the skills, and even the mood, of the affiliate.

This means that it is best to stop an attack before it happens, or to ensure you are protected well enough to be able to ignore it and start over.

Gallagher said that most Dharma affiliate attacks can be effectively blunted by ensuring remote desktop protocol (RDP) servers – exploitation of vulnerable RDP servers is behind about 85% of Dharma attacks – are secured behind a virtual private network (VPN) with multi-factor authentication.
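As an added illustration of that RDP hardening advice (example code written for this page, not from the Sophos report or the article), the following PowerShell audits a Windows host for RDP exposure and then scopes the built-in Remote Desktop firewall rules to a VPN subnet; the subnet 10.8.0.0/24 and the function names are assumptions.

```powershell
# Assumed VPN address range; adjust for your environment.
$VpnSubnet = '10.8.0.0/24'
$TsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # fDenyTSConnections = 0 means RDP is enabled on this host.
    $rdpEnabled = (Get-ItemProperty -Path $TsKey -Name fDenyTSConnections).fDenyTSConnections -eq 0
    # UserAuthentication = 1 means Network Level Authentication is required.
    $nla = (Get-ItemProperty -Path "$TsKey\WinStations\RDP-Tcp" -Name UserAuthentication).UserAuthentication -eq 1

    # Enabled inbound allow rules for TCP 3389, plus their remote-address scope.
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object LocalPort -eq 3389 |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }

    $openToAny = foreach ($rule in $rules) {
        $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        # 'Any' means the rule accepts RDP from every source address, including the internet.
        if ($remote -contains 'Any') { $rule.DisplayName }
    }

    [pscustomobject]@{
        RdpEnabled     = $rdpEnabled
        NlaRequired    = $nla
        RulesOpenToAny = @($openToAny)
    }
}

function Set-RdpVpnOnly {
    param([string]$Subnet)
    # Require NLA so the session is authenticated before a desktop is ever presented.
    Set-ItemProperty -Path "$TsKey\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1
    # Scope the built-in Remote Desktop rule group to the VPN subnet only.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $Subnet
}

$before = Get-RdpExposure
$before | Format-List
if ($before.RdpEnabled -and $before.RulesOpenToAny.Count -gt 0) {
    Set-RdpVpnOnly -Subnet $VpnSubnet
    Get-RdpExposure | Format-List
}
```

Run it from an elevated PowerShell session; the MFA requirement the report recommends is enforced at the VPN concentrator, which this host-side script cannot configure.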

SMEs should also be on the alert for credential theft via phishing attacks – especially as remote working continues to be the norm – and pay attention to their own IT service providers and other third parties that may have access to their systems.
