New Variant of Dharma Ransomware Identified

May 23, 2018


A new variant of Dharma ransomware has been discovered. The ransomware can encrypt files on the local device as well as files on unmapped network shares, mapped network drives, and shared virtual machine hosts.

Dharma was first seen in November 2016 and shares many features with CrySiS ransomware. Although a decryptor was released in 2017 that let companies recover their files without paying, new Dharma variants are regularly released that cannot be decrypted without paying the ransom. More than ten Dharma variants have been released since the original was first seen in 2016.

Two new Dharma variants have been released this year. In March, a variant was identified that uses the .arrow extension. This month a new variant has been identified that uses the .bip extension. Neither of these new variants can be decrypted without payment. Recovery from an infection is only possible by paying the ransom or by restoring the encrypted files from backups.

The latest variant was identified by security researcher Michael Gillespie, and other security researchers have confirmed that it is indeed a new Dharma variant. How this variant is being distributed is not yet known. Email is a possibility, although the threat actors behind previous variants have preferred to install the ransomware manually after gaining access to devices through brute force attacks on Remote Desktop Services.

As is now standard with new ransomware variants, infection results in the deletion of Windows Shadow Volume copies. Victims are alerted to the infection at boot, and a ransom note is also dropped on the desktop. The ransomware is designed to run again whenever a user logs into Windows, ensuring that recently created files missed by the initial encryption pass are also encrypted.

Although many ransomware variants state the ransom amount in the note, the threat actors behind this attack require the victim to email them to find out how much they must pay for the decryption keys. This is an increasingly common approach because it lets the attackers set the ransom demand based on the victim's perceived ability to pay.

To protect against the threat, organizations should ensure they have robust backup plans. Multiple backups should be created, and those backups should be tested to confirm that files can actually be restored. Anti-virus and anti-malware solutions with behavioral detection capabilities should be used so that an attack can be detected while it is in progress, even when the ransomware's signature is not yet in the database.
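As an added illustration of the behavioral detection recommended above (example code written for this article, not a tool from the researchers named in it), the script below flags the three behaviors the article attributes to this variant: deletion of shadow copies, re-execution at logon, and a burst of files renamed to the .bip or .arrow extension. The telemetry format, the event lines, the use of vssadmin for shadow copy deletion and a Run key for logon persistence, and the burst threshold are all assumptions made for the example; the article does not state the mechanism.

```python
from collections import Counter, defaultdict

# Constructed sample telemetry (not from the article), one event per line:
# "<time> <host> <event_type> <details>". Host ws07 shows the behaviours
# described for this Dharma variant; ws12 shows benign look-alikes.
SAMPLE_EVENTS = """\
10:00:01 ws07 ProcessCreate vssadmin.exe delete shadows /all /quiet
10:00:02 ws07 RegistrySet HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost C:\\Users\\bob\\AppData\\Roaming\\svchost.exe
10:00:03 ws07 FileRename C:\\Users\\bob\\Docs\\q1.xlsx -> C:\\Users\\bob\\Docs\\q1.xlsx.bip
10:00:03 ws07 FileRename C:\\Users\\bob\\Docs\\q2.xlsx -> C:\\Users\\bob\\Docs\\q2.xlsx.bip
10:00:03 ws07 FileRename \\\\fs01\\share\\plan.docx -> \\\\fs01\\share\\plan.docx.bip
10:00:04 ws07 FileRename C:\\Users\\bob\\Docs\\notes.txt -> C:\\Users\\bob\\Docs\\notes.txt.bip
10:05:00 ws12 FileRename C:\\Users\\ann\\draft.txt -> C:\\Users\\ann\\draft.bak
10:05:01 ws12 ProcessCreate vssadmin.exe list shadows
"""

RANSOM_EXTENSIONS = (".bip", ".arrow")  # extensions named in the article
RENAME_BURST_THRESHOLD = 3              # assumption: tune for your environment


def analyse(events: str) -> dict:
    """Return {host: [findings]} for hosts showing ransomware-like behaviour."""
    renames = Counter()
    findings = defaultdict(list)
    for line in events.splitlines():
        ts, host, kind, details = line.split(" ", 3)
        lower = details.lower()
        # Shadow copy deletion: "vssadmin list shadows" must not fire.
        if kind == "ProcessCreate" and "vssadmin" in lower \
                and "delete" in lower and "shadows" in lower:
            findings[host].append(f"{ts} shadow copies deleted: {details}")
        # Logon persistence via a Run key (assumed mechanism).
        elif kind == "RegistrySet" and "\\currentversion\\run\\" in lower:
            findings[host].append(f"{ts} Run-key persistence: {details}")
        # Count renames to a Dharma extension; a single rename is not enough.
        elif kind == "FileRename":
            _, new_path = details.split(" -> ", 1)
            if new_path.lower().endswith(RANSOM_EXTENSIONS):
                renames[host] += 1
    for host, n in renames.items():
        if n >= RENAME_BURST_THRESHOLD:
            findings[host].append(
                f"{n} files renamed to a Dharma extension (.bip/.arrow)")
    return dict(findings)


if __name__ == "__main__":
    for host, items in analyse(SAMPLE_EVENTS).items():
        print(host)
        for item in items:
            print("  ", item)
```

Only ws07 is reported; the benign `vssadmin list shadows` and the single `.bak` rename on ws12 do not trigger a finding.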

Network privileges should be restricted as far as possible, and Remote Desktop Services should be disabled unless strictly necessary. Where it is required, strong passwords should be set to reduce exposure to brute force attacks, and devices with Remote Desktop Services enabled should not be allowed to connect directly to the Internet.