Gruppo TIM
Gruppo TIM

The Dharma ransomware

Dharma is a dangerous ransomware, identified as early as 2016, whose uniqueness lies entirely in its peculiar attack technique: the Dharma ransomware, in fact, is able to install itself on the victim’s computer together with legitimate software used as a camouflage shield.

 

What Is Dharma Ransomware?

Dharma ransomware, also known as CrySiS, is a “trojanized” high-risk ransomware-type virus targeting Windows OP used by threat actors to extort home computer users, but also small and medium-sized organizations.

This type of ransomware targets mostly directories inside the user’s directory on Windows. 

Every time a file is included in the directory, the ransomware encrypts the file and adds a suffix [bitcoin143@india.com].dharma.

Dharma ransomware’s uniqueness comes from the fact that it doesn’t attack the whole computer, but it conceals inside the system and continues to encrypt files every time they are added to the directory. 

So, in order to decrypt the files, it needs to be removed.

Dharma ransomware is scattered worldwide via e-mail campaigns that claim to be authentic and the user is requested to download a password-protected attachment named Defender.exe. 

The whole operation is so successful that many people over the years have ended downloading it.

 

Dharma’s new infection technique

Today, Dharma uses a spam e-mail to persuade the potential victim to update their antivirus.

To start the download of the fake update, the e-mail message also indicates a link accessible only after entering the password indicated in the e-mail itself.

In reality, by doing so, the victim simply downloads a self-extracting file named Defender.exe onto their computer.

When you run it, the download of two more files is automatically started.

The first, whose name is taskhost[.]exe, is the actual payload of the Dharma ransomware that TrendMicro antiviruses identify as RANSOM.WIN32.DHARMA.THDAAAI.

The second file, named Defender_nt32_enu[.]exe, is instead an old version of ESET AntiVirus Remover software (although the victim only discovers it after starting the installation).

Once the two files have been downloaded, the encryption process of the files stored on the various storage devices connected to the victim’s computer starts automatically and in the background, while the installation of ESET AntiVirus Remover is also started at the same time.

The ESET on-screen graphical interface is, of course, only intended to distract the user while the ransomware completes its malicious action.

Furthermore, Dharma runs as a separate instance from the removal tool: in this way, the ransomware still ensures its installation and execution even if the user does not complete the installation of the ESET removal tool.

At the end of its malicious action, the Dharma ransomware will have encrypted all files with the following formats: .PNG .PSD .PSP .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV .DWG .DXF.GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF .HQX .MIM .UUE .7Z. CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX. OBJR.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG, .BZ2, .1CD.

 

Tips to defend yourself

To defend the assets and the corporate perimeter from Dharma and other similar threats it is necessary to adopt some cybersecurity practices.

First of all, it is necessary to have backup procedures and systems that make copies that are not only local and, therefore, not rely solely on systems such as Microsoft’s Shadow Copy.

Considering that this type of ransomware does not seem to exploit specific vulnerabilities of the victim system, the classic defenses against phishing, spam and receiving spoofed e-mails remain valid.

A central system should be set up to collect information on suspicious e-mails.

This can be useful as a starting point for implementing additional defenses such as spam and phishing filters.

In case of suspicious attachments, it is recommended not to open them but to use sandboxing techniques to analyze their content.

In the case of suspicious e-mails/attachments, it is advisable to verify that the message was actually generated by a natural person who can be trusted using a different communication channel, such as the telephone.