What is Dharma Ransomware?

As cyber threats keep growing, the number of ransomware families has grown with them, and Dharma is one of them. This article explains what ransomware is and how the Dharma family works.

What is Ransomware?

Ransomware is malware that encrypts a victim's data and holds it hostage. An organisation's essential data is encrypted so that its files, databases and applications can no longer be opened, and a ransom is then demanded in exchange for the means to decrypt them.

  • Ransomware is frequently designed to spread across a network and target database and file servers, paralysing a whole enterprise in the process. It is a growing menace that generates billions of dollars in payouts to criminals while causing considerable damage to businesses and government agencies.

  • Ransomware typically combines symmetric and asymmetric encryption. Files are encrypted with a fast symmetric cipher, and the symmetric key is in turn encrypted with the public half of a public-private key pair that the attacker generates for that victim; the matching private key never leaves the attacker's server. The attacker usually hands over the private key (or a decryptor containing it) only once the ransom is paid, and, as recent ransomware operations have shown, not always even then. Without the private key it is practically impossible to decrypt the files being held for ransom.

There are many ransomware families, and Dharma is one of them.

Dharma Ransomware

Dharma ransomware encrypts user data and demands a ransom for the key needed to decrypt it. The malware is deployed by hand: attackers reach a machine over Remote Desktop Protocol (RDP), normally TCP port 3389, brute-force or otherwise obtain a valid password, and then run the ransomware on the compromised host.

  • In a Dharma attack, files on the victim's drives as well as on unprotected mapped network drives, shared virtual-machine host drives and unmapped network shares are encrypted with AES. A ransom note is dropped alongside the encrypted files, typically as FILES ENCRYPTED.txt or Info.hta, giving a contact e-mail address through which payment instructions are relayed.

  • Dharma ransomware (also known as CrySiS) is delivered manually by attackers over Remote Desktop Protocol (RDP) connections, usually using compromised or weak credentials.

  • Once launched, the malware decrypts the strings holding the names of the functions it imports using RC4 with a 128-byte key. During runtime linking, the decrypted names are used to look up the addresses of those imported functions, and the remaining strings needed for execution are decrypted with the same RC4 routine.
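The string-decryption step above, as an added example that is not the page's or the sample's code: the kind of string decryptor an analyst writes once the RC4 routine and the key have been located in the binary. The 128-byte key, the length-prefixed table layout and the import names are all constructed here (the text gives only the key length, not its value or the table format). The second function shows the caveat a reverse engineer should know: if the sample re-initialises RC4 with the same key for every string, as the one-call-per-string pattern does, every entry is XORed with the same keystream, and a single guessable import name recovers the keystream prefix and with it every other string of that length, no key required.

```python
# Added example (not code from the page or from the Dharma sample): a string
# decryptor of the kind an analyst writes once the RC4 routine has been
# identified. The key, the string-table layout and the names are all
# constructed here; the real sample's key and layout must be read out of
# the binary.
import hashlib


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Constructed 128-byte key (the text gives the key length, not the value).
KEY = hashlib.sha512(b"constructed-example-key").digest() * 2

# Constructed string table: each entry is a 1-byte length followed by the RC4
# ciphertext of a NUL-terminated name, every entry encrypted with a fresh RC4
# state under the same key (one decrypt call per string, as the text describes).
NAMES = [b"kernel32.dll", b"CreateFileW", b"WriteFile", b"CryptEncrypt", b"advapi32.dll"]


def build_table(names, key):
    table = bytearray()
    for name in names:
        ct = rc4_crypt(key, name + b"\x00")
        table.append(len(ct))
        table += ct
    return bytes(table)


ENCRYPTED_TABLE = build_table(NAMES, KEY)


def parse_table(table: bytes):
    """Split the length-prefixed table into its ciphertext entries."""
    entries, pos = [], 0
    while pos < len(table):
        length = table[pos]
        ct = table[pos + 1:pos + 1 + length]
        if len(ct) != length:
            raise ValueError("truncated entry at offset %d" % pos)
        entries.append(ct)
        pos += 1 + length
    return entries


def decrypt_table(table: bytes, key: bytes):
    """What the malware does at runtime: decrypt each name before resolving it."""
    return [rc4_crypt(key, ct).rstrip(b"\x00").decode("ascii") for ct in parse_table(table)]


def decrypt_table_without_key(table: bytes, known_index: int, known_plaintext: bytes):
    """Keystream-reuse shortcut: re-keying RC4 with the same key for every
    string means every entry is XORed with the same keystream. One known
    plaintext (an import name that is easy to guess) yields the keystream
    prefix, which then decrypts every other entry up to that length."""
    entries = parse_table(table)
    keystream = bytes(c ^ p for c, p in zip(entries[known_index], known_plaintext))
    recovered = []
    for ct in entries:
        pt = bytes(c ^ k for c, k in zip(ct, keystream))   # only a prefix if ct is longer
        recovered.append(pt.rstrip(b"\x00").decode("ascii", errors="replace"))
    return recovered


if __name__ == "__main__":
    print(decrypt_table(ENCRYPTED_TABLE, KEY))
    print(decrypt_table_without_key(ENCRYPTED_TABLE, 0, b"kernel32.dll\x00"))
```

The known-plaintext path only works when the sample really does restart RC4 per string; if it keeps one running keystream across the whole table, each string is XORed with a different segment and the shortcut recovers nothing past the known entry. Checking which of the two the sample does is the first thing to settle in the disassembly.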

Dharma Ransomware Demands: How Much Do They Cost?

Ransom payments for Dharma are lower than the industry average. This is because the attacks are individually targeted and most Dharma operators handle negotiation and payment collection manually.

Dharma is well known for attacking small businesses at scale; the reported average ransom demand is roughly $6,500.

How is Dharma Ransomware Deployed?

The attack vector for most Dharma infections is Remote Desktop Protocol (RDP) access. RDP is widely exposed to the internet without adequate protection, and ransomware operators can either brute-force the credentials or simply buy stolen ones on the dark web.
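The brute-force pattern described above, as an added detection example (not from the page): a sliding-window count of failed logons per source IP over Windows Security events, followed by a check for a successful RDP logon from the same address, which is the point at which the attacker has the foothold Dharma needs. The event records are constructed for this example; the field names mirror the 4624 and 4625 events (EventID, LogonType, IpAddress, TargetUserName) as a collector would deliver them after parsing. One caveat the code accounts for: with Network Level Authentication enabled, the failed attempts are recorded with LogonType 3 (network) rather than 10, so a rule that only counts LogonType 10 failures misses the burst entirely.

```python
# Added example (not from the page): flag the RDP brute-force pattern the
# section describes using Windows Security events. The event records are
# constructed for this example; field names mirror the 4624/4625 events
# (EventID, LogonType, IpAddress, TargetUserName) as a collector would
# deliver them after parsing.
from collections import defaultdict
from datetime import datetime, timedelta


def _burst(ip, start, count, users, step_s=5):
    """Constructed: `count` failed logons from `ip`, one every `step_s` seconds."""
    t0 = datetime.fromisoformat(start)
    return [{"time": (t0 + timedelta(seconds=i * step_s)).isoformat(), "id": 4625,
             "logon_type": 3, "ip": ip, "user": users[i % len(users)]}
            for i in range(count)]


EVENTS = (
    # Attacker: 25 guesses in about two minutes, then a successful RDP logon.
    # With Network Level Authentication on, the failures are logged as
    # LogonType 3 (network), not 10; only the final success shows LogonType 10.
    _burst("203.0.113.7", "2022-02-16T03:00:01", 25, ["administrator", "admin", "backup"])
    + [{"time": "2022-02-16T03:02:30", "id": 4624, "logon_type": 10,
        "ip": "203.0.113.7", "user": "administrator"}]
    # Legitimate user: one typo, then a successful RDP logon.
    + [{"time": "2022-02-16T09:15:00", "id": 4625, "logon_type": 3, "ip": "10.0.0.5", "user": "jsmith"},
       {"time": "2022-02-16T09:15:20", "id": 4624, "logon_type": 10, "ip": "10.0.0.5", "user": "jsmith"}]
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Report source IPs with >= threshold failed logons inside `window`, and
    whether a successful RDP (LogonType 10) logon from the same IP followed."""
    failures = defaultdict(list)        # ip -> [(time, user)]
    rdp_successes = defaultdict(list)   # ip -> [(time, user)]
    for e in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4625 and e["logon_type"] in (3, 10):
            failures[e["ip"]].append((t, e["user"]))
        elif e["id"] == 4624 and e["logon_type"] == 10:
            rdp_successes[e["ip"]].append((t, e["user"]))

    findings = []
    for ip, fails in failures.items():
        for start in range(len(fails)):
            end = start
            while end + 1 < len(fails) and fails[end + 1][0] - fails[start][0] <= window:
                end += 1
            if end - start + 1 >= threshold:
                first, last = fails[start][0], fails[end][0]
                # A successful RDP logon from the same IP after the burst began
                # means a password was guessed: escalate, do not just alert.
                hits = [u for t, u in rdp_successes[ip] if first <= t <= last + window]
                findings.append({
                    "ip": ip,
                    "failures": end - start + 1,
                    "first": first.isoformat(),
                    "last": last.isoformat(),
                    "users_tried": sorted({u for _, u in fails[start:end + 1]}),
                    "success_as": hits[0] if hits else None,
                })
                break   # one finding per source IP is enough here
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(EVENTS):
        print(finding)
```

The threshold and window are starting points, not tuned values; password-spraying operators deliberately stay under such limits, so the same logic should also be run keyed on the target user name across many source addresses. Disabling internet-facing RDP, or putting it behind a VPN with multi-factor authentication, removes the vector this rule watches for.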

  • Dharma ransomware is a severe threat to companies that let employees or contractors reach their networks over remote access without taking the necessary precautions.

  • Unfortunately, the encryption scheme combines symmetric (AES-256-CBC) and asymmetric (RSA-1024) encryption, with the RSA private key held only by the attacker, so victims cannot recover the data on their own. Unless a public decryptor exists for the specific variant, which is worth checking before anything else, the files cannot be decrypted without paying for that key.

  • Dharma ransomware copies itself to Startup folders, adds entries under autorun registry keys, and terminates database processes and services so that their files are released and can be encrypted. These techniques let the attacker inflict more severe damage on the affected computers.
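The hybrid scheme described in the section on how ransomware works and in the AES-256-CBC plus RSA-1024 bullet above, as an added example that is not the sample's code: a fresh AES-256-CBC key encrypts each file and is then wrapped with the attacker's RSA public key, so the victim is left holding ciphertext plus a key they cannot unwrap. It uses the `cryptography` package, RSA-2048 with OAEP rather than the RSA-1024 the text reports for the sample (the argument does not depend on key size), and a container layout (wrapped-key length, wrapped key, IV, ciphertext) invented for the example; none of this is Dharma's actual file format.

```python
# Added example (not the sample's code): the hybrid scheme the text describes,
# built with the `cryptography` package. A fresh AES-256-CBC key encrypts each
# file and is then wrapped with the attacker's RSA public key, so the victim
# holds only ciphertext plus a key they cannot unwrap. RSA-2048 with OAEP is
# used here instead of the RSA-1024 the text reports for the sample; the
# container layout (wrapped-key length | wrapped key | IV | ciphertext) is
# invented for the example and is not Dharma's file format.
import os
from cryptography.hazmat.primitives import hashes, padding
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.asymmetric import padding as rsa_padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

OAEP = rsa_padding.OAEP(mgf=rsa_padding.MGF1(algorithm=hashes.SHA256()),
                        algorithm=hashes.SHA256(), label=None)


def attacker_keypair(bits=2048):
    """Generated per victim on the attacker's side; the private key stays there."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    return private_key, private_key.public_key()


def encrypt_file(plaintext: bytes, attacker_public_key) -> bytes:
    file_key = os.urandom(32)           # AES-256 key, unique to this file
    iv = os.urandom(16)
    padder = padding.PKCS7(128).padder()
    padded = padder.update(plaintext) + padder.finalize()
    encryptor = Cipher(algorithms.AES(file_key), modes.CBC(iv)).encryptor()
    ciphertext = encryptor.update(padded) + encryptor.finalize()
    wrapped_key = attacker_public_key.encrypt(file_key, OAEP)
    # The plaintext AES key is dropped here; only its RSA-wrapped form is kept.
    return len(wrapped_key).to_bytes(2, "big") + wrapped_key + iv + ciphertext


def decrypt_file(blob: bytes, attacker_private_key) -> bytes:
    """Only the holder of the private key gets past the unwrap step."""
    key_len = int.from_bytes(blob[:2], "big")
    wrapped_key = blob[2:2 + key_len]
    iv = blob[2 + key_len:18 + key_len]
    ciphertext = blob[18 + key_len:]
    file_key = attacker_private_key.decrypt(wrapped_key, OAEP)
    decryptor = Cipher(algorithms.AES(file_key), modes.CBC(iv)).decryptor()
    padded = decryptor.update(ciphertext) + decryptor.finalize()
    unpadder = padding.PKCS7(128).unpadder()
    return unpadder.update(padded) + unpadder.finalize()


def recovery_needs_private_key() -> bool:
    """The victim's position: any key other than the attacker's fails to unwrap."""
    attacker_priv, attacker_pub = attacker_keypair()
    blob = encrypt_file(b"Q1 payroll totals", attacker_pub)
    assert decrypt_file(blob, attacker_priv) == b"Q1 payroll totals"
    someone_else_priv, _ = attacker_keypair()
    try:
        decrypt_file(blob, someone_else_priv)
    except ValueError:      # OAEP unwrap with the wrong key raises ValueError
        return True
    return False


if __name__ == "__main__":
    print("private key required:", recovery_needs_private_key())
```

Because the per-file AES key is generated, used and discarded inside the encrypting process, the only practical recovery paths are the attacker's private key, a public decryptor for the variant, or restoring from backups that the ransomware could not reach.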

Updated on: 16-Feb-2022
