DHARMA (CRYSIS) RANSOMWARE


Introduction

Dharma ransomware, also known as Crysis, first appeared in 2016. It was delivered manually: attackers targeted exposed Remote Desktop Protocol (RDP) services on TCP port 3389 and brute-forced the credentials of the target computer to gain access.
Attacks involving Dharma have been frequent and have been recorded against small to medium-sized organisations in many countries, including Russia, Japan, China, and India.
There is no decryptor for any of the active Dharma variants, and the average ransom demanded is $5k in DASH, payable by contacting the email addresses provided in the ransom note.

Modus Operandi

Initial access

The threat actor usually delivers Dharma by targeting Remote Desktop Protocol (RDP) services on TCP port 3389 and brute-forcing the password to gain access to a computer. There have also been recorded cases of Dharma being distributed as a malicious attachment in spam email, disguised as an installation file for legitimate software, including products from AV vendors. When delivered as an attachment, Dharma uses a double file extension, which makes the file appear non-executable under default Windows settings (where known extensions are hidden). Victims are therefore tricked into opening it, believing it to be a harmless document.
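The two delivery vectors above both leave defender-side traces. The following is an added example, not code from the original article: it detects an RDP brute-force attempt from Windows Security events (Event ID 4625 failed logons with logon type 10, the RemoteInteractive type RDP sessions use), correlates it with a subsequent successful RDP logon (Event ID 4624), and flags attachment names that hide an executable behind a document extension. The event records are constructed sample data, and the threshold, window and field names are this example's own choices.

```python
"""Detection helpers for the Dharma initial-access vectors: RDP brute force and
double-extension attachments. Added example; the events below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10  # Windows "RemoteInteractive" logon type used by RDP


def detect_rdp_bruteforce(events, threshold=20, window=timedelta(minutes=5)):
    """Return {src_ip: time_first_flagged} for sources that produced at least
    `threshold` failed RDP logons (4625, type 10) inside any `window` span."""
    recent = defaultdict(deque)  # per-source sliding window of failure times
    flagged = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4625 or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        t = datetime.fromisoformat(ev["time"])
        q = recent[ev["src_ip"]]
        q.append(t)
        while q and t - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["src_ip"] not in flagged:
            flagged[ev["src_ip"]] = t
    return flagged


def successful_after_bruteforce(events, flagged):
    """Sources in `flagged` that later logged on successfully over RDP (4624,
    type 10): the signature of a password guess that worked."""
    hits = set()
    for ev in events:
        if (ev["event_id"] == 4624 and ev["logon_type"] == RDP_LOGON_TYPE
                and ev["src_ip"] in flagged
                and datetime.fromisoformat(ev["time"]) >= flagged[ev["src_ip"]]):
            hits.add(ev["src_ip"])
    return hits


# Extensions Windows hides by default and that execute when opened (assumed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
# Extensions an attacker uses as the visible decoy (assumed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "zip"}


def is_double_extension(filename):
    """True for names like 'invoice.pdf.exe': the real extension is executable
    and the one shown to the user looks like a document."""
    parts = filename.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    _, decoy, real = parts
    return real in EXECUTABLE_EXTS and decoy in DECOY_EXTS


def _make_sample_events():
    """Constructed Security-log sample: one brute force that succeeds, one
    user mistyping a password, and console failures that must not count."""
    base = datetime(2024, 1, 10, 2, 0, 0)
    events = []
    for i in range(25):  # 25 RDP failures in ~2 minutes from one address
        events.append({"time": (base + timedelta(seconds=5 * i)).isoformat(),
                       "event_id": 4625, "logon_type": 10,
                       "src_ip": "203.0.113.7", "user": "administrator"})
    events.append({"time": (base + timedelta(seconds=130)).isoformat(),
                   "event_id": 4624, "logon_type": 10,
                   "src_ip": "203.0.113.7", "user": "administrator"})
    for i in range(3):  # a legitimate user mistyping a password
        events.append({"time": (base + timedelta(minutes=1, seconds=30 * i)).isoformat(),
                       "event_id": 4625, "logon_type": 10,
                       "src_ip": "198.51.100.4", "user": "jsmith"})
    for i in range(30):  # console (type 2) failures are not RDP
        events.append({"time": (base + timedelta(seconds=i)).isoformat(),
                       "event_id": 4625, "logon_type": 2,
                       "src_ip": "-", "user": "svc_backup"})
    return events


SAMPLE_EVENTS = _make_sample_events()

if __name__ == "__main__":
    flagged = detect_rdp_bruteforce(SAMPLE_EVENTS)
    print("brute-force sources:", list(flagged))
    print("successful after brute force:", successful_after_bruteforce(SAMPLE_EVENTS, flagged))
    print("Invoice_2024.pdf.exe suspicious:", is_double_extension("Invoice_2024.pdf.exe"))
```

The window-based count rather than a raw total keeps a slow, noisy user below the threshold while a scripted guess of many passwords per minute crosses it quickly; correlating with a later 4624 from the same source turns "someone is guessing" into "someone got in", which is the alert that matters for Dharma.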

Installation

As soon as the Dharma Trojan dropper is executed, it installs two files: ns.exe (a network enumeration and scanning tool) and processhacker.exe (a system administration tool). ns.exe is used to scan for network shares, open ports, and services that can be used to move within the network, and processhacker.exe is used to disable antivirus software and other security services. The Dharma executable is then dropped under the name “winhost.exe” and creates a registry entry to sustain its presence on the system, after which Dharma deletes all Windows shadow copies by running vssadmin.exe. On some Windows versions, Dharma has also been observed attempting to run itself with administrator privileges so that a longer list of files can be encrypted.
Dharma attempts to propagate through the network by applying a Default Domain Policy via a compromised domain controller, which runs “winhost.exe” on each machine as it starts up.
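The installation chain above gives a defender several independent indicators on one host: the ns.exe and processhacker.exe drops, the winhost.exe executable with a Run-key entry, and vssadmin.exe deleting shadow copies. The following is an added example, not code from the original article: it scores process-creation and registry-set telemetry (shaped like Sysmon Event ID 1 and 13, with field names of this example's own choosing) per host and alerts only when several of these indicators co-occur, so that an administrator legitimately running Process Hacker or listing shadow copies does not trigger on its own. The event records and the exact vssadmin command line are constructed sample data.

```python
"""Score hosts against the Dharma installation chain (ns.exe / processhacker.exe,
winhost.exe with Run-key persistence, vssadmin shadow-copy deletion).
Added example; event field names and sample events are this example's own.
"""
import re
from collections import defaultdict

# Tool names the article associates with the Dharma dropper.
DHARMA_TOOLS = {"ns.exe", "processhacker.exe", "winhost.exe"}
# vssadmin invoked to delete shadow copies (any spacing/case).
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
# Autorun key under HKLM or HKCU.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def _image_name(path):
    """Basename of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_indicators(event):
    """Return the indicator names a single telemetry event matches."""
    hits = []
    if event["type"] == "process_create":
        name = _image_name(event["image"])
        if name in DHARMA_TOOLS:
            hits.append(f"dharma_tool:{name}")
        if SHADOW_DELETE.search(event["cmdline"]):
            hits.append("shadow_copy_deletion")  # ATT&CK T1490 Inhibit System Recovery
    elif event["type"] == "registry_set":
        if RUN_KEY.search(event["key"]) and _image_name(event["value"]) in DHARMA_TOOLS:
            hits.append("run_key_persistence")  # ATT&CK T1547.001 Registry Run Keys
    return hits


def score_hosts(events, alert_at=3):
    """Collect distinct indicators per host and return {host: sorted indicators}
    for hosts reaching `alert_at`. One hit alone stays below the threshold."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(match_indicators(ev))
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= alert_at}


def _proc(host, parent, image, cmdline):
    return {"type": "process_create", "host": host, "parent": parent,
            "image": image, "cmdline": cmdline}


def _reg(host, key, value):
    return {"type": "registry_set", "host": host, "key": key, "value": value}


# Constructed sample telemetry: one infected workstation, one admin using
# Process Hacker legitimately, one backup server merely listing shadow copies.
SAMPLE_EVENTS = [
    _proc("WS-042", "explorer.exe", r"C:\Users\alice\Downloads\setup.pdf.exe", "setup.pdf.exe"),
    _proc("WS-042", "setup.pdf.exe", r"C:\Users\alice\AppData\Local\Temp\ns.exe", "ns.exe -p 445,3389 10.0.0.0/24"),
    _proc("WS-042", "setup.pdf.exe", r"C:\Users\alice\AppData\Local\Temp\processhacker.exe", "processhacker.exe"),
    _proc("WS-042", "setup.pdf.exe", r"C:\Users\Public\winhost.exe", "winhost.exe"),
    _reg("WS-042", r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winhost", r"C:\Users\Public\winhost.exe"),
    _proc("WS-042", "winhost.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    _proc("WS-007", "explorer.exe", r"C:\Program Files\Process Hacker 2\ProcessHacker.exe", "ProcessHacker.exe"),
    _proc("SRV-01", "backup.bat", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe list shadows"),
]

if __name__ == "__main__":
    for host, indicators in score_hosts(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(indicators)}")
```

Because Dharma spreads winhost.exe through Group Policy, the same scoring run across all hosts will show the Run-key and winhost.exe indicators appearing on many machines shortly after a reboot, which is the point at which the domain controller itself should be treated as compromised.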

Encryption

Dharma encrypts files on fixed, removable, and network drives using AES-256 combined with the RSA-1024 asymmetric encryption algorithm.

Command and Control

The dropper may send information about the compromised machine and the encrypted files back to the attacker's command-and-control infrastructure.