Friday, November 1, 2024
HomeCryptocurrency hackDangerous Dharma Ransomware Attack Emerged Again in Wide with New Variant &...

Dangerous Dharma Ransomware Attack Emerged Again in Wide with New Variant & Extension

Published on

Malware protection

Re-emerging Dharma Ransomware distributed with new variant that developed to attack various organisation and individual systems and encrypting the victim files to demand the ransom amount.

It added various futures and tactics to infiltrate the victims computer when compare old version of Dharma Ransomware.

Unlike old version, it using various infections vectors such as Spam and phishing emails, Exploit Kits, SMB vulnerabilities and dropped by other malware.

- Advertisement - SIEM as a Service

Old variant of Dharma Ransomware appends the .dharma extension but newly emerged variant change the files using .arrow extension after completing the encryption.

There are two main types infection vectors which mainly used by the Dharma Ransomware.

  • RDP Brute Force Attack
  • Other Suspicious means

Attackers targeting RDP Protocol that running on the port 3389 and  brute force attack to gain the administrative credentials and later the obtain to perform various malicious activities with in the system.

Other suspicious activities comes under the chain of attacks that perform various modification in system registry once it get executed and autorun PowerShell script entries in the registry that leads to drop the and execute multiple malicious components.

Also Read:  New Ransomware Called “BlackRouter” Attack launched through Well-known Legitimate Remote Desktop Tool

Dharma Ransomware Infection Process

Once the Ransomware variant executed into the system, it deploy the component and generate a registry entries.

A main component called inf.exe which mimics as genuine Microsoft Corporations dllhost file that will enable the Remote Desktop Protocol (RDP) on the victim’s machine.

Later it create a new used once it enabled the RDP from hard-coded username list and and randomly generates a password for it.

According to Quick Heal Security Labs, Once the variant collect the information then it establish the connection into command & control server and share the username and password that created for new account including the vulnerable system that founded within the infected system network.

Later it receive the main Payload called rc.exe which is , Dharma ransomware and it start the encryption process with in the infected victims.

It will encrypt various file extensions such as image, videos, audio, video and other sensitive file and appends the extension ‘.arrow’ to the files it encrypts.

Finally a ransom note files will be dropped in .hta format which contains the clear information about the infection and payment details.

Infected victims are requested to contact the specific Email address (badfail@qq.com) to get the decryption key to unlock the files.

Cyber criminals demand the payment via bitcoin and they forced victims to contact them with in 24 hour to reduce the ransom payment.

Dharma Ransomware about to encrypt the Following file extension .

.PNG .PSD .PSP .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV .DWG .DXF.GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG, .BZ2, .1CD”

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS...

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch...

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan...

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hackers Use Fog Ransomware To Attack SonicWall VPNs And Breach Corporate Networks

Recent cyberattacks involving Akira and Fog threat actors have targeted various industries, exploiting a...

Four Evil Ransomware Operators Sentenced For Hacking Enterprises

The St. Petersburg Garrison Military Court has sentenced four individuals involved in a notorious...

Dark Angels Ransomware Attacking Windows And Linux/ESXi Systems

The sophisticated ransomware group Dark Angels, active since 2022, targets large companies for substantial...