A re-emerging variant of the Dharma ransomware has been observed attacking organisations and individual systems, encrypting the victim's files and demanding a ransom payment.
Compared with the old version of Dharma, the new variant adds several features and tactics for infiltrating the victim's computer.
Unlike the old version, it uses multiple infection vectors: spam and phishing emails, exploit kits, SMB vulnerabilities, and being dropped by other malware.
The old Dharma variant appended the .dharma extension to encrypted files; the newly emerged variant appends the .arrow extension once encryption completes.
Two infection vectors are used most often by this Dharma variant:
- RDP brute-force attacks
- Other suspicious means (a multi-stage dropper chain)
Attackers target the RDP service listening on TCP port 3389 and brute-force it to obtain administrative credentials, which they then use to carry out further malicious activity on the system.
The second vector is a chain of attacks: once executed, the malware modifies the system registry and adds autorun entries that launch a PowerShell script, which in turn drops and executes multiple malicious components.
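As an added example (not code from the article or from Quick Heal), the following Python script shows how a defender would spot the first vector in a Windows Security log export: it aggregates failed logons (Event ID 4625) per source IP, flags a burst of failures against the RDP logon type, and reports whether a successful RDP logon (Event ID 4624, LogonType 10) from the same source followed, which is the moment the attacker has obtained working credentials. The sample events are constructed, and the CSV field names, threshold and window are assumptions to adjust to your own export format and environment.

```python
"""Detect RDP password guessing in Windows Security log exports.

Added example, not code from the article or Quick Heal. The log lines
below are constructed; the CSV field names mirror common Security log
exports (TimeCreated, EventID, IpAddress, TargetUserName, LogonType),
and the threshold/window values are assumptions to tune per environment.
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

FAIL_THRESHOLD = 5              # failed logons inside WINDOW before we flag a source
WINDOW = timedelta(minutes=5)
RDP_LOGON_TYPE = "10"           # LogonType 10 = RemoteInteractive (RDP)

# Constructed sample data: one source guessing several account names over
# RDP and finally succeeding, one source with two isolated failures, and
# an unrelated console logon.
SAMPLE_LOG = """\
TimeCreated,EventID,IpAddress,TargetUserName,LogonType
2018-03-21T10:00:01,4625,203.0.113.7,administrator,10
2018-03-21T10:00:03,4625,203.0.113.7,admin,10
2018-03-21T10:00:05,4625,203.0.113.7,backup,10
2018-03-21T10:00:08,4625,203.0.113.7,administrator,10
2018-03-21T10:00:10,4625,203.0.113.7,sysadmin,10
2018-03-21T10:00:12,4625,203.0.113.7,administrator,10
2018-03-21T10:00:15,4624,203.0.113.7,administrator,10
2018-03-21T10:15:00,4625,198.51.100.9,jdoe,10
2018-03-21T11:30:00,4625,198.51.100.9,jdoe,10
2018-03-21T12:00:00,4624,192.0.2.44,jdoe,2
"""


def parse_events(text):
    """Parse a CSV export into time-sorted event dicts."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append({
            "time": datetime.fromisoformat(row["TimeCreated"]),
            "event_id": row["EventID"],
            "ip": row["IpAddress"],
            "user": row["TargetUserName"].lower(),
            "logon_type": row["LogonType"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one finding per source IP that produced a burst of RDP failures.

    A burst is `threshold` or more 4625 events from the same IP inside
    `window`. If a 4624 RDP logon from that IP follows the start of the
    burst, the finding records which account the attacker got into.
    """
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                      # only RDP (type 10) logons matter here
        if e["event_id"] == "4625":
            failures[e["ip"]].append(e)
        elif e["event_id"] == "4624":
            successes[e["ip"]].append(e)

    findings = []
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # slide the window forward until fails[start:end+1] fits inside it
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # threshold reached: take every further failure still inside the window
            while (end + 1 < len(fails)
                   and fails[end + 1]["time"] - fails[start]["time"] <= window):
                end += 1
            burst = fails[start:end + 1]
            first = burst[0]["time"]
            success = next((s for s in successes[ip] if s["time"] >= first), None)
            findings.append({
                "ip": ip,
                "first_failure": first.isoformat(),
                "failed_logons": len(burst),
                "usernames": sorted({b["user"] for b in burst}),
                "successful_logon_as": success["user"] if success else None,
            })
            break                         # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for finding in find_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the sample data the script reports a single source, 203.0.113.7, with six failures across four account names followed by a successful logon as administrator; the two spaced-out failures from 198.51.100.9 stay below the threshold. Restricting the check to LogonType 10 keeps console and network (SMB) logons out of the count, so a flagged source really is someone hammering port 3389, and the follow-up 4624 is the signal to treat the host as compromised rather than merely probed.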
Dharma Ransomware Infection Process
Once the ransomware variant is executed on the system, it deploys its components and creates registry entries.
The main component, inf.exe, masquerades as a genuine Microsoft dllhost file and enables Remote Desktop Protocol (RDP) on the victim's machine.
Once RDP is enabled, it creates a new user account, picking the username from a hard-coded list and generating a random password for it.
According to Quick Heal Security Labs, the variant then connects to its command-and-control server and reports the username and password of the newly created account, along with any vulnerable systems it found on the infected network.
It then receives the main payload, rc.exe, which is the Dharma ransomware itself, and the encryption process starts on the infected host.
It encrypts images, videos, audio, documents and other sensitive files and appends the extension '.arrow' to each file it encrypts.
Finally, a ransom note in .hta format is dropped; it describes the infection and gives payment instructions.
Victims are instructed to contact a specific email address (badfail@qq.com) to obtain the decryption key for their files.
The criminals demand payment in bitcoin and pressure victims to make contact within 24 hours in exchange for a reduced ransom.
Dharma ransomware targets the following file extensions:
.PNG .PSD .PSP .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV .DWG .DXF .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV .3DM .3DS .MAX .OBJ .BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG .BZ2 .1CD
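The infection process and the extension list above translate directly into a post-incident triage check. The following Python script is an added example (not code from the article or from Quick Heal) that walks a file tree and separates three things: files already renamed with the appended '.arrow' extension (recovering the original file type from the name that is left behind), .hta ransom notes that carry the contact address named above, and still-intact files whose extension is on the targeted list and therefore at risk if the host is not isolated. The sample tree is constructed, the TARGETED set is only a subset of the list above, and matching the note on the contact address is an assumption about what the .hta contains.

```python
"""Triage a file tree for the artefacts of the Dharma '.arrow' variant.

Added example, not code from the article or Quick Heal. It separates files
already renamed with the appended '.arrow' extension, .hta ransom notes that
carry the contact address named in the article, and still-intact files whose
extension is on the targeted list. The sample tree is constructed, and
TARGETED is only a subset of the article's extension list.
"""
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_SUFFIX = ".arrow"
CONTACT_EMAIL = "badfail@qq.com"
# Subset of the targeted extensions listed in the article, lower-cased.
TARGETED = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".png",
            ".sql", ".mdb", ".zip", ".txt", ".psd"}


def is_ransom_note(path):
    """An .hta file mentioning the contact address is treated as the note (assumption)."""
    try:
        return CONTACT_EMAIL in path.read_text(errors="ignore").lower()
    except OSError:
        return False


def classify(path):
    name = path.name.lower()
    if name.endswith(ENCRYPTED_SUFFIX):
        return "encrypted"          # already renamed: original.ext.arrow
    if name.endswith(".hta") and is_ransom_note(path):
        return "ransom_note"
    if path.suffix.lower() in TARGETED:
        return "at_risk"            # targeted extension, not (yet) encrypted
    return "other"


def original_extension(encrypted_name):
    """'report.docx.arrow' -> '.docx': the extension before '.arrow' was appended."""
    return Path(encrypted_name[:-len(ENCRYPTED_SUFFIX)]).suffix.lower()


def triage(root):
    """Walk `root` and bucket every file; paths are returned relative to root."""
    root = Path(root)
    results = {"encrypted": [], "ransom_note": [], "at_risk": [], "other": []}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            results[classify(p)].append(p.relative_to(root).as_posix())
    # which file types were hit, recovered from the names left behind
    results["hit_by_type"] = dict(Counter(
        original_extension(n) for n in results["encrypted"]))
    return results


def build_sample_tree(root):
    """Constructed sample data, not a real infection."""
    root = Path(root)
    (root / "docs").mkdir()
    (root / "docs" / "report.docx.arrow").write_bytes(b"\x00" * 64)
    (root / "docs" / "budget.xlsx.arrow").write_bytes(b"\x00" * 64)
    (root / "docs" / "notes.txt").write_text("still readable")
    (root / "docs" / "Info.hta").write_text(
        "<html>Your files are encrypted. Contact badfail@qq.com</html>")
    (root / "readme.md").write_text("not on the targeted list")


def run_demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return triage(tmp)


if __name__ == "__main__":
    for category, entries in run_demo().items():
        print(category, entries)
```

Run against a mounted image or a share, the "encrypted" bucket and the per-type counts give the scope of the damage, the "ransom_note" bucket confirms which hosts the payload actually reached, and a non-empty "at_risk" bucket on a host that also holds .arrow files means encryption was interrupted or is still running, which is the case to isolate first.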