Tuesday, March 19, 2024

Dangerous Dharma Ransomware Attack Emerged Again in Wide with New Variant & Extension

Re-emerging Dharma Ransomware distributed with new variant that developed to attack various organisation and individual systems and encrypting the victim files to demand the ransom amount.

It added various futures and tactics to infiltrate the victims computer when compare old version of Dharma Ransomware.

Unlike old version, it using various infections vectors such as Spam and phishing emails, Exploit Kits, SMB vulnerabilities and dropped by other malware.

Old variant of Dharma Ransomware appends the .dharma extension but newly emerged variant change the files using .arrow extension after completing the encryption.

There are two main types infection vectors which mainly used by the Dharma Ransomware.

  • RDP Brute Force Attack
  • Other Suspicious means

Attackers targeting RDP Protocol that running on the port 3389 and  brute force attack to gain the administrative credentials and later the obtain to perform various malicious activities with in the system.

Other suspicious activities comes under the chain of attacks that perform various modification in system registry once it get executed and autorun PowerShell script entries in the registry that leads to drop the and execute multiple malicious components.

Also Read:  New Ransomware Called “BlackRouter” Attack launched through Well-known Legitimate Remote Desktop Tool

Dharma Ransomware Infection Process

Once the Ransomware variant executed into the system, it deploy the component and generate a registry entries.

A main component called inf.exe which mimics as genuine Microsoft Corporations dllhost file that will enable the Remote Desktop Protocol (RDP) on the victim’s machine.

Later it create a new used once it enabled the RDP from hard-coded username list and and randomly generates a password for it.

According to Quick Heal Security Labs, Once the variant collect the information then it establish the connection into command & control server and share the username and password that created for new account including the vulnerable system that founded within the infected system network.

Later it receive the main Payload called rc.exe which is , Dharma ransomware and it start the encryption process with in the infected victims.

It will encrypt various file extensions such as image, videos, audio, video and other sensitive file and appends the extension ‘.arrow’ to the files it encrypts.

Finally a ransom note files will be dropped in .hta format which contains the clear information about the infection and payment details.

Infected victims are requested to contact the specific Email address ([email protected]) to get the decryption key to unlock the files.

Cyber criminals demand the payment via bitcoin and they forced victims to contact them with in 24 hour to reduce the ransom payment.

Dharma Ransomware about to encrypt the Following file extension .

.PNG .PSD .PSP .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV .DWG .DXF.GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG, .BZ2, .1CD”

Website

Latest articles

E-Root Admin Sentenced to 42 Months in Prison for Selling 350,000 Credentials

Tampa, FL – In a significant crackdown on cybercrime, Sandu Boris Diaconu, a 31-year-old...

WhiteSnake Stealer Checks for Mutex & VM Function Before Execution

A new variant of the WhiteSnake Stealer, a formidable malware that has been updated...

Researchers Hack AI Assistants Using ASCII Art

Large language models (LLMs) are vulnerable to attacks, leveraging their inability to recognize prompts...

Microsoft Deprecate 1024-bit RSA Encryption Keys in Windows

Microsoft has announced an important update for Windows users worldwide in a continuous effort...

Beware Of Free wedding Invite WhatsApp Scam That Steal Sensitive Data

The ongoing "free wedding invite" scam is one of several innovative campaigns aimed at...

Hackers Using Weaponized SVG Files in Cyber Attacks

Cybercriminals have repurposed Scalable Vector Graphics (SVG) files to deliver malware, a technique that...

New Acoustic Keyboard Side Channel Attack Let Attackers Steal Sensitive Data

In recent years, personal data security has surged in importance due to digital device...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles