
Sophos deconstructs Dharma, the 'fast food franchise' ransomware

14 Aug 2020

The Dharma ransomware family has been around since 2016 and is now one of the most profitable types of ransomware around because it has become a business tool for cybercriminals.

Cybersecurity firm Sophos describes the Dharma family as a mass-market, service-based ransomware business model – one of several ransomware-as-a-service options. The Dharma ransomware’s source code has also been shared amongst criminal networks and split into many different variants.

According to Sophos’ Color by Numbers: Inside a Dharma Ransomware-as-a-Service Attack report, this ransomware primarily targets small and medium businesses (SMBs) – often with catastrophic results.

Sophos senior threat researcher Sean Gallagher describes Dharma as ‘fast food franchise’ ransomware because it is widely available and allows almost anyone to conduct attacks.

The report notes research from Coveware, which shows that 85% of attacks in 2020 have targeted access tools such as remote desktop protocol. On average, ransom demands sit at around US$8620 (NZ$13,111) – a significant financial loss for SMBs that go against public advice and end up paying the ransom.

“Right now, with many businesses adapting to the pandemic and accommodating a need for rapid support for remote workers, and IT staffs stretched thin, the risks from these attacks are magnified,” says Gallagher.

“The need to equip and enable an unexpectedly remote workforce has left small companies with vulnerable infrastructure and devices and hindered the ability of IT support staff to adequately monitor and manage systems the way they normally would.”

Cybercriminals who purchase Dharma ransomware are known as affiliates. They primarily use a menu-driven PowerShell script that installs and launches the components required to spread ransomware across the target’s network, Sophos states. 

“Once criminals execute the master script, it identifies itself as ‘Toolbox’ and launches the attack with the message, ‘Have fun, bro!’”

Sophos states that Dharma relies heavily on open source and free versions of commercial tools.

Further, data decryption after an attack follows a two-stage process that does not necessarily recover all data.

“Targets that contact affiliates for recovery keys are given a first-stage tool that extracts details of all of their encrypted files. Affiliates then share this extracted data with their operators, who provide a second-stage decryption key for the files. How effective this process is in actually restoring data for the targets depends greatly on the skills and mood of the affiliates, according to the research. For instance, Sophos occasionally observed affiliates holding back some of the keys as leverage to make additional ransom demands.”

Sophos shares the following tips for defending against Dharma ransomware strains:

  • Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN connection.
  • Check that you have a full inventory of all devices connected to your network, and always install the latest security updates, as soon as they are released, on all the devices and servers on your network.
  • Keep regular backups of your most important and current data on an offline storage device.
  • A layered, defence-in-depth security model is essential.