
Sophos deconstructs Dharma, the 'fast food franchise' ransomware

14 Aug 2020

The Dharma ransomware family has been around since 2016 and is now one of the most profitable types of ransomware around because it has become a business tool for cybercriminals.

Cybersecurity firm Sophos describes the Dharma family as a mass-market, service-based ransomware business model – one of several ransomware-as-a-service options. The Dharma ransomware’s source code has also been shared amongst criminal networks and split into many different variants.

According to Sophos’ Color by Numbers: Inside a Dharma Ransomware-as-a-Service Attack report, this ransomware primarily targets small and medium businesses (SMBs) – often with catastrophic results.

Sophos senior threat researcher Sean Gallagher describes Dharma as ‘fast food franchise’ ransomware because it is widely available and allows almost anyone to conduct attacks.

The report notes research from Coveware, which shows that 85% of attacks in 2020 have targeted access tools such as remote desktop protocol. On average, ransom demands sit at around US$8620 (NZ$13,111) – a significant financial loss for SMBs that, against public advice, end up paying the ransom.

“Right now, with many businesses adapting to the pandemic and accommodating a need for rapid support for remote workers, and IT staffs stretched thin, the risks from these attacks are magnified,” says Gallagher.

“The need to equip and enable an unexpectedly remote workforce has left small companies with vulnerable infrastructure and devices and hindered the ability of IT support staff to adequately monitor and manage systems the way they normally would.”

Cybercriminals who purchase Dharma ransomware are known as affiliates. They primarily use a menu-driven PowerShell script that installs and launches the components required to spread ransomware across the target’s network, Sophos states.

“Once criminals execute the master script, it identifies itself as ‘Toolbox’ and launches the attack with the message, ‘Have fun, bro!’”

Sophos states that Dharma relies heavily on open source and free versions of commercial tools.

Further, data decryption after an attack follows a two-stage process that doesn’t necessarily recover all data.

“Targets that contact affiliates for recovery keys are given a first-stage tool that extracts details of all of their encrypted files. Affiliates then share this extracted data with their operators, who provide a second-stage decryption key for the files. How effective this process is in actually restoring data for the targets depends greatly on the skills and mood of the affiliates, according to the research. For instance, Sophos occasionally observed affiliates holding back some of the keys as leverage to make additional ransom demands.”

Sophos shares the following tips for defending against Dharma ransomware strains:

  • Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN connection.
  • Check that you have a full inventory of all devices connected to your network, and always install the latest security updates, as soon as they are released, on all the devices and servers on your network.
  • Keep regular backups of your most important and current data on an offline storage device.
  • A layered, defence-in-depth security model is essential.
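The first tip is the one most hosts get wrong quietly. The following audit script is an added example, not code from Sophos or the report; it assumes an elevated PowerShell session on a Windows host that has the NetSecurity module (Windows 8 / Server 2012 or later) and reports whether RDP is enabled, whether Network Level Authentication is required, and whether an inbound allow rule exposes port 3389 on the Public firewall profile.

```powershell
# Added example: audit one Windows host's RDP exposure (assumes an elevated session).
$report = [ordered]@{}

# 1. Is RDP enabled at all? fDenyTSConnections = 1 means Remote Desktop is off.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections -ErrorAction SilentlyContinue
$report['RdpEnabled'] = ($ts.fDenyTSConnections -eq 0)

# 2. Is Network Level Authentication required? NLA forces authentication before a session
#    is created, which shrinks the unauthenticated attack surface of an exposed listener.
$nla = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                        -Name UserAuthentication -ErrorAction SilentlyContinue
$report['NlaRequired'] = ($nla.UserAuthentication -eq 1)

# 3. Which enabled inbound firewall rules allow Remote Desktop, and on which profiles?
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True `
                             -Direction Inbound -Action Allow -ErrorAction SilentlyContinue
$report['InboundRdpRules'] = @($rules | ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" })

# 4. Is anything actually listening on 3389, and on which local addresses?
$listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
$report['ListeningOn3389'] = @($listen | Select-Object -ExpandProperty LocalAddress -Unique)

# Flag the combination the tip warns about: RDP on, a live listener, and an allow rule that
# applies to the Public (or Any) profile, i.e. reachable from untrusted networks if routed.
$publicAllowed = @($rules | Where-Object { "$($_.Profile)" -match 'Public|Any' })
$report['ExposedOnPublicProfile'] = [bool]($report['RdpEnabled'] -and $listen.Count -gt 0 -and $publicAllowed.Count -gt 0)

[pscustomobject]$report | Format-List
```

A host that shows ExposedOnPublicProfile as True should have the Public-profile rule disabled and RDP reached only through the VPN the tip describes; run the script across the device inventory from the second tip rather than on one machine.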