sb-au logo
Story image

Sophos deconstructs Dharma, the 'fast food franchise' ransomware

14 Aug 2020

The Dharma ransomware family has been around since 2016 and is now one of the most profitable types of ransomware around because it has become a business tool for cybercriminals.

Cybersecurity firm Sophos describes the Dharma family as a mass-market, service-based ransomware business model – becoming one of several ransomware-as-a-service options. The

Dharma ransomware’s source code has also been shared amongst the criminal networks and split into many different variants.

According to Sophos’ Color by Numbers: Inside a Dharma Ransomware-as-a-Service Attack report, this ransomware primarily targets small and medium businesses (SMBs) – often with catastrophic results.

Sophos senior threat research Sean Gallagher describes Dharma as ‘fast food franchise’ ransomware because it’s widely available and allows almost anyone to conduct attacks.

The report notes research from Coveware, which shows that 85% of attacks in 2020 have targeted access tools such as remote desktop protocol.  On average, ransom demands can sit at around US$8620 (NZ$13,111) – a significant amount of financial losses for SMBs that go against public advice and end up paying the ransom.

“Right now, with many businesses adapting to the pandemic and accommodating a need for rapid support for remote workers, and IT staffs stretched thin, the risks from these attacks is magnified,” says Gallagher. 

“The need to equip and enable an unexpectedly remote workforce has left small companies with vulnerable infrastructure and devices and hindered the ability of IT support staff to adequately monitor and manage systems the way they normally would.”

Cybercriminals who purchase Dharma ransomware are known as affiliates. They primarily use a menu-driven PowerShell script that installs and launches the components required to spread ransomware across the target’s network, Sophos states. 

“Once criminals execute the master script, it identifies itself as ‘Toolbox’ and launches the attack with the message, ‘Have fun, bro!’

Sophos states that Dharma relies heavily on open source and free versions of commercial tools.

Further, data decryption after attack follows a two-stage process that doesn’t necessarily recover all data. 

“Targets that contact affiliates for recovery keys are given a first-stage tool that extracts details of all of their encrypted files. Affiliates then share this extracted data is with their operators, who provide a second-stage decryption key for the files. How effective this process is in actually restoring data for the targets depends greatly on the skills and mood of the affiliates, according to the research. For instance, Sophos occasionally observed affiliates holding back some of the keys as leverage to make additional ransom demands.”

Sophos shares the following tips for defending against Dharma ransomware strains:

  • Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN connection 
  • Check that you have a full inventory of all devices connected to your network and always install the latest security updates, as soon as they are released, on all the devices and servers on your network 
  • Keep regular backups of your most important and current data on an offline storage device 
  • A layered, defence-in-depth security model is essential.