Barkly vs Malware
Barkly Research
Apr 2017

Blocking Dharma Ransomware Before it Encrypts Files

Dharma ransomware is a variant of CrySiS ransomware that has been increasingly tied to brute force RDP attacks. The good news is decryption tools are now available to help victims recover files encrypted by Dharma — and Barkly blocks Dharma before that step is even necessary.

Dharma ransomware overview

Dharma made its first appearance in November 2016, shortly after the master decryption keys for CrySiS ransomware were publicly posted to the BleepingComputer.com forum.

In addition to bearing technical similarities to CrySiS, Dharma has also been observed infecting victims in similar ways. Both have been tied to a recent spike in brute force attacks on victims with open remote desktop protocol (RDP) ports.
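Because both families ride in on brute-forced RDP, the earliest detection opportunity is in the Windows Security log rather than on disk. The following is an added example (it is not Barkly's or Trend Micro's code): it flags sources that rack up failed logons against the RDP-facing logon types inside a short window, and calls out any account that later logged in successfully from the same source. Assumptions are labelled in the code: records are dicts extracted from Event ID 4625 (failed logon) and 4624 (successful logon) with their logon type, the sample records are constructed rather than captured, and the window and threshold are illustrative starting points.

```python
# Added example (not Barkly's or Trend Micro's code): flag RDP brute-force
# activity in Windows logon records. Assumptions, labelled: records are dicts
# extracted from the Security log (Event ID 4625 = failed logon, 4624 =
# successful logon) carrying the logon type; SAMPLE_EVENTS is constructed,
# not a real capture; window and threshold are illustrative starting points.
from collections import defaultdict
from datetime import datetime, timedelta

# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication
# enabled, failed RDP credential checks are commonly logged as type 3
# (Network), so both are treated as RDP-facing here.
RDP_LOGON_TYPES = frozenset({3, 10})


def _rec(time, src, user, event_id=4625, logon_type=10):
    return {"time": time, "src": src, "user": user,
            "event_id": event_id, "logon_type": logon_type}


_T0 = datetime(2017, 1, 15, 2, 14, 0)
# Constructed sample: one source cycling through four accounts every ten
# seconds and finally logging in, one user mistyping a password twice ten
# minutes apart, and a console (type 2) failure the RDP filter must ignore.
SAMPLE_EVENTS = [
    _rec((_T0 + timedelta(seconds=10 * i)).isoformat(), "203.0.113.5",
         ["administrator", "admin", "backup", "scan"][i % 4])
    for i in range(12)
] + [
    _rec("2017-01-15T02:10:00", "192.0.2.10", "jsmith"),
    _rec("2017-01-15T02:20:00", "192.0.2.10", "jsmith"),
    _rec("2017-01-15T02:16:00", "198.51.100.7", "jsmith", logon_type=2),
    _rec("2017-01-15T02:16:30", "203.0.113.5", "backup", event_id=4624),
]


def detect_rdp_bruteforce(events, window_seconds=300, threshold=10):
    """Return {src: finding} for sources with at least `threshold` failed
    RDP logons inside any `window_seconds` span, noting accounts that later
    logged in successfully from the same source (the worst-case signal)."""
    window = timedelta(seconds=window_seconds)
    failures, successes = defaultdict(list), defaultdict(list)
    for e in events:
        if e["logon_type"] not in RDP_LOGON_TYPES:
            continue
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625:
            failures[e["src"]].append((t, e["user"]))
        elif e["event_id"] == 4624:
            successes[e["src"]].append((t, e["user"]))

    findings = {}
    for src, attempts in failures.items():
        attempts.sort()
        times = [t for t, _ in attempts]
        peak = start = 0
        for end in range(len(times)):  # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        last_fail = times[-1]
        findings[src] = {
            "peak_failures_in_window": peak,
            "total_failures": len(attempts),
            "distinct_accounts": len({u for _, u in attempts}),
            "success_after_failures": sorted(
                u for t, u in successes.get(src, []) if t >= last_fail),
        }
    return findings


if __name__ == "__main__":
    for src, finding in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, finding)
```

The sliding window is what keeps a user who mistypes a password a few times over an hour out of the results, while a source that walks a short account list every few seconds is flagged; a success from a flagged source after its failures is the record to act on first, since it means the guessing worked.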


Incidents of RDP ransomware attacks doubled in January 2017. / Trend Micro

According to Trend Micro, the most consistent target of those attacks has been healthcare providers in the United States. One Dharma victim, ABCD Children's Pediatrics in San Antonio, was forced to notify 55,447 patients that their personal data had been encrypted and therefore potentially exposed to hackers.


Files encrypted by Dharma ransomware. / Bleeping Computer

Dharma has been seen renaming encrypted files with the following extensions:

  • .dharma
  • .wallet
  • .zzzzz

Other versions have been seen appending a contact email address (typically an @india.com address) to encrypted files; victims are told to write to that address to receive ransom instructions.

  • [filename].[email_address].dharma

According to Bleeping Computer, a partial list of these addresses includes:

.[3angle@india.com].dharma
.[amagnus@india.com].dharma
.[base_optimal@india.com].dharma
.[bitcoin143@india.com].dharma
.[blackeyes@india.com].dharma
.[doctor.crystal@mail.com].dharma
.[dr_crystal@india.com].dharma
.[emmacherry@india.com].dharma
.[google_plex@163.com].dharma
.[mr_lock@mail.com].dharma
.[opened@india.com].dharma
.[oron@india.com].dharma
.[payforhelp@india.com].dharma
.[savedata@india.com].dharma
.[singular@india.com].dharma
.[suppforhelp@india.com].dharma
.[SupportForYou@india.com].dharma
.[tombit@india.com].dharma
.[worm01@india.com].dharma

Dharma ransom screen. / Sensors Tech Forum

Once infected, victims are presented with a ransom note that instructs them to email the criminals for further instructions. To frighten victims into acting quickly, the note suggests the price of the ransom depends on how fast they respond.

The note also offers a "free decryption as guarantee" option, giving victims the chance to have up to three files decrypted for free (as long as they don't contain any valuable information and total less than 10 MB).

Free decryption tool available for .dharma version

Luckily, victims who have been hit with the .dharma variant don't have to negotiate with these criminals or settle on decrypting just three files for free. That's because, on March 1, 2017, the master decryption keys for Dharma were surprisingly released on a Bleeping Computer forum — just like what happened with CrySiS ransomware back in November.

The keys were passed to antivirus vendor Kaspersky, which used them to update its RakhniDecryptor tool so that it can decrypt files encrypted by Dharma.


With the latest version of the decryptor tool, victims can have their computers scanned for encrypted files, which the tool will then decrypt.

Note: Unfortunately, files encrypted with the .wallet version of Dharma are not currently decryptable.

While the decryptor tool does allow victims to regain access to their files by providing them with decrypted copies, it should be pointed out that the original encrypted files are left behind.


Decrypted files alongside the still-encrypted copies. / Bleeping Computer

That means additional clean-up is necessary. With some other ransomware families, such as Virlock, leftover files are also a re-infection risk: Virlock doesn't just encrypt files, it infects them, so opening any of them starts the infection all over again.
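Two practical tasks fall out of the naming patterns listed earlier and the leftover-files point just made: work out which variant you are dealing with (and so whether the decryptor applies), and get the still-encrypted copies out of the way without opening them. The following is an added example covering both; it is not Barkly's or Kaspersky's code. Its assumptions are labelled in the code: file names follow the forms shown in this article (the original name, an optional ".[contact email]", then .dharma, .wallet or .zzzzz; accepting the email part in front of all three suffixes generalises the .dharma form shown above), decryptability per suffix is what the article states for March 2017 (.zzzzz is not addressed, so it is reported as unknown), and the sample tree it scans is constructed in a temporary directory rather than taken from a real infection.

```python
# Added example (not Barkly's or Kaspersky's code): triage files renamed by
# Dharma and quarantine encrypted copies left behind after decryption.
# Assumptions, labelled: names follow the article's forms (original name,
# optional ".[contact email]", then .dharma/.wallet/.zzzzz; accepting the
# email part before all three suffixes generalises the .dharma form shown);
# decryptability per suffix is as the article states for March 2017; the
# sample tree is constructed in a temporary directory, not a real infection.
import os
import re
import shutil
import tempfile
from collections import Counter

DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)(?:\.\[(?P<email>[^\]]+)\])?"
    r"\.(?P<variant>dharma|wallet|zzzzz)$", re.IGNORECASE)

# .dharma: keys released, RakhniDecryptor works; .wallet: not decryptable;
# .zzzzz: not addressed by the article, so left as unknown (None).
DECRYPTABLE = {"dharma": True, "wallet": False, "zzzzz": None}


def parse_dharma_name(filename):
    """Return {'original', 'email', 'variant'} or None for a non-Dharma name."""
    m = DHARMA_NAME.match(filename)
    if not m:
        return None
    return {"original": m.group("original"), "email": m.group("email"),
            "variant": m.group("variant").lower()}


def triage(root):
    """Walk `root`: count encrypted files per suffix, collect contact
    addresses, and separate copies whose decrypted original already sits
    beside them (a decryptor writes the plaintext next to the ciphertext)."""
    counts, emails, leftovers, still_encrypted = Counter(), set(), [], []
    for dirpath, _, files in os.walk(root):
        present = set(files)
        for name in files:
            info = parse_dharma_name(name)
            if not info:
                continue
            counts[info["variant"]] += 1
            if info["email"]:
                emails.add(info["email"].lower())
            path = os.path.join(dirpath, name)
            sibling = os.path.join(dirpath, info["original"])
            if info["original"] in present and os.path.getsize(sibling) > 0:
                leftovers.append(path)
            else:
                still_encrypted.append(path)
    return {"counts": dict(counts), "emails": sorted(emails),
            "decryptable": {v: DECRYPTABLE[v] for v in counts},
            "leftovers": sorted(leftovers),
            "still_encrypted": sorted(still_encrypted)}


def quarantine_leftovers(root, quarantine_dir, leftovers):
    """Move leftover encrypted copies out of the tree, keeping relative
    paths. They are moved rather than deleted, and never opened: the
    article notes Virlock re-infects the host when an encrypted file is
    opened, so treat leftovers as hostile until the family is confirmed."""
    moved = []
    for path in leftovers:
        dest = os.path.join(quarantine_dir, os.path.relpath(path, root))
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.move(path, dest)
        moved.append(os.path.relpath(dest, quarantine_dir).replace(os.sep, "/"))
    return moved


def run_demo():
    """Build a constructed tree, triage it, quarantine, triage again."""
    root = tempfile.mkdtemp(prefix="dharma-demo-")
    quarantine = tempfile.mkdtemp(prefix="dharma-quarantine-")
    samples = {  # constructed file names and contents, not real data
        "finance/budget.xlsx.[amagnus@india.com].dharma": b"ciphertext",
        "finance/budget.xlsx": b"plaintext written by the decryptor",
        "finance/notes.docx.[amagnus@india.com].dharma": b"ciphertext",
        "photos/holiday.jpg.wallet": b"ciphertext",
        "old/report.pdf.zzzzz": b"ciphertext",
        "readme.txt": b"untouched",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    before = triage(root)
    moved = quarantine_leftovers(root, quarantine, before["leftovers"])
    after = triage(root)
    shutil.rmtree(root)
    shutil.rmtree(quarantine)
    return {"before": before, "moved": moved, "after_counts": after["counts"]}


if __name__ == "__main__":
    result = run_demo()
    print(result["before"]["counts"], result["before"]["decryptable"])
    print("quarantined:", result["moved"])
```

Run `triage()` before touching anything: the per-suffix counts tell you whether the decryptor will help at all (a tree full of .wallet files will not be recovered by it), and the collected contact addresses are what you would hand to an investigator. Only after the decryptor has run does `quarantine_leftovers()` make sense, and it deliberately requires a non-empty decrypted sibling before it will move anything.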

Victims can certainly be thankful for decryption tools as last resorts, but, as always, the best way to protect yourself from ransomware is to prevent infections in the first place.

Update: The .wallet version of Dharma is unfortunately still active and dangerous

As noted above, decryption tools currently do not work on files encrypted and renamed with the .wallet extension, unfortunately.

And according to security researcher Michael Gillespie (one of the creators of ID Ransomware), hundreds of new .wallet infections continue to be reported every week.


Last 30 days of .wallet submissions to ID Ransomware

Stopping Dharma ransomware before it encrypts files with Barkly's Runtime Malware Defense

Barkly stops Dharma ransomware infections before files are encrypted or any other damage is done (see it in action in the video above). By monitoring activity across multiple layers of the system in real time, Barkly can see when malware like Dharma is attempting to gain execution by suspicious means and stop it before it does.

Why blocking malware during runtime matters

By detecting and blocking malicious behaviors in real-time, Barkly is able to stop malware regardless of how well it was disguised. It may be a brand new variant that no AVs have signatures for, or it may utilize fileless techniques to bypass file scanning altogether. It doesn't matter. Once it tries to do something malicious, Barkly sees it and stops it.

That gives organizations crucial protection they're currently missing — another opportunity to block attacks that exploit vulnerabilities, even after they've bypassed other defenses.

Barkly Research

Barkly's malware research team is hard at work stopping new malware that sneaks past antivirus.
