Dharma RaaS Ransomware - Major Threat to Small Business

7541041283?profile=RESIZE_400xSmall and Medium (SMB) sized businesses are facing a growing number of ransomware threats as the programs needed to launch such attacks become more widespread and easier to use.  Also known as the “fast food franchise of cybercrime,” Ransomware-as-a-Service (RaaS) enables even low-level and inexperienced hackers to purchase a ready-made solution for attacking small and medium-sized businesses.[1]

The malicious group named Dharma as one of the most popular offerings around, explaining it provides a “paint by numbers” solution that cybercriminals already use to extort millions of dollars from businesses.  In most cases, it is the use of remote desktop software that serves as a point of ingress for hackers who then steal, encrypt, and hold for ransom files that are critical to a company’s operation or contain proprietary information that businesses are willing to pay for to keep private.

The CoronaVirus pandemic left thousands of businesses scrambling to hastily implement remote working protocols, resulting in the widespread adoption of remote access software, but are not certainly the right practices for ensuring its secure use.  As a result, the use of ransomware has skyrocketed in recent months, leaving many SMBs paying increasingly larger amounts of cash to recover sensitive or mission-critical information.

A new study from Sophos describes how the Dharma RaaS model offers low-skilled hackers the ability to profit from attacks on unprotected small businesses.  These same small businesses and municipalities lack both the staff and systems/services to block such attacks.  While other ransomware variants, such as Maze and Sodinokibi, have grabbed media attention with large-scale attacks and multimillion-dollar payouts, the operators of Dharma and their affiliates have focused on getting many smaller ransom payments from more victims that lack sufficient security measures.

In December 2019, when the average ransomware demand had surged to $191,000, the average Dharma ransom demand was only $8,620.  That was due to the kinds of victims targeted by Dharma which were small and midsized businesses.   The operators behind Dharma work on developing the malware, maintaining the infrastructure, and facilitating payments.  They give affiliates with little skills a toolset to compromise the victims and run the attack.

Dharma's RaaS offerings expand the skill range of people who can execute devastating ransomware attacks.  Dharma, formerly called CrySis[2] (a play on a popular video game), has a large menu of variants and a criminal ecosystem for the RaaS offering.  " 'Affiliates' (often entry-level cybercriminals) pay for the use of the RaaS and carry out the targeted attacks themselves, using a standard toolkit," says Sophos.  "Other actors provide stolen credentials and other tools on criminal forums that enable the Remote Desktop Protocol (RDP) attacks that are the predominant means of initial compromise for Dharma actors."  The Sophos report notes that about 85 percent of all Dharma attacks spotted this year started with the hackers taking advantage of vulnerabilities in RDP, a proprietary Microsoft communications protocol that enables system administrators and employees to connect to corporate networks from remote computers.

Dharma's owners do not allow affiliates to have full control over the decryptor keys, according to the Sophos report.  "Victims who contact the attackers are given a first-stage tool that extracts information about the files that were encrypted into a text file.  That text file gets pasted into an email and is sent back to the affiliates - who then have to submit that data through a portal for the RaaS to obtain the actual keys."

Once their payment to the main criminal gang has been received, a typical Dharma affiliate will get access to a toolkit containing the malware and instructions for performing an attack.  The affiliate receives a menu-driven PowerShell script that installs and launches the components required to spread ransomware across the network.  When the RDP connection is made with the victim, the toolkit, which resides as a directory on the threat actor's computer, is mapped to the target network as an accessible network drive.

The directory contains several applications, such as the Mimikatz password extraction tool, customized hacking tools, and freeware versions of a variety of legitimate system utilities along with the Dharma ransomware executable files.

Many Dharma attacks can be stopped by ensuring RDP servers are patched and secured behind a VPN with multifactor authentication.  Businesses can thus greatly reduce the probability of having to pay out thousands of dollars to cybercriminals by enforcing strong password management and multi-factor authentication, setting up a business VPN, and providing simple but effective security training to employees at all levels.

The RaaS model provides an off-the-shelf alternative for hackers and cybercriminals looking to wreak havoc and greatly reduces the skill and knowledge required to attack businesses.

Red Sky Alliance has been has analyzing and documenting cyber threats for 9 years and maintains a resource library of malware and cyber actor reports.  The installation, updating and monitoring of firewalls, cybersecurity, and proper employee training are keys to blocking attacks.  Red Sky Alliance also offers ransomware insurance protection through Cysurance to help SMB’s quickly get back on their feet.  Please feel free to contact our analyst team for research assistance, Cyber Threat Analysis, or Cyber Insurance protection for your SMB organization.

What can you do to better protect your organization today?

  • All data in transmission and at rest should be encrypted.
  • Proper data back-up and off-site storage policies should be adopted and followed.
  • Implement 2-Factor authentication company-wide.
  • Join and become active in your local Infragard chapter, there is no charge for membership. infragard.org
  • Update disaster recovery plans and emergency procedures with cyber threat recovery procedures. And test them.
  • Institute cyber threat and phishing training for all employees, with testing and updating.
  • Recommend/require cybersecurity software, services, and devices to be used by all at home working employees and consultants.
  • Review and update your cyber threat and information security policies and procedures. Make them a part of all emergency planning and training.
  • Ensure that all software updates and patches are installed immediately.
  • Enroll your company/organization in RedXray for daily cyber threat notifications are directed at your domains. RedXray service is $500 a month and provides threat intelligence on nine (9) cyber threat categories including Keyloggers, with having to connect to your network.  Ransomware protection is included at no charge for RedXray customers.
  • Purchase annual cyber insurance coverage from Red Sky Alliance provided by Cysurance.

Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending attacks. 

Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is in New Boston, NH USA. We are a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

[1] https://news.sophos.com/en-us/2020/08/12/color-by-numbers-inside-a-dharma-ransomware-as-a-service-attack/

[2] https://www.videogameschronicle.com/news/delayed-crysis-remastered-is-reportedly-hitting-ps4-this-week/

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!