Originally an offshoot of CrySiS, the Dharma ransomware family has brought forth a new variant, as part of its ongoing creation of new strains. In this blog post, we analyze the latest variant found in the wild by malware researcher Jakub Kroustek.
Cymulate customers can check whether they are vulnerable to this threat by running an Immediate Threat Intelligence simulation of this variant, uploaded to the dashboard on 28th July 2019. (Log in to the dashboard here.)
Dharma has been operating since 2016, and the threat actors behind the ransomware continue to release new variants, the latest of which is currently not decryptable. You can check NoMoreRansomware.org to learn whether a decryption key for this latest variant has been uncovered.
This Dharma variant encrypts files and appends the extension .nqix, which differs from every Dharma extension seen to date, a tell-tale sign that it is a new variant in the wild. The file's signature also made it clear that this is a new Dharma strain.
The latest variant works like any other standard ransomware. As soon as the user executes the ransomware executable, the variant starts encrypting all the system’s files. All encrypted files are given the specific variant’s file extension, .nqix.
As with other run-of-the-mill ransomware, this Dharma strain removes the option to restore local system backups, called “shadow copies.” Most, if not all, ransomware variants do this, to make it impossible for victims to restore their systems without paying ransom to the threat actors behind the attack. Therefore, it is important for organizations to ensure they have offline backups, to enable resilience and business continuity in the event that they are affected by such ransomware attacks.
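As an added defensive example (not code from the original post or from Cymulate), the snippet below runs two simple detections over constructed endpoint telemetry: it flags command lines that destroy shadow copies or recovery options, and it flags a process that renames several files to the .nqix extension this variant uses. The post does not name the exact commands Dharma runs, so the command patterns and the `key=value;` log format are assumptions.

```python
import re
from collections import Counter

# Commands commonly used to destroy Volume Shadow Copies or recovery options.
# Assumption: the post does not list the exact commands this variant executes.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
]

# Encrypted-file extension reported in the post for this Dharma variant.
RANSOM_EXTENSION = ".nqix"

def parse_event(line):
    """Parse one constructed 'key=value;key=value' telemetry line into a dict."""
    return dict(kv.split("=", 1) for kv in line.strip().split(";") if "=" in kv)

def detect_shadow_copy_deletion(events):
    """Return the process events whose command line matches a destruction pattern."""
    return [ev for ev in events
            if any(p.search(ev.get("cmd", "")) for p in SHADOW_DELETE_PATTERNS)]

def detect_mass_rename(events, threshold=3):
    """Return {process: count} for processes renaming >= threshold files to .nqix."""
    counts = Counter(ev["proc"] for ev in events
                     if ev.get("type") == "rename"
                     and ev.get("target", "").lower().endswith(RANSOM_EXTENSION))
    return {proc: n for proc, n in counts.items() if n >= threshold}

# Constructed sample telemetry; these are not real Dharma logs.
SAMPLE_LOG = """\
type=process;proc=winword.exe;cmd=C:\\Program Files\\Microsoft Office\\WINWORD.EXE /n
type=process;proc=payload.exe;cmd=vssadmin.exe delete shadows /all /quiet
type=process;proc=payload.exe;cmd=cmd.exe /c wmic shadowcopy delete
type=rename;proc=payload.exe;target=C:\\Users\\alice\\Documents\\report.docx.nqix
type=rename;proc=payload.exe;target=C:\\Users\\alice\\Documents\\budget.xlsx.nqix
type=rename;proc=payload.exe;target=C:\\Users\\alice\\Pictures\\holiday.jpg.nqix
type=rename;proc=explorer.exe;target=C:\\Users\\alice\\Desktop\\notes.txt
"""

if __name__ == "__main__":
    events = [parse_event(l) for l in SAMPLE_LOG.splitlines()]
    for ev in detect_shadow_copy_deletion(events):
        print("shadow copy deletion:", ev["proc"], "->", ev["cmd"])
    for proc, n in detect_mass_rename(events).items():
        print(f"mass rename to {RANSOM_EXTENSION}: {proc} ({n} files)")
```

Both signals from the same process within a short window are a strong indicator that encryption has already started, so the alert should drive isolation of the host rather than just a ticket.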
Like most ransomware strains, this one does not have lateral movement capabilities (unlike WannaCry), so it cannot move from one machine to another, and cannot infect additional workstations on the network.
Finally, judging from how this variant was written, it does not seem that the threat actor has a great degree of skill or sophistication. The variant is still effective, but it is rather simple, and does not seem to be written by a ‘professional.’
Dharma is usually disseminated via phishing. Although this specific variant does not use the technique, Dharma has notoriously lured users into installing the ransomware by offering to uninstall the ESET anti-virus from their system. The group's use of a genuine, albeit old, ESET remover (the opposite of an installer) lent credibility to the attack. Distracted by their wish to remove the AV, users would not only remove ESET from their system, but also simultaneously execute the Dharma ransomware, leading to immediate encryption.
Dharma’s ransom note is shown above.
The Any.run sandbox analysis session can be found here: https://app.any.run/tasks/c4a560dd-b21d-44f8-a8bf-8b007a80f1e3
The following is the Any.run analysis action tree (attack story):
The Any.run analysis mapped the following MITRE ATT&CK™ techniques used in this ransomware:
Deep-dive Dharma Malware Analysis
The above screenshot shows Dharma’s decryption process on a potential victim’s system.
The above screenshot shows Dharma’s listing of logical drives and their encryption.
The above screenshot shows Dharma’s encryption flow, including the file extensions targeted for encryption.
The above screenshot shows where Dharma stops services and closes processes.
Mitigation and Countermeasures
Indicators of Compromise
Monitor the following indicators of compromise (IOCs) on your SIEM system and make sure they are blocked in all relevant security controls (AV, EDR, Email Gateway, etc.):
To know whether your organization is vulnerable to Dharma and to the very latest Immediate Threats circulating in the wild, including ransomware, worms, Trojans, cryptominers, and more, get started with Cymulate’s Breach and Attack Simulation. Download the brochure, or sign up for a free trial here: https://cymulate.com/free-trial/
Our highly experienced and diverse researchers are fluent in security intelligence practices, combining private-sector security, military, and intelligence experience. Continuously examining the cyber-threat landscape, our experts deliver in-depth visibility into today’s threats and the actors behind them.