Viruses like Dharma (also called ransomware ) have taken hold and spread like wildfire, especially in 2020. In 2021, the trend has continued, and ultimately, ransomware is establishing itself as the most dangerous and harmful malware. Ransomware attacks in 2020 had their point of maximum danger and expansion in March, April, May and June. This period coincides exactly with the diffusion of the directives issued by the government for the outbreak of the Covid 19 Pandemic. In those months, many companies and businesses introduced the smart working solution as a new operating model.
The introduction of remote working has wreaked havoc within computer systems, exposing their security vulnerabilities. Many malware took advantage of the exposure to attack the networks of many companies with truly alarming results: Dharma ransomware was the type of malware to have caused the most damage ever.
Dharma Ransomware Or Dharma Cryptolocker
What Is That?
Dharma CryptoLocker or Dharma ransomware is the malware that caused about 1/4 of ransomware attacks in Italy in 2020 and early 2021. However, the malware is not as “young” as one might think. Its origins date back to early 2016, when the Trend Micro team first detected the infection. The peculiarity of the virus detected from the first moment is that Dharma manages in complete autonomy to install itself on the victim’s device together with legitimate software.
Like all ransomware, Dharma is malware programmed to install itself on a device (server or PC in general) and encrypt all its contents using asymmetric encryption. When the ransomware comes into contact with any computer resource (file or folder), it renames it, changes its extension and makes it unreadable and, even worse, inaccessible. Once the virus has completed this encryption phase, it moves on to provide you with the ransom note.
Unlike other ransomware, including the legendary Cryptolocker, Dharma Ransomware does not also replace the desktop background of your PC but forwards the ransom request via a text file called: Readme.txt. The ransom demand of Dharma Cryptolocker, according to statistics, is lower than that of its other peers but also because, notoriously, The Dharma virus affects small businesses.
How Dharma Ransomware Spreads
The vast majority of Dharma virus attacks spread through 3 ways:
- Remote Desktop Protocol Attacks
- Sending emails to convince the victim to update their Antivirus Software
- Sending of infected emails via PEC
Below we briefly analyze the three virus spreading techniques:
Via Remote Desktop service
The RDP attack vector is a favorite of Dharma malware as these technologies often have a poor level of protection. In addition, remote desktop connection services are accessible through authentication (via credentials). Since these services were widely exploited during the Covid-19 pandemic, hackers used brute force attacks to force users’ weak credentials and log in. network via RDP. Once on the net, the ransomware installed itself and began its work.
Via Antivirus Update Email
The team of hackers following the development of Dharma resorts to sending spam emails to infect its victims. The subject of the email is almost always related to updating your antivirus. The subject of the email is Msc-Alert – Important! In the attached image, you can have a clear example of an email sent by Dharma ransomware. The message invites the victim user to click on the Download button to update and verify the antivirus functionality.
This is a beautiful and good deception, considering that when the user clicks on the content of the email, the Defender.exe file is automatically downloaded, followed by two other files: it is the payload of the Dharma virus. When all three files are finally on the device, the virus begins encrypting the contents. The ransomware manages to trick the user’s attention by showing him a fake Antivirus Remover screen. This allows Dharma to complete his work while remaining completely silent.
By Certified Email
As with much other ransomware, the Dharma virus can also spread among victims via certified email ( PEC ). The mechanism for installing and distributing the malware is the same as for the normal email message.
How To Identify Dharma Cryptolocker
Dharma virus is unique of its kind; therefore, recognizing it is not a complex job at all: even if we hope that this misfortune never, ever hits you. However, if Dharma has hit your company, you will see a message like this appear on your computer screen: All your files have been encrypted! The malware alert that appears will look like this: The most common message sent by Dharma Cryptolocker is the one attached in the image above. The text is divided into four sections of different colors, and all contain specific information.
The First White Section
The victim is informed that his files have all been encrypted. You are asked to send an email to the email address provided and enter your unique ID in the message’s subject. This is because the threat author will have to identify them. It is specified that the victim will have to pay the ransom in Bitcoin, and the amount due will change depending on how quick you are to respond to the hacker. After the payment, the attacker will return a tool to decrypt the stolen files.
The Second Blue Section: Free Decryption As A Guarantee
The hacker gives the option to decrypt a file for free as proof. This process confirms to the victim that after paying, they will get the decryption tool for real.
The Third Blue Section: How To Get Bitcoin
How to get the amount in Bitcoin to pay Dharma Cryptolocker? The attacker explains it to you in this section.
The Fourth Red Section: Warning!
Otherwise defined the hacker threat section. Through these 3 points, the attacker explains what it is better not to do: penalty, the deletion of your files. “Do not rename encrypted files.”
“Don’t try to decrypt your data using third-party software. It could cause permanent data loss. ”
“Decrypting your files with the help of third parties can cause a price increase (they add their price to ours), or you can become the victim of a scam.”
But that’s not all: the ransomware encrypts all files with the following formats:
.png .psd .psp .tga .thm .tif .tiff .yuv .ai .eps .ps .svg .indd .pct .pdf .xlr .xls .xlsx .accdb .db .dbf .mdb .pdb .sql .apk .app .bat .cgi .com .exe .gadget .jar .pif .wsf .dem .gam .nes .rom .sav .dwg .dxf.gpx .kml .kmz .asp .aspx .cer .cfm .csr .css .htm .html .js .jsp .php .rss .xhtml. doc .docx .log .msg .odt .pages .rtf .tex .txt .wpd .wps .csv .dat .ged .key .keychain .pps .ppt .pptx .ini .prf .hqx .mim .uue .7z. cbr .deb .gz .pkg .rar .rpm .sitx .tar.gz .zip .zipx .bin .cue .dmg .iso .mdf .toast .vcd sdf .tar .tax2014 .tax2015 .vcf .xml .aif .iff .m3u .m4a .mid .mp3 .mpa .wav .wma .3g2 .3gp .asf .avi .flv .m4v .mov .mp4 .mpg .rm .srt .swf .vob .wmv 3d .3dm .3ds .max. objr.bmp .dds .gif .jpg ..crx .plugin .fnt .fon .otf .ttf .cab .cpl .cur .deskthemepack .dll .dmp .drv .icns .ico .lnk .sys .cfg, .bz2, .1cd
How To Remove Dharma Cryptolocker
As with (almost) all other ransomware, it is impossible to remove Dharma Cryptolocker from the infected device and instantly recover all stolen files. This is because the ransomware uses an AES 256 algorithm, and even the AES key is encrypted with an RSA 1024 – in short, it is impossible to decrypt. That is why if Dharma attacks you, the only way to stem its action is to immediately isolate the infected device before the infection can spread on the net.
Subsequently, our advice is to rely on a company specialized in security and ransomware removal to guide you step by step in taking action. Unfortunately, no antivirus or antimalware can help you restore files that have been attacked by ransomware. Therefore, you have to format your device and restore the most recent backup version you have. However, to prevent this type of malware from coming into contact with your corporate devices, we always recommend that you carry out security check-ups of computer systems: Vulnerability Assessments.