“Have fun, bro!”—this ominous message from the Dharma Ransomware-as-a-Service toolset means anyone can now be a cybercriminal!

The Dharma ransomware family has been known since 2016, and it is one of the most profitable around due to its mass-market, service-based business model. Various iterations of its source code have been dumped online or offered for sale, and many variants of the code now exist.  

Running cmd windows image

This Ransomware-as-a-Service (RaaS) franchise mainly targets Small-to-Medium-sized Enterprises (SMEs), with 85% of attacks seen in 2020 focusing on exposed access tools like the Remote Desktop Protocol (RDP). Its perpetrators’ ransom demands have generally been quite low, at US$8,620 on average. 

These and many other workings of the ransomware toolset have been revealed by cybersecurity firm Sophos as the first in-depth look of such RaaS packages provided to cybercriminal buyers. Said Sean Gallagher, a senior threat researcher at Sophos: “Dharma is fast-food franchise ransomware: widely and easily available to just about anyone. Its offerings expand the range of people who can execute devastating ransomware attacks. That’s worrying enough in itself in normal times. But right now, with many businesses adapting to the pandemic and accommodating a need for rapid support for remote workers in business, and IT staffs stretched thin, the risks from these attacks is magnified.”

The need to equip and enable an unexpectedly-remote workforce has left small companies with vulnerable infrastructure and devices, and has hindered the ability of IT support staff to adequately monitor and manage systems the way they normally would, said Gallagher.

Affiliates have all the ‘fun’

Once Dharma customers, known as affiliates, have purchased the tools and compromised their target, they rely almost entirely on a menu-driven PowerShell script that installs and launches the components required to spread ransomware across the target’s network.

When the master script is executed, it identifies itself as “Toolbox” and launches the attack with the message, “Have fun, bro!” The attack process relies heavily on the abuse of open source tools, as well as freeware versions of commercial tools.

Decryption is a surprisingly-complex two-stage process. Targets that contact affiliates for recovery keys are given a first-stage tool that extracts details of all of their encrypted files. Affiliates then share this extracted data with their operators, who provide a second-stage decryption key for the files. How effective this process is in actually restoring data for the targets depends greatly on the skills and mood of the affiliates, according to the research. For instance, Sophos occasionally observed affiliates holding back some of the keys as leverage to make additional ransom demands. 

“With so many multi-million-dollar ransom demands, high profile targets and advanced adversaries like WastedLocker now making the headlines, it can be easy to forget that threats like Dharma are alive and well, and enabling a whole other rung of cybercriminals to hit multiple smaller targets to rake in a fortune,” said Gallagher.

Advice for defenders

As remote-access is the conduit by which Dharma tunnels into its target network, the following practises should be observed:

  • Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN connection. 
  • Check that you have a full inventory of all devices connected to your network and always install the latest security updates, as soon as they are released, on all the devices and servers on your network.
  • Keep regular backups of your most important and current data on an offline storage device.
  • Be aware of the five early indicators an attacker is present to stop ransomware attacks: network scanning on the network; activity of antivirus disabling software; presence of the open source MimiKatz tool and use of Microsoft Process Explorer; recurrent suspicious activity with repeating patterns; and most visibly—the launching of small test attacks on a few machines.

There is no single silver bullet for security: a layered, defence-in-depth security model is essential, according to the Sophos team.