SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dharma (Back to overview)

Dharma

aka: Arena, Crysis, Wadhrama, ncov
URLhaus      

According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.

Once they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.

References
2020-06-16The DFIR ReportThe DFIR Report
@online{report:20200616:little:bc50ff0, author = {The DFIR Report}, title = {{The Little Ransomware That Couldn’t (Dharma)}}, date = {2020-06-16}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/}, language = {English}, urldate = {2020-06-16} } The Little Ransomware That Couldn’t (Dharma)
Dharma
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-03-04} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Judgment Panda Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2019-05-08Trend MicroRaphael Centeno
@online{centeno:20190508:dharma:cc5ac04, author = {Raphael Centeno}, title = {{Dharma Ransomware Uses AV Tool to Distract from Malicious Activities}}, date = {2019-05-08}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/}, language = {English}, urldate = {2020-01-06} } Dharma Ransomware Uses AV Tool to Distract from Malicious Activities
Dharma
2018-07-10Carbon BlackJared Myers
@online{myers:20180710:carbon:cc54d00, author = {Jared Myers}, title = {{Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools}}, date = {2018-07-10}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/}, language = {English}, urldate = {2020-01-10} } Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools
Dharma
2017-08-25Bleeping ComputerLawrence Abrams
@online{abrams:20170825:new:a2d73b9, author = {Lawrence Abrams}, title = {{New Arena Crysis Ransomware Variant Released}}, date = {2017-08-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } New Arena Crysis Ransomware Variant Released
Dharma
Yara Rules
[TLP:WHITE] win_dharma_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_dharma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 8b4d10 51 e8???????? 83c408 85c0 0f841e010000 }
            // n = 7, score = 100
            //   50                   | push                eax
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   0f841e010000         | je                  0x124

        $sequence_1 = { 8b45bc 50 e8???????? 50 6a00 8b4dbc 51 }
            // n = 7, score = 100
            //   8b45bc               | mov                 eax, dword ptr [ebp - 0x44]
            //   50                   | push                eax
            //   e8????????           |                     
            //   50                   | push                eax
            //   6a00                 | push                0
            //   8b4dbc               | mov                 ecx, dword ptr [ebp - 0x44]
            //   51                   | push                ecx

        $sequence_2 = { 51 c745fc00000000 6a20 8b4508 50 6a00 e8???????? }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   6a20                 | push                0x20
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   50                   | push                eax
            //   6a00                 | push                0
            //   e8????????           |                     

        $sequence_3 = { 83c408 8bf0 81e6ff00ff00 6a08 8b450c 8b4818 51 }
            // n = 7, score = 100
            //   83c408               | add                 esp, 8
            //   8bf0                 | mov                 esi, eax
            //   81e6ff00ff00         | and                 esi, 0xff00ff
            //   6a08                 | push                8
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]
            //   51                   | push                ecx

        $sequence_4 = { 99 83e20f 03c2 c1f804 8b4df8 8b15???????? 668b0442 }
            // n = 7, score = 100
            //   99                   | cdq                 
            //   83e20f               | and                 edx, 0xf
            //   03c2                 | add                 eax, edx
            //   c1f804               | sar                 eax, 4
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8b15????????         |                     
            //   668b0442             | mov                 ax, word ptr [edx + eax*2]

        $sequence_5 = { 8b4d10 51 8b55f0 c1e205 8b45ec 8b4c1014 51 }
            // n = 7, score = 100
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   51                   | push                ecx
            //   8b55f0               | mov                 edx, dword ptr [ebp - 0x10]
            //   c1e205               | shl                 edx, 5
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8b4c1014             | mov                 ecx, dword ptr [eax + edx + 0x14]
            //   51                   | push                ecx

        $sequence_6 = { 8b55e4 52 e8???????? 83c40c 8b45e4 50 e8???????? }
            // n = 7, score = 100
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   e8????????           |                     

        $sequence_7 = { 8b45f4 c1e808 25ff000000 331485b8bb4000 8b4df0 81e1ff000000 33148db8bf4000 }
            // n = 7, score = 100
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   c1e808               | shr                 eax, 8
            //   25ff000000           | and                 eax, 0xff
            //   331485b8bb4000       | xor                 edx, dword ptr [eax*4 + 0x40bbb8]
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   81e1ff000000         | and                 ecx, 0xff
            //   33148db8bf4000       | xor                 edx, dword ptr [ecx*4 + 0x40bfb8]

        $sequence_8 = { 8b4d08 8b5110 52 e8???????? 83c404 8b45fc }
            // n = 6, score = 100
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b5110               | mov                 edx, dword ptr [ecx + 0x10]
            //   52                   | push                edx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_9 = { 8945fc 8b4dfc 3b4d14 7d5b 8b5510 0355fc 0fb602 }
            // n = 7, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   3b4d14               | cmp                 ecx, dword ptr [ebp + 0x14]
            //   7d5b                 | jge                 0x5d
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]
            //   0355fc               | add                 edx, dword ptr [ebp - 4]
            //   0fb602               | movzx               eax, byte ptr [edx]

    condition:
        7 of them and filesize < 204800
}
Download all Yara Rules