win.dharma (Back to overview)


aka: Arena, Crysis, Wadhrama, ncov
VTCollection     URLhaus      

According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.

Once they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.

Crysis Threat Actor Installing Venus Ransomware Through RDP
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate
2023-02-15GoogleGoogle Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla
2022-04-01Bleeping ComputerLawrence Abrams
The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'
Hive Dharma LockBit STOP SunCrypt
2022-03-17SophosTilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker
2021-10-29Національна поліція УкраїниНаціональна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot
2021-10-22HUNT & HACKETTKrijn de Mik
Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk
2021-10-07KasperskyFedor Sinitsyn, Yanis Zinchenko
Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void
2021-04-27CrowdStrikeEben Kaplan, Josh Dalman, Kamil Janton
Ransomware Preparedness: A Call to Action
2021-03-17Palo Alto Networks Unit 42Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker
2021-03-01AcronisAcronis Security
Threat analysis: Dharma (CrySiS) ransomware
2021-02-02CRONUPGermán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader
2021-01-08ZscalerMohd Sadique, Pradeep Kulkarni
Ransomware Delivered Using RDP Brute-Force Attack
2020-12-18Trend MicroJunestherry Salvador, Matthew Camacho, Raphael Centeno
Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware
Agent Tesla Dharma
2020-08-24Group-IBOleg Skulkin
Cybercriminal greeners from Iran attack companies worldwide for financial gain
2020-08-12SophosLabs UncutSean Gallagher
Color by numbers: inside a Dharma ransomware-as-a-service attack
2020-08-12CERT SantéCERT Santé
Retour d’expérience suite à une attaque par rançongiciel contre une structure de santé
2020-07-29ESET Researchwelivesecurity
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor
2020-07-10ViceJoseph Cox
The Secret Service Tried to Catch a Hacker With a Malware Booby-Trap
2020-06-16The DFIR ReportThe DFIR Report
The Little Ransomware That Couldn’t (Dharma)
2020-04-24Advanced IntelligenceBridgit Sullivan
Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER
2020-02-25RSA ConferenceJoel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-17SecureworksKeita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware
2019-11-11The RegisterGareth Corfield
If it sounds too good to be true, it most likely is: Nobody can decrypt the Dharma ransomware
2019-05-08Trend MicroRaphael Centeno
Dharma Ransomware Uses AV Tool to Distract from Malicious Activities
2019-01-22Twitter (@JakubKroustek)Jakub Křoustek
Frequently updated Twitter thread with many Dharma samples
2018-12-02Check PointCheck Point Research
The Ransomware Doctor Without A Cure
2018-09-11Sophos Naked SecurityMark Stockley
The Rise of Targeted Ransomware
Dharma FriedEx SamSam
2018-07-10Carbon BlackJared Myers
Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools
2017-12-11United States Department of JusticeUnited States Department of Justice
Cerber Dharma
2017-08-25Bleeping ComputerLawrence Abrams
New Arena Crysis Ransomware Variant Released
2016-12-23United States District Court for the Western District of WashingtonUnited States District Court for the Western District of Washington
2016-06-07Sogetimirak, PAF
The Story of yet another ransom-fail-ware
Yara Rules
[TLP:WHITE] win_dharma_auto (20230808 | Detects win.dharma.)
rule win_dharma_auto {

        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.dharma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = ""
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.

        $sequence_0 = { 8945e8 8b45ec 8b4808 8b55ec }
            // n = 4, score = 100
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b45ec               | mov                 eax, dword ptr [ebp - 0x14]
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]

        $sequence_1 = { 8b4824 8b5508 8b4218 8d0c48 51 68ff7f0000 }
            // n = 6, score = 100
            //   8b4824               | mov                 ecx, dword ptr [eax + 0x24]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b4218               | mov                 eax, dword ptr [edx + 0x18]
            //   8d0c48               | lea                 ecx, [eax + ecx*2]
            //   51                   | push                ecx
            //   68ff7f0000           | push                0x7fff

        $sequence_2 = { 68???????? 6a00 6a00 e8???????? eb0e 8b4dfc 51 }
            // n = 7, score = 100
            //   68????????           |                     
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   e8????????           |                     
            //   eb0e                 | jmp                 0x10
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   51                   | push                ecx

        $sequence_3 = { 8b45e4 034530 8945e4 8b4dfc 034d30 894dfc 6a06 }
            // n = 7, score = 100
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   034530               | add                 eax, dword ptr [ebp + 0x30]
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   034d30               | add                 ecx, dword ptr [ebp + 0x30]
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx
            //   6a06                 | push                6

        $sequence_4 = { a1???????? 898574ffffff 6880000000 68???????? 8b8d74ffffff 51 68???????? }
            // n = 7, score = 100
            //   a1????????           |                     
            //   898574ffffff         | mov                 dword ptr [ebp - 0x8c], eax
            //   6880000000           | push                0x80
            //   68????????           |                     
            //   8b8d74ffffff         | mov                 ecx, dword ptr [ebp - 0x8c]
            //   51                   | push                ecx
            //   68????????           |                     

        $sequence_5 = { 8945fc 8b4d08 0fb711 d1fa 8955e0 8b45f8 c1e818 }
            // n = 7, score = 100
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   0fb711               | movzx               edx, word ptr [ecx]
            //   d1fa                 | sar                 edx, 1
            //   8955e0               | mov                 dword ptr [ebp - 0x20], edx
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   c1e818               | shr                 eax, 0x18

        $sequence_6 = { 741a 8b5508 83c22c 8b4dfc 8b8108000100 }
            // n = 5, score = 100
            //   741a                 | je                  0x1c
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   83c22c               | add                 edx, 0x2c
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   8b8108000100         | mov                 eax, dword ptr [ecx + 0x10008]

        $sequence_7 = { 8b0c85b8bf4000 81e10000ff00 33d1 8b45f4 }
            // n = 4, score = 100
            //   8b0c85b8bf4000       | mov                 ecx, dword ptr [eax*4 + 0x40bfb8]
            //   81e10000ff00         | and                 ecx, 0xff0000
            //   33d1                 | xor                 edx, ecx
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]

        $sequence_8 = { d1f8 8d4c0002 51 e8???????? 83c404 8b55ec 8b4a08 }
            // n = 7, score = 100
            //   d1f8                 | sar                 eax, 1
            //   8d4c0002             | lea                 ecx, [eax + eax + 2]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   8b4a08               | mov                 ecx, dword ptr [edx + 8]

        $sequence_9 = { 8b55f4 83c201 8955f4 eba3 8b45f8 50 e8???????? }
            // n = 7, score = 100
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]
            //   83c201               | add                 edx, 1
            //   8955f4               | mov                 dword ptr [ebp - 0xc], edx
            //   eba3                 | jmp                 0xffffffa5
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   50                   | push                eax
            //   e8????????           |                     

        7 of them and filesize < 204800
Download all Yara Rules