SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dharma (Back to overview)

Dharma

aka: Arena, Crysis, Wadhrama, ncov
URLhaus      

According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.

Once they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.

References
2020-08-24Group-IBOleg Skulkin
@online{skulkin:20200824:cybercriminal:f1959f3, author = {Oleg Skulkin}, title = {{Cybercriminal greeners from Iran attack companies worldwide for financial gain}}, date = {2020-08-24}, organization = {Group-IB}, url = {https://www.group-ib.com/media/iran-cybercriminals/}, language = {English}, urldate = {2020-08-25} } Cybercriminal greeners from Iran attack companies worldwide for financial gain
Dharma
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-06-16The DFIR ReportThe DFIR Report
@online{report:20200616:little:bc50ff0, author = {The DFIR Report}, title = {{The Little Ransomware That Couldn’t (Dharma)}}, date = {2020-06-16}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/}, language = {English}, urldate = {2020-06-16} } The Little Ransomware That Couldn’t (Dharma)
Dharma
2020-04-24Advanced IntelligenceBridgit Sullivan
@online{sullivan:20200424:inside:ee63bb1, author = {Bridgit Sullivan}, title = {{Inside "Phobos" Ransomware: "Dharma" Past & Underground}}, date = {2020-04-24}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground}, language = {English}, urldate = {2020-07-30} } Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos Ransomware
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2019-05-08Trend MicroRaphael Centeno
@online{centeno:20190508:dharma:cc5ac04, author = {Raphael Centeno}, title = {{Dharma Ransomware Uses AV Tool to Distract from Malicious Activities}}, date = {2019-05-08}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/}, language = {English}, urldate = {2020-01-06} } Dharma Ransomware Uses AV Tool to Distract from Malicious Activities
Dharma
2018-07-10Carbon BlackJared Myers
@online{myers:20180710:carbon:cc54d00, author = {Jared Myers}, title = {{Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools}}, date = {2018-07-10}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/}, language = {English}, urldate = {2020-01-10} } Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools
Dharma
2017-08-25Bleeping ComputerLawrence Abrams
@online{abrams:20170825:new:a2d73b9, author = {Lawrence Abrams}, title = {{New Arena Crysis Ransomware Variant Released}}, date = {2017-08-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } New Arena Crysis Ransomware Variant Released
Dharma
Yara Rules
[TLP:WHITE] win_dharma_auto (20200817 | autogenerated rule brought to you by yara-signator)
rule win_dharma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-08-17"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma"
        malpedia_rule_date = "20200817"
        malpedia_hash = "8c895fd01eccb47a6225bcb1a3ba53cbb98644c5"
        malpedia_version = "20200817"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 52 8b4508 8b4820 8b5508 8b4218 8d0c48 }
            // n = 6, score = 100
            //   52                   | push                edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4820               | mov                 ecx, dword ptr [eax + 0x20]
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b4218               | mov                 eax, dword ptr [edx + 0x18]
            //   8d0c48               | lea                 ecx, [eax + ecx*2]

        $sequence_1 = { c1e808 25ff000000 8b0c85b8b34000 81e100ff0000 33d1 8b45e4 25ff000000 }
            // n = 7, score = 100
            //   c1e808               | shr                 eax, 8
            //   25ff000000           | and                 eax, 0xff
            //   8b0c85b8b34000       | mov                 ecx, dword ptr [eax*4 + 0x40b3b8]
            //   81e100ff0000         | and                 ecx, 0xff00
            //   33d1                 | xor                 edx, ecx
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   25ff000000           | and                 eax, 0xff

        $sequence_2 = { c745f800000000 8b450c 50 e8???????? 8d4c0002 51 e8???????? }
            // n = 7, score = 100
            //   c745f800000000       | mov                 dword ptr [ebp - 8], 0
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   8d4c0002             | lea                 ecx, [eax + eax + 2]
            //   51                   | push                ecx
            //   e8????????           |                     

        $sequence_3 = { 68???????? e8???????? 83c410 8945f4 837d0800 740b 8b45f8 }
            // n = 7, score = 100
            //   68????????           |                     
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   837d0800             | cmp                 dword ptr [ebp + 8], 0
            //   740b                 | je                  0xd
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]

        $sequence_4 = { 837df806 7309 c745ec01000000 eb4a 8d45f4 50 6a08 }
            // n = 7, score = 100
            //   837df806             | cmp                 dword ptr [ebp - 8], 6
            //   7309                 | jae                 0xb
            //   c745ec01000000       | mov                 dword ptr [ebp - 0x14], 1
            //   eb4a                 | jmp                 0x4c
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   50                   | push                eax
            //   6a08                 | push                8

        $sequence_5 = { 8b4df4 3b4d10 7d4c 8b55fc 83c204 8955fc 8b45fc }
            // n = 7, score = 100
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   3b4d10               | cmp                 ecx, dword ptr [ebp + 0x10]
            //   7d4c                 | jge                 0x4e
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   83c204               | add                 edx, 4
            //   8955fc               | mov                 dword ptr [ebp - 4], edx
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]

        $sequence_6 = { 8b4510 2bc2 50 8b4de0 2b4d0c d1f9 8b5510 }
            // n = 7, score = 100
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   2bc2                 | sub                 eax, edx
            //   50                   | push                eax
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   2b4d0c               | sub                 ecx, dword ptr [ebp + 0xc]
            //   d1f9                 | sar                 ecx, 1
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        $sequence_7 = { 894514 eb09 8b4d14 83e910 }
            // n = 4, score = 100
            //   894514               | mov                 dword ptr [ebp + 0x14], eax
            //   eb09                 | jmp                 0xb
            //   8b4d14               | mov                 ecx, dword ptr [ebp + 0x14]
            //   83e910               | sub                 ecx, 0x10

        $sequence_8 = { 0fb645fa 8b4de4 8a1401 8855ef 0fb645f9 8b4de4 }
            // n = 6, score = 100
            //   0fb645fa             | movzx               eax, byte ptr [ebp - 6]
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   8a1401               | mov                 dl, byte ptr [ecx + eax]
            //   8855ef               | mov                 byte ptr [ebp - 0x11], dl
            //   0fb645f9             | movzx               eax, byte ptr [ebp - 7]
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]

        $sequence_9 = { d1fa 8955f0 33c0 8b4df4 668901 8b55f4 }
            // n = 6, score = 100
            //   d1fa                 | sar                 edx, 1
            //   8955f0               | mov                 dword ptr [ebp - 0x10], edx
            //   33c0                 | xor                 eax, eax
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   668901               | mov                 word ptr [ecx], ax
            //   8b55f4               | mov                 edx, dword ptr [ebp - 0xc]

    condition:
        7 of them and filesize < 204800
}
Download all Yara Rules