Dharma (Malware Family)

SYMBOL	COMMON_NAME	aka. SYNONYMS

win.dharma (Back to overview)

Dharma

aka: Arena, Crysis, Wadhrama, ncov

VTCollection URLhaus

According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.

Once they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.

References

2024-11-20 ⋅ Trellix ⋅ Jambul Tologonov, John Fokker, Phuc Pham
Phobos: Stealthy Ransomware That Operated Under the Radar - Until Now
8Base CryptXXXX Dharma Phobos

2023-07-03 ⋅ AhnLab ⋅ ASEC
Crysis Threat Actor Installing Venus Ransomware Through RDP
Dharma

2023-04-18 ⋅ Mandiant ⋅ Mandiant
M-Trends 2023
QUIETEXIT AppleJeus Black Basta BlackCat CaddyWiper Cobalt Strike Dharma HermeticWiper Hive INDUSTROYER2 Ladon LockBit Meterpreter PartyTicket PlugX QakBot REvil Royal Ransom SystemBC WhisperGate

2023-02-15 ⋅ Google ⋅ Google Threat Analysis Group, Mandiant
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape
CaddyWiper Dharma HermeticWiper INDUSTROYER2 PartyTicket WhisperGate Callisto Curious Gorge MUSTANG PANDA Turla

2022-04-01 ⋅ Bleeping Computer ⋅ Lawrence Abrams
The Week in Ransomware - April 1st 2022 - 'I can fight with a keyboard'
Hive Dharma LockBit STOP SunCrypt

2022-03-17 ⋅ Sophos ⋅ Tilly Travers
The Ransomware Threat Intelligence Center
ATOMSILO Avaddon AvosLocker BlackKingdom Ransomware BlackMatter Conti Cring DarkSide dearcry Dharma Egregor Entropy Epsilon Red Gandcrab Karma LockBit LockFile Mailto Maze Nefilim RagnarLocker Ragnarok REvil RobinHood Ryuk SamSam Snatch WannaCryptor WastedLocker

2021-10-29 ⋅ ⋅ Національна поліція України ⋅ Національна поліція України
Cyberpolice exposes transnational criminal group in causing $ 120 million in damage to foreign companies
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-29 ⋅ Europol ⋅ Europol
12 targeted for involvement in ransomware attacks against critical infrastructure
Cobalt Strike Dharma LockerGoga MegaCortex TrickBot

2021-10-22 ⋅ HUNT & HACKETT ⋅ Krijn de Mik
Advanced IP Scanner: the preferred scanner in the A(P)T toolbox
Conti DarkSide Dharma Egregor Hades REvil Ryuk

2021-10-07 ⋅ Kaspersky ⋅ Fedor Sinitsyn, Yanis Zinchenko
Ransomware in the CIS
Cryakl Dharma Hakbit Phobos Void

2021-04-27 ⋅ CrowdStrike ⋅ Eben Kaplan, Josh Dalman, Kamil Janton
Ransomware Preparedness: A Call to Action
Dharma GlobeImposter Maze Phobos CIRCUS SPIDER TRAVELING SPIDER

2021-03-17 ⋅ Palo Alto Networks Unit 42 ⋅ Unit42
Ransomware Threat Report 2021
RansomEXX Dharma DoppelPaymer Gandcrab Mailto Maze Phobos RansomEXX REvil Ryuk WastedLocker

2021-03-01 ⋅ Acronis ⋅ Acronis Security
Threat analysis: Dharma (CrySiS) ransomware
Dharma

2021-02-02 ⋅ ⋅ CRONUP ⋅ Germán Fernández
De ataque con Malware a incidente de Ransomware
Avaddon BazarBackdoor Buer Clop Cobalt Strike Conti DanaBot Dharma Dridex Egregor Emotet Empire Downloader FriedEx GootKit IcedID MegaCortex Nemty Phorpiex PwndLocker PyXie QakBot RansomEXX REvil Ryuk SDBbot SmokeLoader TrickBot Zloader

2021-01-08 ⋅ Zscaler ⋅ Mohd Sadique, Pradeep Kulkarni
Ransomware Delivered Using RDP Brute-Force Attack
Dharma

2020-12-18 ⋅ Trend Micro ⋅ Junestherry Salvador, Matthew Camacho, Raphael Centeno
Negasteal Uses Hastebin for Fileless Delivery of Crysis Ransomware
Agent Tesla Dharma

2020-08-24 ⋅ Group-IB ⋅ Oleg Skulkin
Cybercriminal greeners from Iran attack companies worldwide for financial gain
Dharma

2020-08-12 ⋅ ⋅ CERT Santé ⋅ CERT Santé
Retour d’expérience suite à une attaque par rançongiciel contre une structure de santé
Dharma

2020-08-12 ⋅ SophosLabs Uncut ⋅ Sean Gallagher
Color by numbers: inside a Dharma ransomware-as-a-service attack
Dharma

2020-07-29 ⋅ ESET Research ⋅ welivesecurity
THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos PlugX Pony REvil Socelars STOP Tinba TrickBot WannaCryptor

2020-07-10 ⋅ Vice ⋅ Joseph Cox
The Secret Service Tried to Catch a Hacker With a Malware Booby-Trap
Dharma

2020-06-16 ⋅ The DFIR Report ⋅ The DFIR Report
The Little Ransomware That Couldn’t (Dharma)
Dharma

2020-04-24 ⋅ Advanced Intelligence ⋅ Bridgit Sullivan
Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos

2020-03-05 ⋅ Microsoft ⋅ Microsoft Threat Protection Intelligence Team
Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA

2020-03-04 ⋅ CrowdStrike ⋅ CrowdStrike
2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelDridex DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot Vidar Winnti ANTHROPOID SPIDER APT23 APT31 APT39 APT40 BlackTech BuhTrap Charming Kitten CLOCKWORK SPIDER DOPPEL SPIDER FIN7 Gamaredon Group GOBLIN PANDA MONTY SPIDER MUSTANG PANDA NARWHAL SPIDER NOCTURNAL SPIDER PINCHY SPIDER SALTY SPIDER SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER VICEROY TIGER

2020-02-25 ⋅ RSA Conference ⋅ Joel DeCapua
Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Rapid Ransom REvil Ryuk SamSam Zeus

2020-01-29 ⋅ ANSSI ⋅ ANSSI
État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam

2020-01-17 ⋅ Secureworks ⋅ Keita Yamazaki, Tamada Kiyotaka, You Nakatsuru
Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos REvil Ryuk SamSam Scarab Ransomware

2019-11-11 ⋅ The Register ⋅ Gareth Corfield
If it sounds too good to be true, it most likely is: Nobody can decrypt the Dharma ransomware
Dharma

2019-05-08 ⋅ Trend Micro ⋅ Raphael Centeno
Dharma Ransomware Uses AV Tool to Distract from Malicious Activities
Dharma

2019-01-22 ⋅ Twitter (@JakubKroustek) ⋅ Jakub Křoustek
Frequently updated Twitter thread with many Dharma samples
Dharma

2018-12-02 ⋅ Check Point ⋅ Check Point Research
The Ransomware Doctor Without A Cure
Dharma

2018-09-11 ⋅ Sophos Naked Security ⋅ Mark Stockley
The Rise of Targeted Ransomware
Dharma FriedEx SamSam

2018-07-10 ⋅ Carbon Black ⋅ Jared Myers
Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools
Dharma

2017-12-11 ⋅ United States Department of Justice ⋅ United States Department of Justice
United States of America v. MIHAI ALEXANDRU ISVANCA and EVELINE CISMARU
Cerber Dharma

2017-08-25 ⋅ Bleeping Computer ⋅ Lawrence Abrams
New Arena Crysis Ransomware Variant Released
Dharma

2016-12-23 ⋅ United States District Court for the Western District of Washington ⋅ United States District Court for the Western District of Washington
United States v. lavandos@dr.com :: APPLICATION FOR A SEARCH WARRANT
Dharma

2016-06-07 ⋅ Sogeti ⋅ mirak, PAF
The Story of yet another ransom-fail-ware
Dharma

Yara Rules

[TLP:WHITE] win_dharma_auto (20241030 | Detects win.dharma.)

rule win_dharma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2024-10-31"
        version = "1"
        description = "Detects win.dharma."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma"
        malpedia_rule_date = "20241030"
        malpedia_hash = "26e26953c49c8efafbf72a38076855d578e0a2e4"
        malpedia_version = "20241030"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8b4218 33c9 668908 8b5508 }
            // n = 4, score = 100
            //   8b4218               | mov                 eax, dword ptr [edx + 0x18]
            //   33c9                 | xor                 ecx, ecx
            //   668908               | mov                 word ptr [eax], cx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]

        $sequence_1 = { 81e10000ff00 33d1 8b45f0 c1e808 25ff000000 8b0c85b8b34000 81e100ff0000 }
            // n = 7, score = 100
            //   81e10000ff00         | and                 ecx, 0xff0000
            //   33d1                 | xor                 edx, ecx
            //   8b45f0               | mov                 eax, dword ptr [ebp - 0x10]
            //   c1e808               | shr                 eax, 8
            //   25ff000000           | and                 eax, 0xff
            //   8b0c85b8b34000       | mov                 ecx, dword ptr [eax*4 + 0x40b3b8]
            //   81e100ff0000         | and                 ecx, 0xff00

        $sequence_2 = { 6a08 8b450c 8b4818 51 e8???????? 83c408 2500ff00ff }
            // n = 7, score = 100
            //   6a08                 | push                8
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   2500ff00ff           | and                 eax, 0xff00ff00

        $sequence_3 = { 51 8b55fc 52 ff15???????? 8b4df8 89048db8864100 8b55f8 }
            // n = 7, score = 100
            //   51                   | push                ecx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   89048db8864100       | mov                 dword ptr [ecx*4 + 0x4186b8], eax
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]

        $sequence_4 = { 33c0 6689044a 8b4d08 8b5104 83c201 8955ec 8b4508 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   6689044a             | mov                 word ptr [edx + ecx*2], ax
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   83c201               | add                 edx, 1
            //   8955ec               | mov                 dword ptr [ebp - 0x14], edx
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]

        $sequence_5 = { 732e 8b4df8 8a11 8855ef 8b45f8 8b4df4 8a11 }
            // n = 7, score = 100
            //   732e                 | jae                 0x30
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8a11                 | mov                 dl, byte ptr [ecx]
            //   8855ef               | mov                 byte ptr [ebp - 0x11], dl
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   8a11                 | mov                 dl, byte ptr [ecx]

        $sequence_6 = { e8???????? 83c410 894590 6a02 6880000000 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   894590               | mov                 dword ptr [ebp - 0x70], eax
            //   6a02                 | push                2
            //   6880000000           | push                0x80

        $sequence_7 = { 83780800 7405 e8???????? 8b4d0c 51 8b55fc 52 }
            // n = 7, score = 100
            //   83780800             | cmp                 dword ptr [eax + 8], 0
            //   7405                 | je                  7
            //   e8????????           |                     
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   51                   | push                ecx
            //   8b55fc               | mov                 edx, dword ptr [ebp - 4]
            //   52                   | push                edx

        $sequence_8 = { 2b4224 8d4c0002 51 8b5508 8b4224 8b4d08 8b5118 }
            // n = 7, score = 100
            //   2b4224               | sub                 eax, dword ptr [edx + 0x24]
            //   8d4c0002             | lea                 ecx, [eax + eax + 2]
            //   51                   | push                ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b4224               | mov                 eax, dword ptr [edx + 0x24]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]
            //   8b5118               | mov                 edx, dword ptr [ecx + 0x18]

        $sequence_9 = { 52 8b4510 50 e8???????? 83c408 85c0 7409 }
            // n = 7, score = 100
            //   52                   | push                edx
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7409                 | je                  0xb

    condition:
        7 of them and filesize < 204800
}

Download all Yara Rules

Dharma Propose Change

References

Yara Rules

Dharma