SYMBOLCOMMON_NAMEaka. SYNONYMS
win.dharma (Back to overview)

Dharma

aka: Arena, Crysis, Wadhrama, ncov
URLhaus      

According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.

Once they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.

References
2020-08-24Group-IBOleg Skulkin
@online{skulkin:20200824:cybercriminal:f1959f3, author = {Oleg Skulkin}, title = {{Cybercriminal greeners from Iran attack companies worldwide for financial gain}}, date = {2020-08-24}, organization = {Group-IB}, url = {https://www.group-ib.com/media/iran-cybercriminals/}, language = {English}, urldate = {2020-08-25} } Cybercriminal greeners from Iran attack companies worldwide for financial gain
Dharma
2020-07-29ESET Researchwelivesecurity
@techreport{welivesecurity:20200729:threat:496355c, author = {welivesecurity}, title = {{THREAT REPORT Q2 2020}}, date = {2020-07-29}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf}, language = {English}, urldate = {2020-07-30} } THREAT REPORT Q2 2020
DEFENSOR ID HiddenAd Bundlore Pirrit Agent.BTZ Cerber ClipBanker CROSSWALK Cryptowall CTB Locker DanaBot Dharma Formbook Gandcrab Grandoreiro Houdini ISFB LockBit Locky Mailto Maze Microcin Nemty NjRAT Phobos Ransomware PlugX Pony REvil Socelars STOP Ransomware Tinba TrickBot WannaCryptor
2020-06-16The DFIR ReportThe DFIR Report
@online{report:20200616:little:bc50ff0, author = {The DFIR Report}, title = {{The Little Ransomware That Couldn’t (Dharma)}}, date = {2020-06-16}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/}, language = {English}, urldate = {2020-06-16} } The Little Ransomware That Couldn’t (Dharma)
Dharma
2020-04-24Advanced IntelligenceBridgit Sullivan
@online{sullivan:20200424:inside:ee63bb1, author = {Bridgit Sullivan}, title = {{Inside "Phobos" Ransomware: "Dharma" Past & Underground}}, date = {2020-04-24}, organization = {Advanced Intelligence}, url = {https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground}, language = {English}, urldate = {2020-07-30} } Inside "Phobos" Ransomware: "Dharma" Past & Underground
Dharma Phobos Ransomware
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor
2020-03-04CrowdStrikeCrowdStrike
@techreport{crowdstrike:20200304:2020:818c85f, author = {CrowdStrike}, title = {{2020 CrowdStrike Global Threat Report}}, date = {2020-03-04}, institution = {CrowdStrike}, url = {https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf}, language = {English}, urldate = {2020-07-24} } 2020 CrowdStrike Global Threat Report
MESSAGETAP More_eggs 8.t Dropper Anchor BabyShark BadNews Clop Cobalt Strike CobInt Cobra Carbon System Cutwail DanaBot Dharma DoppelPaymer Dridex Emotet FlawedAmmyy FriedEx Gandcrab Get2 IcedID ISFB KerrDown LightNeuron LockerGoga Maze MECHANICAL Necurs Nokki Outlook Backdoor Phobos Ransomware Predator The Thief QakBot REvil RobinHood Ryuk SDBbot Skipper SmokeLoader TerraRecon TerraStealer TerraTV TinyLoader TrickBot vidar Winnti ANTHROPOID SPIDER Anunak APT31 APT39 BlackTech BuhTrap Charming Kitten CLOCKWORD SPIDER DOPPEL SPIDER Gamaredon Group Leviathan MONTY SPIDER Mustang Panda NARWHAL SPIDER NOCTURNAL SPIDER Pinchy Spider Pirate Panda Salty Spider SCULLY SPIDER SMOKY SPIDER Thrip VENOM SPIDER
2020-02-25RSA ConferenceJoel DeCapua
@online{decapua:20200225:feds:423f929, author = {Joel DeCapua}, title = {{Feds Fighting Ransomware: How the FBI Investigates and How You Can Help}}, date = {2020-02-25}, organization = {RSA Conference}, url = {https://www.youtube.com/watch?v=LUxOcpIRxmg}, language = {English}, urldate = {2020-03-04} } Feds Fighting Ransomware: How the FBI Investigates and How You Can Help
FastCash Cerber Defray Dharma FriedEx Gandcrab GlobeImposter Mamba Phobos Ransomware Rapid Ransom REvil Ryuk SamSam Zeus
2020-01-29ANSSIANSSI
@techreport{anssi:20200129:tat:3d59e6e, author = {ANSSI}, title = {{État de la menace rançongiciel}}, date = {2020-01-29}, institution = {ANSSI}, url = {https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf}, language = {English}, urldate = {2020-02-03} } État de la menace rançongiciel
Clop Dharma FriedEx Gandcrab LockerGoga Maze MegaCortex REvil RobinHood Ryuk SamSam
2020-01-17SecureworksTamada Kiyotaka, Keita Yamazaki, You Nakatsuru
@techreport{kiyotaka:20200117:is:969ff38, author = {Tamada Kiyotaka and Keita Yamazaki and You Nakatsuru}, title = {{Is It Wrong to Try to Find APT Techniques in Ransomware Attack?}}, date = {2020-01-17}, institution = {Secureworks}, url = {https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf}, language = {English}, urldate = {2020-04-06} } Is It Wrong to Try to Find APT Techniques in Ransomware Attack?
Defray Dharma FriedEx Gandcrab GlobeImposter Matrix Ransom MedusaLocker Phobos Ransomware REvil Ryuk SamSam Scarab Ransomware
2019-05-08Trend MicroRaphael Centeno
@online{centeno:20190508:dharma:cc5ac04, author = {Raphael Centeno}, title = {{Dharma Ransomware Uses AV Tool to Distract from Malicious Activities}}, date = {2019-05-08}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/}, language = {English}, urldate = {2020-01-06} } Dharma Ransomware Uses AV Tool to Distract from Malicious Activities
Dharma
2018-07-10Carbon BlackJared Myers
@online{myers:20180710:carbon:cc54d00, author = {Jared Myers}, title = {{Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools}}, date = {2018-07-10}, organization = {Carbon Black}, url = {https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/}, language = {English}, urldate = {2020-01-10} } Carbon Black TAU Threat Analysis: Recent Dharma Ransomware Highlights Attackers’ Continued Use of Open-Source Tools
Dharma
2017-08-25Bleeping ComputerLawrence Abrams
@online{abrams:20170825:new:a2d73b9, author = {Lawrence Abrams}, title = {{New Arena Crysis Ransomware Variant Released}}, date = {2017-08-25}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/}, language = {English}, urldate = {2019-12-20} } New Arena Crysis Ransomware Variant Released
Dharma
Yara Rules
[TLP:WHITE] win_dharma_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_dharma_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 81e100ff0000 33c1 8b55f8 c1ea18 8b0c95b8b74000 81e1ff000000 33c1 }
            // n = 7, score = 100
            //   81e100ff0000         | and                 ecx, 0xff00
            //   33c1                 | xor                 eax, ecx
            //   8b55f8               | mov                 edx, dword ptr [ebp - 8]
            //   c1ea18               | shr                 edx, 0x18
            //   8b0c95b8b74000       | mov                 ecx, dword ptr [edx*4 + 0x40b7b8]
            //   81e1ff000000         | and                 ecx, 0xff
            //   33c1                 | xor                 eax, ecx

        $sequence_1 = { d3e0 2345fc 0f8485000000 8b4df8 8b55e8 668b044a }
            // n = 6, score = 100
            //   d3e0                 | shl                 eax, cl
            //   2345fc               | and                 eax, dword ptr [ebp - 4]
            //   0f8485000000         | je                  0x8b
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]
            //   8b55e8               | mov                 edx, dword ptr [ebp - 0x18]
            //   668b044a             | mov                 ax, word ptr [edx + ecx*2]

        $sequence_2 = { 83c408 85c0 7413 8b45e8 50 8b4df0 51 }
            // n = 7, score = 100
            //   83c408               | add                 esp, 8
            //   85c0                 | test                eax, eax
            //   7413                 | je                  0x15
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   8b4df0               | mov                 ecx, dword ptr [ebp - 0x10]
            //   51                   | push                ecx

        $sequence_3 = { 8a5118 885059 8b4508 8b4814 c1e918 }
            // n = 5, score = 100
            //   8a5118               | mov                 dl, byte ptr [ecx + 0x18]
            //   885059               | mov                 byte ptr [eax + 0x59], dl
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   8b4814               | mov                 ecx, dword ptr [eax + 0x14]
            //   c1e918               | shr                 ecx, 0x18

        $sequence_4 = { 8d85e0fdffff 50 e8???????? 83c40c 8b85b4fdffff 8be5 5d }
            // n = 7, score = 100
            //   8d85e0fdffff         | lea                 eax, [ebp - 0x220]
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b85b4fdffff         | mov                 eax, dword ptr [ebp - 0x24c]
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp

        $sequence_5 = { 668955e8 0fb745e8 0fb74dec 0fb755e4 33db 3bca 0f9fc3 }
            // n = 7, score = 100
            //   668955e8             | mov                 word ptr [ebp - 0x18], dx
            //   0fb745e8             | movzx               eax, word ptr [ebp - 0x18]
            //   0fb74dec             | movzx               ecx, word ptr [ebp - 0x14]
            //   0fb755e4             | movzx               edx, word ptr [ebp - 0x1c]
            //   33db                 | xor                 ebx, ebx
            //   3bca                 | cmp                 ecx, edx
            //   0f9fc3               | setg                bl

        $sequence_6 = { 8b0c85b8b34000 81e100ff0000 33d1 8b45e4 25ff000000 8b0c85b8b74000 81e1ff000000 }
            // n = 7, score = 100
            //   8b0c85b8b34000       | mov                 ecx, dword ptr [eax*4 + 0x40b3b8]
            //   81e100ff0000         | and                 ecx, 0xff00
            //   33d1                 | xor                 edx, ecx
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   25ff000000           | and                 eax, 0xff
            //   8b0c85b8b74000       | mov                 ecx, dword ptr [eax*4 + 0x40b7b8]
            //   81e1ff000000         | and                 ecx, 0xff

        $sequence_7 = { 33c0 eb39 8b4d0c d1e1 51 8b5508 8b4218 }
            // n = 7, score = 100
            //   33c0                 | xor                 eax, eax
            //   eb39                 | jmp                 0x3b
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   d1e1                 | shl                 ecx, 1
            //   51                   | push                ecx
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   8b4218               | mov                 eax, dword ptr [edx + 0x18]

        $sequence_8 = { 8b4510 2bc2 50 8b4de0 2b4d0c d1f9 8b5510 }
            // n = 7, score = 100
            //   8b4510               | mov                 eax, dword ptr [ebp + 0x10]
            //   2bc2                 | sub                 eax, edx
            //   50                   | push                eax
            //   8b4de0               | mov                 ecx, dword ptr [ebp - 0x20]
            //   2b4d0c               | sub                 ecx, dword ptr [ebp + 0xc]
            //   d1f9                 | sar                 ecx, 1
            //   8b5510               | mov                 edx, dword ptr [ebp + 0x10]

        $sequence_9 = { 8b4508 0fb7481c 83f937 0f8e8d000000 8b5508 0fb7421c 8b4d08 }
            // n = 7, score = 100
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   0fb7481c             | movzx               ecx, word ptr [eax + 0x1c]
            //   83f937               | cmp                 ecx, 0x37
            //   0f8e8d000000         | jle                 0x93
            //   8b5508               | mov                 edx, dword ptr [ebp + 8]
            //   0fb7421c             | movzx               eax, word ptr [edx + 0x1c]
            //   8b4d08               | mov                 ecx, dword ptr [ebp + 8]

    condition:
        7 of them and filesize < 204800
}
Download all Yara Rules