How Dharma Ransomware-as-a-Service Model Works
Sophos Describes How Model Enables Low-Skilled Hackers to Target Vulnerable Small Businesses
A new study from Sophos describes how the Dharma ransomware-as-a-service model offers low-skilled hackers the ability to profit from attacks on unprotected small businesses.
While other ransomware variants, such as Maze and Sodinokibi, have grabbed headlines with large-scale attacks and multimillion-dollar payouts, the operators of Dharma and their affiliates have focused on getting smaller ransom payments from victims that lack sufficient security measures, Sophos reports (see: Ransomware: Average Business Payout Surges to $111,605).
In December 2019, when the average ransomware demand had surged to $191,000, the average Dharma ransom demand was only $8,620. That's due to the kinds of victims targeted by Dharma - mostly small and midsized businesses - as well as the skills, experience and location of the affiliates running these attacks, according to the Sophos report.
The operators behind Dharma work on developing the malware, maintaining the infrastructure and facilitating payments. They give affiliates with little skill a toolset to compromise the victims and run the attack.
"Dharma is fast-food franchise ransomware widely and easily available to just about anyone," Sean Gallagher, senior threat researcher at Sophos, notes in the report. "Dharma’s ransomware-as-a-service offerings expand the range of people who can execute devastating ransomware attacks. That’s worrying enough in itself in normal times."
Menu of Variants
Dharma, formerly called CrySis, has a large menu of variants and a criminal ecosystem for the RaaS offering, the report notes.
"'Affiliates' (often entry-level cybercriminals) pay for the use of the RaaS and carry out the targeted attacks themselves, using a standard toolkit," the report states. "Other actors provide stolen credentials and other tools on criminal forums that enable the Remote Desktop Protocol attacks that are the predominant means of initial compromise for Dharma actors."
The Sophos report notes that about 85% of all Dharma attacks spotted this year started with the hackers taking advantage of vulnerabilities in RDP - a proprietary Microsoft communications protocol that enables system administrators and employees to connect to corporate networks from remote computers.
Since the COVID-19 pandemic led to a shift to a remote workforce, security firms, including ESET and Kaspersky, have noted a sharp increase in brute-force and other attacks looking to exploit unpatched RDP connections to gain a foothold into networks (see: Brute-Force Attacks Targeting RDP on the Rise).
Affiliates Are Dependent
Dharma's operators don’t allow affiliates to have full control over the decryptor keys, according to the Sophos report.
"Victims who contact the attackers are given a first-stage tool that extracts information about the files that were encrypted into a text file. That text file gets pasted into email and is sent back to the affiliates - who then have to submit that data through a portal for the RaaS to obtain the actual keys," Sophos says.
Once their payment to the main gang has been received, a typical Dharma affiliate will get access to a toolkit containing the malware and instructions for performing an attack, Sophos notes.
The affiliate receives a menu-driven PowerShell script that installs and launches the components required to spread ransomware across the network. When the RDP connection is made with the victim, the toolkit, which resides as a directory on the threat actor's computer, is mapped to the target network as an accessible network drive, Sophos says.
The directory contains a number of applications - such as the Mimikatz password extraction tool, customized hacking tools and freeware versions of a variety of legitimate system utilities - along with the Dharma ransomware executable file, according to Sophos.
Sophos says the majority of Dharma attacks can be stopped by ensuring RDP servers are patched and secured behind a VPN with multifactor authentication.
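The drive mapping described above gives defenders something to hunt for: on the RDP host, a client's redirected drive appears under the path \\tsclient\, so programs or scripts launched from it show up in process-creation logs. The following is an added detection example, not code from Sophos or from this article. It assumes Windows Security events 4624 and 4688 exported as JSON lines with their standard field names and with command-line auditing enabled; the account, IP address and file names in the sample are constructed.

```python
import json
import re

# Constructed sample: Windows Security events exported as JSON lines (assumed format).
# 4624 = logon (LogonType 10 is RemoteInteractive, i.e. RDP); 4688 = process creation.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "LogonType": 10, "TargetLogonId": "0x3e5a1", "TargetUserName": "svc_backup", "IpAddress": "203.0.113.45"}
{"EventID": 4624, "LogonType": 2, "TargetLogonId": "0x1b2c3", "TargetUserName": "alice", "IpAddress": "-"}
{"EventID": 4688, "SubjectLogonId": "0x3e5a1", "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -File \\\\tsclient\\e\\menu.ps1"}
{"EventID": 4688, "SubjectLogonId": "0x3e5a1", "NewProcessName": "\\\\tsclient\\e\\tool.exe", "CommandLine": "\\\\tsclient\\e\\tool.exe"}
{"EventID": 4688, "SubjectLogonId": "0x1b2c3", "NewProcessName": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe C:\\Users\\alice\\notes.txt"}
"""

# Matches \\tsclient\<drive>, the UNC prefix of a drive redirected over RDP.
TSCLIENT = re.compile(r"\\\\tsclient\\[^\\\s]+", re.IGNORECASE)

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_redirected_drive_execution(events):
    """Flag processes run from an RDP-redirected drive and attach the owning RDP logon."""
    rdp_sessions = {
        e["TargetLogonId"]: e for e in events
        if e.get("EventID") == 4624 and str(e.get("LogonType")) == "10"
    }
    findings = []
    for e in events:
        if e.get("EventID") != 4688:
            continue
        haystack = e.get("NewProcessName", "") + " " + e.get("CommandLine", "")
        m = TSCLIENT.search(haystack)
        if not m:
            continue
        session = rdp_sessions.get(e.get("SubjectLogonId"), {})
        findings.append({
            "share": m.group(0),
            "image": e.get("NewProcessName"),
            "user": session.get("TargetUserName", "unknown"),
            "source_ip": session.get("IpAddress", "unknown"),
        })
    return findings

if __name__ == "__main__":
    for finding in find_redirected_drive_execution(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Legitimate administrators sometimes run installers from a redirected drive, so findings are best reviewed alongside the source address and account of the RDP logon that the function attaches to each one.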