Dharma Ransomware: A deep dive into the ransomware’s new variants and massive attacks

  • Dharma ransomware made its first appearance in November 2016, after the master decryption keys for the Crysis ransomware were released to the public.
  • Dharma ransomware primarily targets healthcare providers in the United States.

Dharma ransomware made its first appearance in November 2016. The ransomware was spotted encrypting files with extensions such as .wallet, .dharma, .zzz, .brrr, and more.

Dharma ransomware was observed attacking victims through exposed RDP ports. The attackers scan for systems running RDP (TCP port 3389) and then attempt to brute-force the passwords of accounts on those systems.

Once victims are infected with Dharma ransomware, they are presented with a ransom note that instructs them to email the attackers for further instructions. The note states that the price of the ransom depends on how fast the victims respond.

The note also advertises a ‘free decryption as guarantee’ option, offering victims the chance to get up to three files decrypted for free.

Master decryption keys for Dharma ransomware released

In March 2017, the master decryption keys for Dharma ransomware were released and were used to update the RakhniDecryptor tool so that it could decrypt files encrypted by Dharma.

Later the same year, the master decryption keys for the .wallet version of Dharma ransomware were released.

New variants of Dharma ransomware

  • In August 2017, a new version of Dharma ransomware that appends the .arena extension was used to encrypt files. In December of the same year, a Dharma variant with the .java extension was released.
  • In February 2018, a new variant of Dharma with the .arrow extension was used to encrypt files.
  • In May 2018, researchers spotted a Dharma variant with the .bip extension. This variant also encrypts mapped network drives, shared virtual machine host drives, and unmapped network shares that are not protected by access permissions.
  • In September 2018, a new Dharma variant that appends the .brrr extension to encrypted files was released. Files encrypted by this variant could not be decrypted for free.
  • The same month, three new variants were released that append the .Gamma, .Bkp, or .Monro extension to encrypted files. When victims are infected with these variants, their files are encrypted and renamed. These variants also drop a ransom note with payment instructions.
  • On October 8, 2018, a new Dharma ransomware variant that appends the .boost extension to encrypted files was uploaded to ID Ransomware.
  • Between November 5, 2018, and November 9, 2018, security researcher Michael Gillespie discovered four new Dharma ransomware variants that append the .adobe, .tron, .Audit, or .cccmn extension to encrypted files.
  • The latest version of the Dharma ransomware, which appends the .fire extension to encrypted files, was discovered on November 18, 2018, by researcher Jakub Kroustek.

The attack on ABH hospital

Dharma ransomware attacked ABH hospital, stealing patient records. The ransomware encrypted most of the hospital’s data, including patients’ personal information such as names, home addresses, dates of birth, Social Security numbers, driver’s license numbers, credit card information, phone numbers, and medical data.

The hospital believed that the data had only been encrypted and had not been accessed by any unauthorized parties. Nonetheless, they removed the ransomware from the infected systems.

The attack on ABCD Children's Pediatrics

ABCD Children's Pediatrics in San Antonio was hit by Dharma ransomware, compromising the personal information of almost 55,447 patients to the attackers. The ransomware encrypted the stolen personal data of 55,447 patients.

The Attack on Urology Austin

The Dharma ransomware attack on Urology Austin affected almost 279,663 patients. The attack led to Urology Austin compromising the personal and health information of 277,663 patients. The compromised information includes patient names, addresses, dates of birth, Social Security numbers, and medical information.

The attack on Metropolitan Urology

Metropolitan Urology was hit by a Dharma ransomware attack that exposed the data of nearly 17,634 patients. Two of the organization’s servers were infected by the Dharma ransomware, which led to the exposure of patients’ data.

The exposed information included patients’ names, account numbers, provider identification, medical procedure codes, and data on the services provided. About five of these patients also had their Social Security numbers exposed.

Researchers' recommendations

  • In order to stay protected from Dharma ransomware, it is important to have a reliable and tested backup of your data that can be restored in the event of a ransomware attack.
  • Dharma ransomware usually attacks via hacked Remote Desktop services. Therefore, it is important to ensure that no computers running Remote Desktop services are connected directly to the Internet.
  • It is also important to set up proper account lockout policies to make it difficult for accounts to be brute-forced over Remote Desktop Services. Instead, make Remote Desktop accessible only via VPN.
  • It is recommended to ensure that you have a security system installed that scans all attachments. Moreover, exercise caution when opening attachments from an unknown sender.
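The RDP brute-force pattern described earlier (repeated failed logons from one source, then a success) is what the lockout and VPN-only recommendations above are meant to stop, and it is also easy to spot in Windows Security logs. The following added example (not code from the original article or any researcher it cites) runs a simple detection over constructed Windows Security events: event 4625 is a failed logon, 4624 a successful one, and logon type 10 marks Remote Desktop sessions. The timestamps, IP addresses, account names, threshold and window are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security log records, not real telemetry.
# Fields: timestamp, event ID, logon type, source IP, target account.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RemoteInteractive (RDP).
SAMPLE_EVENTS = [
    ("2018-11-09T02:00:01", 4625, 10, "198.51.100.7", "administrator"),
    ("2018-11-09T02:00:03", 4625, 10, "198.51.100.7", "admin"),
    ("2018-11-09T02:00:05", 4625, 10, "198.51.100.7", "backup"),
    ("2018-11-09T02:00:07", 4625, 10, "198.51.100.7", "scanner"),
    ("2018-11-09T02:00:09", 4625, 10, "198.51.100.7", "administrator"),
    ("2018-11-09T02:00:12", 4624, 10, "198.51.100.7", "administrator"),
    ("2018-11-09T02:10:00", 4625, 10, "203.0.113.9", "jsmith"),   # one typo, then success
    ("2018-11-09T02:10:30", 4624, 10, "203.0.113.9", "jsmith"),
    ("2018-11-09T02:31:00", 4625, 2, "198.51.100.7", "administrator"),  # console logon, ignored
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= `threshold` failed RDP logons inside a sliding
    `window`, and record whether a successful RDP logon followed the burst."""
    recent = defaultdict(list)   # source IP -> timestamps of recent RDP failures
    accounts = defaultdict(set)  # source IP -> distinct accounts tried from that source
    alerts = {}
    for ts, event_id, logon_type, src, user in events:
        if logon_type != 10:  # only RemoteInteractive (RDP) logons are relevant here
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            recent[src] = [f for f in recent[src] if t - f <= window] + [t]
            accounts[src].add(user)
            if len(recent[src]) >= threshold:
                alerts[src] = {
                    "failures": len(recent[src]),
                    "accounts": len(accounts[src]),
                    "success_after": None,
                }
        elif event_id == 4624 and src in alerts:
            # A successful logon right after a failure burst is the worst case:
            # the password has most likely been guessed and the host is compromised.
            alerts[src]["success_after"] = user
    return alerts

if __name__ == "__main__":
    for src, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(src, info)
```

A burst that ends in a success should be treated as an active intrusion rather than just noise, since that is exactly the foothold Dharma operators use before deploying the ransomware.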