Dharma ransomware made its first appearance in November 2016. The ransomware was spotted encrypting files with extensions such as .wallet, .dharma, .zzz, .brrr, and more.
Dharma ransomware was observed reaching victims through exposed RDP services. The attackers scan for systems running RDP (TCP port 3389) and then attempt to brute-force the password for those systems.
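The RDP brute-force stage described above leaves a recognisable trace on the target: a burst of failed logons (Windows Security Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a successful logon (Event ID 4624) from the same source. The following is an added example, not code from the original article or from any of the researchers it cites. It parses constructed, pipe-separated sample records (the format, the addresses and the account names are all made up for the example) and flags sources that exceed a failure threshold within a sliding window; the threshold of 5 failures in 10 minutes is an assumed tuning value, not a figure from the page.

```python
# Added example: detect RDP password brute-forcing from Windows logon records.
# Event ID 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP
# (RemoteInteractive). The log lines below are constructed sample data.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed records in the shape "timestamp|event_id|logon_type|source_ip|account".
SAMPLE_LOG = """\
2016-11-03 02:14:05|4625|10|203.0.113.7|administrator
2016-11-03 02:14:06|4625|10|203.0.113.7|admin
2016-11-03 02:14:08|4625|10|203.0.113.7|backup
2016-11-03 02:14:09|4625|10|203.0.113.7|administrator
2016-11-03 02:14:11|4625|10|203.0.113.7|sa
2016-11-03 02:14:13|4625|10|203.0.113.7|administrator
2016-11-03 02:14:15|4624|10|203.0.113.7|administrator
2016-11-03 02:30:00|4625|10|198.51.100.4|jsmith
2016-11-03 02:45:00|4625|10|198.51.100.4|jsmith
2016-11-03 03:10:00|4625|2|10.0.0.5|jsmith
"""

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_log(text):
    """Turn the pipe-separated sample records into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, account = line.split("|")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "account": account,
        })
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for every source that produced at least
    `threshold` failed RDP logons inside any `window`-long sliding window.
    Once a source is flagged, later failures are counted and a later
    successful RDP logon from it is recorded under "success_after", which is
    the signal that the brute force may have worked."""
    recent = defaultdict(deque)   # per-source failures inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue              # only RDP logons matter here
        src = ev["src"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[src]
            q.append(ev)
            while ev["ts"] - q[0]["ts"] > window:
                q.popleft()       # drop failures older than the window
            if src in alerts:
                alerts[src]["failures"] += 1
                alerts[src]["accounts"].add(ev["account"])
            elif len(q) >= threshold:
                alerts[src] = {
                    "first_failure": q[0]["ts"],
                    "failures": len(q),
                    "accounts": {e["account"] for e in q},
                    "success_after": None,
                }
        elif ev["event_id"] == SUCCESS_LOGON and src in alerts:
            if alerts[src]["success_after"] is None:
                alerts[src]["success_after"] = ev
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)).items():
        outcome = "then SUCCEEDED" if alert["success_after"] else "no success seen"
        print(f"{src}: {alert['failures']} failed RDP logons against "
              f"{sorted(alert['accounts'])} starting {alert['first_failure']}, {outcome}")
```

On the sample data only 203.0.113.7 is flagged: the two failures from 198.51.100.4 are 15 minutes apart and fall outside the window, and the failure from 10.0.0.5 is logon type 2 (local console), not RDP. The "success_after" field is the part worth paging someone for, since a successful logon after a password-guessing burst is the point at which a Dharma-style intrusion would begin.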
Once victims are infected with Dharma ransomware, they are presented with a ransom note that instructs them to email the attackers for further instructions. The note states that the price of the ransom depends on how fast the victims respond.
The note also offers a ‘free decryption as guarantee’ option, giving victims the chance to have up to three files decrypted for free.
Master decryption keys for Dharma ransomware released
In March 2017, the master decryption keys for Dharma ransomware were released, and they were used to update the RakhniDecryptor tool so that it could decrypt files encrypted by Dharma.
Later the same year, the master decryption keys for the .wallet version of Dharma ransomware were released.
New variants of Dharma ransomware
The attack on ABH hospital
Dharma ransomware attacked ABH hospital, stealing patient records. The ransomware encrypted most of the hospital’s data, including patients’ personal information such as names, home addresses, dates of birth, Social Security numbers, driver’s license numbers, credit card information, phone numbers, and medical data.
The hospital believed that the data was only encrypted and had not been accessed by any unauthorized parties. Nevertheless, it removed the ransomware from the infected systems.
The attack on ABCD Children's Pediatrics
ABCD Children's Pediatrics in San Antonio was hit by Dharma ransomware, compromising the personal information of almost 55,447 patients. The ransomware encrypted the stolen personal data of these 55,447 patients.
The Attack on Urology Austin
The Dharma ransomware attack on Urology Austin affected almost 279,663 patients. The attack led to Urology Austin compromising the personal and health information of 277,663 patients. The compromised information included patient names, addresses, dates of birth, Social Security numbers, and medical information.
The attack on Metropolitan Urology
Metropolitan Urology was hit by a Dharma ransomware attack exposing the data of nearly 17,634 patients. Two of the organization’s servers were infected by the Dharma ransomware, which led to the exposure of patients’ data.
The exposed information included patients’ names, account numbers, provider identification, medical procedure codes, and data on the services provided. About five of these patients also had their Social Security numbers exposed.
Researchers' recommendations