The CrySIS/Dharma ransomware family continues to evolve, with new versions cropping up in the wild. After the source code of one variant leaked, several attackers began repurposing it and deploying new versions of the malware, so new variants of this particular ransomware are now encountered frequently.

Initial access

To gain access to a victim's machine, CrySIS/Dharma operators abuse exposed RDP servers and also attempt to get in through phishing. In the phishing campaigns, the attachments are often disguised as installers for genuine software, such as antivirus products.

Minor differences in new variants

Cyble Researchers have observed multiple new variants, most of which differ only slightly from one another in their file extensions and ransom notes.
  • When executed, all the new variants set the console to code page 1251, which supports Cyrillic script.
  • The variants then delete the device's shadow copies to hinder any attempt at recovery.
  • A copy of the ransomware is placed in the host's startup folder so that it is launched again whenever the system restarts.
  • The extension appended to encrypted files identifies the attacker operating the ransomware and therefore varies widely. Observed extensions include .mao, .CY3, and .d0n.

Post-encryption activities/details

  • Post-encryption, the ransomware launches the Microsoft HTML Application host (MSHTA) to process and display a file, Info[.]hta, that contains the ransom details. Copies of this file are saved in four separate locations.
  • While variations have been observed in the ransom notes, all of them include a method to reach the attacker.
  • In addition to the Info[.]hta file, a separate file named info[.]txt is dropped. It includes a shortened set of instructions to reach the attacker. A copy of this file is dropped at multiple locations.
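The behaviors in the two lists above (shadow copy deletion, a copy written to the startup folder, and MSHTA rendering a dropped .hta note) lend themselves to the kind of behavior-based detection the report calls for. The following is an added example, not code from Cyble's or Cyware's report: it runs simple rules over constructed endpoint events and reports an originating process that exhibits two or more of these behaviors. The event fields, file names, and the vssadmin/wmic/wbadmin command patterns are assumptions, not indicators taken from the page.

```python
import re
from collections import defaultdict

# Constructed sample endpoint events (not real telemetry). "actor" is the image
# responsible for the event so behaviours can be grouped per originating process.
EVENTS = [
    {"type": "process", "actor": r"C:\Users\a\Downloads\AV_Setup.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "file", "actor": r"C:\Users\a\Downloads\AV_Setup.exe",
     "target": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV_Setup.exe"},
    {"type": "process", "actor": r"C:\Users\a\Downloads\AV_Setup.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\a\Desktop\Info.hta"'},
    # Benign: an administrator merely listing shadow copies must not be flagged.
    {"type": "process", "actor": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# Assumed command-line patterns for the three behaviours described in the report.
SHADOW_DELETE = re.compile(r"delete\s+shadows|shadowcopy\s+delete|delete\s+catalog", re.I)
STARTUP_DROP = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.(exe|bat|cmd|vbs|js)$", re.I)
USER_HTA = re.compile(r"\\Users\\[^\"]*\.hta\b", re.I)

def classify(event):
    """Return the behaviour name a single event matches, or None."""
    if event["type"] == "process":
        exe = event["image"].rsplit("\\", 1)[-1].lower()
        if exe in {"vssadmin.exe", "wmic.exe", "wbadmin.exe"} and SHADOW_DELETE.search(event["cmdline"]):
            return "shadow_copy_deletion"
        if exe == "mshta.exe" and USER_HTA.search(event["cmdline"]):
            return "mshta_renders_dropped_hta"
    elif event["type"] == "file" and STARTUP_DROP.search(event["target"]):
        return "startup_folder_persistence"
    return None

def detect(events, threshold=2):
    """Group matched behaviours by actor; report actors showing at least `threshold` distinct ones."""
    hits = defaultdict(set)
    for ev in events:
        name = classify(ev)
        if name:
            hits[ev["actor"]].add(name)
    return {actor: sorted(names) for actor, names in hits.items() if len(names) >= threshold}

if __name__ == "__main__":
    for actor, behaviours in detect(EVENTS).items():
        print(actor, "->", ", ".join(behaviours))
```

Requiring two distinct behaviours from the same actor keeps a lone administrative vssadmin invocation or a legitimate .hta launch from raising an alert on its own.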

Concluding notes

Because new variants appear so frequently, it has become important to adopt behavior-based detection in addition to traditional signature-based security. Organizations should also make foundational changes to the frequency, location, and security of their data backups to properly deal with the evolving and expanding risk of ransomware.
Cyware Publisher