Dharma Ransomware Makes A New Hacking Tool To Turn Cyber Crime Easy
Well known Ransomware Family Named Dharma Reportedly Created A New Hacking Tool
The Dharma Ransomware-as-a-Service reportedly makes it easy for cyber criminals to do ransomware business by offering a new toolkit that can offer them to perform everything. Technically, RaaS operation is said to be a cyber crime model under which the developers use to manage ransomware development and payment system. At the moment, the experts have to say that affiliates are basically responsible for compromising victims and deploying the ransomware on targeted machine.
Since the model is based on affiliate marketing strategies, the developers use to earn around 30-40 percent of ransom payment, while the affiliates earn the rest of the money as commission.
As noticed in most of the enterprise based ransomware groups, they operate as a private RaaS model under which the most talented hackers are mostly invited to join. For an instance, the Revil RaaS needs all its potential affiliates to be interviewed and show the proof if they are really experienced hackers.
Although, the list of ransomware family is long, the oldest one is Dharma ransomware as of today. This ransomware was first named are CrySIS ransomware around March 2016, but later it came back with a new variant and named as Dharma ransomware which used to append with extension .dharma. Following the same, all its new strains are termed as Dharma.
In most of the cases, the enterprise based RaaS operation usually demands around a hundred thousands million dollars as ransom payments, the Dharma just asks their targets to pay with average demands around $9000 only.
However, with the new toolkit released and offered to its affiliates, its low price may reflect the low bar of entry.
Dharma Ransomware is offering a toolkit for its wannabe hackers
As per the researches from Sophos states, that Dharma caters to a less experienced affiliates and this is why its ransom demands are much lower in compare to other RaaS operations. With the help of newly created toolkit by Dharma developers, any wannabe hackers can manage to compromise a network.
Technically, this newly made toolkit is named as Toolbelt which is a Powershell script which if executes, allow the attackers to download and execute a number of possible tools from mapped Remote Desktop shared \\tsclient\e folder. While using the toolkit, the affiliates will require just to enter a number to corresponding tasks withing 62 included functions, and the task will be executed.
Once the command is passed through the utility, it downloads the essential executables from the Remote Desktop and share those over targeted machine and execute the same.
The aforementioned toolkit also allows the affiliates to spread through a newor with the help of various utilities like Mimikatz to harvest passwords, NorSoft Remote Desktop PassView to steal RDP passwords, and similarly many more other tools are used as well to deploy the ransomware successfully.
Experts have to say that the affiliates’ Remote Desktop share to be properly setup and accessible for the commands to execute correctly, after getting the toolkit. This remote share demonstrates that the toolkit is a part of a large package which is distributed by RaaS.
For those hackers who are not enough experienced, this toolkit includes all the programs that affiliates require to seal passwords and spread to other machine connected through a network, and finally manage to deploy the ransomware correctly.
Noticed pattern in Dharma ransomware attacks
During researchers and analysis by Sophos, they have noticed a pattern in Dharma attacks that a group of affiliates commonly perform many steps while using the toolkit, and the steps include:
- The attacker launched the toolbelt script (toolbelt.ps1 -it 1)
- delete-avservices.ps1
- GMER (gamer.exe)
- installing and launching ProcessHacker
- executing processhacker-2.39-setup.exe
- executing processhacker.exe
- :javsec.exe (Mimikatz /NL Brute wrapper)
- ipscan2.exe (Advanced IP Scanner)
- mstsc.exe
- takeaway.exe (ransomware package)
- executes winhost.exe (Dharma)
- executes purgememory.ps1
- ns2.exe (network scan)
According to researchers, it’s also found that RaaS use to provide its documentation as well regarding how to use to toolkit to spread the ransom attack laterally through a network. They have to say that they seen a number of cases of attacks and it all seems the documentation likely offers a set of steps to affiliates which they should follow in order to deploy the threat.
Means, with the creation of new toolkit by Dharma developers, they can easily recruit more potential affiliates, and this larger pool of distributors easily allows them to spread the malware globally to target a large number of victims easily, and taking through this approach, they can easily makeup the loss of smaller ransoms by increasing the volume of attacks.