New Dharma Ransomware Samples Spotted in the Wild

Delaware, USA – May 17, 2018 – A new version of Dharma ransomware was discovered on May 15 by researcher Michael Gillespie. The strain adds the .bip extension to encrypted files and generates two ransom notes. The appearance of a new ransomware variant may indicate preparation for the next malicious campaign. Dharma can be distributed both via spam emails and via compromised RDP connections. The ransomware deletes backups and Shadow Volume Copies and encrypts files on the attacked system as well as on mapped network drives and network shares. It then configures itself to run automatically and encrypt new files each time the system is started. The attackers tell victims to contact Beamsell@qq.com for further instructions. The ransom amount is not fixed; according to the ransom note, the price depends on how much time passes between the encryption and the victim's email. Dharma uses AES encryption, and at the moment there is no way to decrypt the files for free. In rare cases the ransomware fails to delete the shadow copies, and the victim can restore the data without paying the ransom.

Previous versions of Dharma ransomware were used primarily in attacks on organizations. Such attacks are very destructive, and recovering from their consequences requires a lot of time and money. For example, a recent attack with SamSam ransomware cost Atlanta more than $2.6 million. To monitor the security of RDP connections, you can use your SIEM with the Brute Force Detection and VPN Security Monitor use cases, which can notify your SIEM administrator when an attack begins.
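As an added illustration of the brute-force detection use case mentioned above (example code, not taken from the original article or from any SIEM product), the following sliding-window detector flags a source address that produces repeated failed RDP logons in a short period. The log format and all addresses and user names are constructed sample data; the assumed indicator of a failed RDP logon is Windows Security event ID 4625 with logon type 10 (RemoteInteractive).

```python
"""Sliding-window detector for RDP password guessing over Windows logon events."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not from a real system):
# "<timestamp> <event_id> <logon_type> <user> <source_ip>"
SAMPLE_EVENTS = [
    "2018-05-15T01:40:00 4625 10 jdoe 198.51.100.4",          # isolated failures,
    "2018-05-15T01:52:00 4625 10 jdoe 198.51.100.4",          # spaced > 5 min apart
    "2018-05-15T02:00:01 4625 10 administrator 203.0.113.7",  # start of a burst
    "2018-05-15T02:00:09 4625 10 admin 203.0.113.7",
    "2018-05-15T02:00:15 4625 3 svc_backup 198.51.100.4",     # network logon, not RDP
    "2018-05-15T02:00:31 4625 10 backup 203.0.113.7",
    "2018-05-15T02:01:02 4625 10 user 203.0.113.7",
    "2018-05-15T02:01:45 4624 10 jdoe 192.0.2.10",            # successful logon, ignored
    "2018-05-15T02:02:10 4625 10 test 203.0.113.7",           # 5th failure in 5 min
    "2018-05-15T02:02:40 4625 10 scanner 203.0.113.7",
    "2018-05-15T02:05:00 4625 10 jdoe 198.51.100.4",
]


def parse_event(line):
    """Split one constructed log line into typed fields."""
    ts, event_id, logon_type, user, src_ip = line.split()
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "user": user, "src_ip": src_ip}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {src_ip: alert} for every source with >= threshold failed RDP
    logons (event 4625, logon type 10) inside any sliding window."""
    recent = defaultdict(deque)   # src_ip -> failure timestamps still inside the window
    accounts = defaultdict(set)   # src_ip -> user names tried (spraying indicator)
    alerts = {}
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    for ev in events:
        if ev["event_id"] != 4625 or ev["logon_type"] != 10:
            continue
        q = recent[ev["src_ip"]]
        q.append(ev["ts"])
        accounts[ev["src_ip"]].add(ev["user"])
        while ev["ts"] - q[0] > window:   # drop failures that aged out of the window
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(ev["src_ip"], {"first": q[0], "attempts": 0})
            a["attempts"] = max(a["attempts"], len(q))
            a["last"] = ev["ts"]
            a["accounts"] = sorted(accounts[ev["src_ip"]])
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"ALERT {ip}: {alert['attempts']} failed RDP logons, accounts {alert['accounts']}")
```

The same loop can be fed by an event forwarder instead of the embedded list; the threshold and window are the two values to tune against the normal failed-logon rate of the monitored hosts.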