{"id":86147,"date":"2018-04-16T12:13:19","date_gmt":"2018-04-16T06:43:19","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=86147"},"modified":"2018-04-16T12:18:36","modified_gmt":"2018-04-16T06:48:36","slug":"dharma-ransomware-resurfaces-new-variant","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/dharma-ransomware-resurfaces-new-variant\/","title":{"rendered":"Dharma ransomware resurfaces with a new variant"},"content":{"rendered":"

A new variant of the Dharma ransomware (\u2018.arrow\u2019) has been observed in the wild. This variant appends the extension \u2018.arrow\u2019<\/strong> to the files it encrypts and spreads via spam emails.<\/p>\n

 <\/p>\n

How Dharma encrypts its victim\u2019s files<\/strong><\/p>\n

Once executed, the \u2018.arrow\u2019 variant of Dharma uses the below command to disable Windows\u2019 repair and backup<\/strong> option using vssadmin.exe.<\/p>\n

C:\\Windows\\system32\\vssadmin.exe, vssadmin delete shadows \/all \/quiet<\/p>\n

It creates the below process using mode.com which is a genuine process of Windows.<\/p>\n

C:\\Windows\\system32\\mode.com, mode\u00a0 con cp select=1251<\/p>\n

\"\"<\/p>\n

 <\/p>\n

 <\/p>\n

The actual use of mode.com is after the restart of the computer. It turns the settings of the communications port (COM port) to the default.<\/p>\n

\"\"<\/p>\n

Fig. 1 Command to delete the backup files.<\/p>\n

 <\/p>\n

After execution of the above commands, Dharma starts its encryption activity. During our analysis, we found that that the ransomware basically encrypts both PE and Non-PE files and the extensions which it successfully encrypts while generating the scenario are as follows.<\/p>\n

\u201cPNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRFEncodedFiles .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG\u201d<\/p><\/blockquote>\n

 <\/p>\n

The dropped infection marker files and encrypted files have the following pattern.<\/p>\n

\"\"<\/p>\n

Fig. 2 Encrypted files pattern.<\/p>\n

From the dropped infection marker files, .hta and .txt file have ransom note.<\/p>\n

Dharma\u2019s ransom note<\/strong><\/p>\n

\"\"<\/p>\n

Fig. 3 Ransom note<\/p>\n

\"\"<\/p>\n

Fig. 4 Ransom note<\/p>\n

Quick Heal proactively protects its users from the \u2018.arrow\u2019 variant of Dharma ransomware with its behavior-based and static detection features.<\/strong><\/p>\n

\u00a0\"\"<\/strong><\/p>\n

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Fig. 5 Behavior Detection<\/p>\n

\"\"<\/p>\n

\u00a0<\/strong>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Fig. 6 Static detection.<\/p>\n

 <\/p>\n

How to stay away from ransomware<\/strong><\/p>\n