{"id":86176,"date":"2018-05-02T15:57:50","date_gmt":"2018-05-02T10:27:50","guid":{"rendered":"https:\/\/blogs_admin.quickheal.com\/?p=86176"},"modified":"2018-05-09T17:54:12","modified_gmt":"2018-05-09T12:24:12","slug":"analysis-dharma-ransomware-outbreak-quick-heal-security-labs","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/analysis-dharma-ransomware-outbreak-quick-heal-security-labs\/","title":{"rendered":"An analysis of the Dharma ransomware outbreak by Quick Heal Security Labs"},"content":{"rendered":"<p>On April 25, 2018, Quick Heal Security Labs issued an advisory on a new ransomware outbreak: a sudden spike in Dharma ransomware infections. Dharma is an old family, but the variant behind this spike is new; it encrypts files and appends the \u201c.arrow\u201d extension to them, whereas earlier variants appended \u201c.dharma\u201d.<\/p>\n<p><strong>Infection Vector<\/strong><\/p>\n<p>Besides the RDP brute force attack described in the advisory, we suspect that any of the infection vectors below may be used to spread the ransomware.<\/p>\n<ol>\n<li>Spam and phishing emails<\/li>\n<li>Exploit kits<\/li>\n<li>SMB vulnerabilities (EternalBlue \/ MS17-010, etc.)<\/li>\n<li>Drive-by downloads<\/li>\n<li>Dropped by other malware<\/li>\n<\/ol>\n<p>Broadly, we group these infection vectors into two categories.<\/p>\n<ul>\n<li>Vector 1 &#8211; RDP Brute Force Attack<\/li>\n<li>Vector 2 \u2013 Other suspicious means<\/li>\n<\/ul>\n<p>Let\u2019s take a look at these infection vectors in detail.<\/p>\n<p><strong>Vector 1 &#8211; RDP Brute Force Attack<\/strong><\/p>\n<p>In this vector, the Remote Desktop Protocol (RDP) service listening on TCP port 3389 is targeted with a typical password brute force attack. Once the attacker guesses a valid administrative credential, they have an interactive session with administrative rights on the victim\u2019s machine and can carry out any type of attack. 
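<\/p>\n<p>The advisory\u2019s answer to this vector is the firewall policy listed below: RDP reachable only from addresses you control, and unused ports such as SMB closed. As an added example, not part of the original Quick Heal post, the PowerShell script below first summarises failed logons (Security event 4625) by source address to reveal a brute-force run against the host, then applies that policy with the built-in Windows Firewall cmdlets: the \u201cRemote Desktop\u201d rule group is scoped to management addresses and inbound SMB is blocked on the Public profile. The $ManagementNets ranges and the 50-attempt threshold are assumptions to adjust for your environment.<\/p>\n

```powershell
# Added example, not from the Quick Heal post: triage an Internet-exposed RDP host.
# Part 1 summarises failed logons (Security event 4625) per source address to
# surface a brute-force run; Part 2 applies the advisory's firewall policy with
# the built-in NetSecurity cmdlets. Run from an elevated PowerShell.
# ASSUMPTIONS: $ManagementNets (your jump hosts / VPN pool) and $Threshold are placeholders.

$ManagementNets = @('10.10.0.0/24', '192.0.2.10')
$Since          = (Get-Date).AddHours(-24)
$Threshold      = 50            # failed logons from one source before it is reported

# --- Part 1: who has been hammering the logon service? -----------------------
# 4625 = "An account failed to log on". Logon type 10 is RemoteInteractive (RDP);
# type 3 (Network) is what RDP produces when Network Level Authentication is on,
# so both are kept. The fields live in the event's XML <EventData> block.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Source    = $d['IpAddress']
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
        }
    } |
    Where-Object { ($_.LogonType -in '3', '10') -and $_.Source -and $_.Source -ne '-' }

$failed | Group-Object Source | Where-Object Count -ge $Threshold | Sort-Object Count -Descending |
    ForEach-Object {
        $users = ($_.Group.User | Sort-Object -Unique) -join ', '
        "[!] $($_.Name): $($_.Count) failed logons since $Since (accounts tried: $users)"
    }

# --- Part 2: restrict the ports instead of leaving them open to the Internet --
# Windows Firewall honours explicit Block rules before Allow rules, so the clean
# way to "deny public IPs" is to keep the profile default at Block for inbound
# traffic and scope the existing Allow rules to the addresses you control.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# The built-in "Remote Desktop" rule group (TCP/UDP 3389): allow only from management addresses.
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -RemoteAddress $ManagementNets

# SMB (TCP 445) must not be reachable from untrusted networks (MS17-010 / EternalBlue).
if (-not (Get-NetFirewallRule -DisplayName 'Block inbound SMB (Public)' -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName 'Block inbound SMB (Public)' -Direction Inbound `
        -Protocol TCP -LocalPort 445 -Profile Public -Action Block | Out-Null
}

# Verify: no enabled inbound Allow rule for 3389 may still accept connections from Any.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } | Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        if ($addr -contains 'Any') { "[!] rule '$($_.DisplayName)' still allows 3389 from Any" }
        else                       { "[ok] rule '$($_.DisplayName)' limited to: $($addr -join ', ')" }
    }
```

<p>Run it from an elevated PowerShell on the exposed host. Part 2 changes firewall state, so make sure the address you are connecting from is in $ManagementNets before running it, or you will cut off your own RDP session; the verification lines at the end flag any enabled inbound Allow rule that still accepts 3389 from Any.<\/p>\n<p>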
In this case, that foothold was used to run the ransomware. We also observed that, before executing the ransomware payload, the attacker uninstalls the security software installed on the system.<\/p>\n<p>We strongly advise our users to protect themselves by applying the following policies in the Quick Heal\/Seqrite firewall feature.<\/p>\n<ul>\n<li>Deny access from public IPs to important ports (in this case RDP port 3389)<\/li>\n<li>Allow access only from IPs which are under your control<\/li>\n<li>Along with the RDP port, we also suggest blocking SMB port 445. In general, block every port that is not in use.<\/li>\n<\/ul>\n<p>Get more such safety measures <a href=\"https:\/\/blogs.quickheal.com\/ransomware-alert-follow-steps-secure-system-ongoing-ransomware-attack\/\">here<\/a>.<\/p>\n<p><strong>Vector 2 \u2013 Other suspicious means<\/strong><\/p>\n<p>Here the source of the initial infection is unknown, but when we started analyzing the attack chain it led us to an interesting set of entries in the victim\u2019s registry: autorun PowerShell script entries under HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services, which drop and execute multiple malicious components. The components observed are listed below.<\/p>\n<ul>\n<li>Inf.exe &#8211; Enables RDP and runs the sticky keys exploit.<\/li>\n<li>i.exe &#8211; Gets the list of IP addresses from the ARP cache and sends it to the CnC server.<\/li>\n<li>ipcheck.exe &#8211; Also builds the list of IP addresses and passes it on to \u2018sc.exe\u2019.<\/li>\n<li>sc.exe &#8211; The WannaCry (MS17-010) scanner tool, which runs over the list of IP addresses passed by \u2018ipcheck.exe\u2019. 
The scan yields a list of vulnerable machines, which \u2018ipcheck.exe\u2019 sends to the CnC server.<\/li>\n<li>rc.exe &#8211; The main payload, i.e. the Dharma ransomware<\/li>\n<\/ul>\n<p><strong>Malicious registry entries<\/strong><\/p>\n<p>The malicious registry entries found are shown below.<\/p>\n<figure id=\"attachment_86177\" aria-describedby=\"caption-attachment-86177\" style=\"width: 650px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-86177\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Registry_Entry-650x95.png\" alt=\"\" width=\"650\" height=\"95\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Registry_Entry-650x95.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Registry_Entry-300x44.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Registry_Entry-768x113.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Registry_Entry-789x116.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Registry_Entry.png 1267w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-86177\" class=\"wp-caption-text\">Fig 1. PowerShell autorun registry entries<\/figcaption><\/figure>\n<p><strong>inf.exe<\/strong><\/p>\n<p>The \u2018inf.exe\u2019 component is mainly used to enable the Remote Desktop Protocol (RDP) on the victim\u2019s machine.<\/p>\n<p>It masquerades as Microsoft\u2019s genuine dllhost.exe (COM Surrogate) by carrying faked version information. 
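<\/p>\n<p>Before going into the details, here is a read-only triage script, added as an example and not part of the original analysis, that checks a host for the artefacts this section goes on to describe: services whose ImagePath launches PowerShell, the \u201cCOM Surrogate\u201d service pointing at a dllhost.exe copy inside a DllHost sub-folder of System32 (the genuine COM Surrogate is a file directly under System32), RDP switched on through fDenyTSConnections, a recently created local administrator, and the vssadmin shadow-copy deletion run by the ransomware payload. File hashes are compared against the MD5 list in the Indicators of compromise section at the end of this post. It uses only built-in cmdlets; Get-LocalUser and Get-LocalGroupMember need Windows 10 \/ Server 2016 or later, and the 4688 check only finds anything where process creation auditing with command-line logging is enabled.<\/p>\n

```powershell
# Added example, not from the Quick Heal post: read-only triage of one host for the
# artefacts this analysis attributes to inf.exe and rc.exe. Run from an elevated
# PowerShell. Built-in cmdlets only; Get-LocalUser / Get-LocalGroupMember need
# Windows 10 / Server 2016 or later. MD5s are the ones listed in the post's IOC section.

$findings = New-Object System.Collections.Generic.List[string]
$iocMd5   = @('7F37D17FCF507FBE7178882C9FBDE9DE', '75C661F9DE5ADDC39951609F4E6817D4',
              '05F62E28BE944C20650CD7A71B23312A', '9E34B848FFE0F59EBEDC987695B633C8',
              '70197A207C96188378B0B00833DC1EA1', '2C9369AD62175AF8C5B9F993443F4743',
              '551918E2DB5CD8EE29275D5BDA082192', '6E35AB370A9AD9398B5E90F16EFAD759',
              'EA0510F17D13DEED333CD785446B5C14', '7FA4B675B3413A2606C94B923B8B1E79')

# 1. Service persistence: ImagePath that starts PowerShell (the autorun entries of
#    Fig 1) or that points into a System32\DllHost\ sub-folder. The genuine COM
#    Surrogate is %SystemRoot%\System32\dllhost.exe, a file directly under System32.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $p.ImagePath) { return }                       # driver / no binary: skip
    if ($p.ImagePath -match 'powershell') {
        $findings.Add("service '$($_.PSChildName)' starts PowerShell: $($p.ImagePath)")
    }
    if ($p.ImagePath -match '\\System32\\DllHost\\') {
        $findings.Add("service '$($_.PSChildName)' runs from a DllHost sub-folder: $($p.ImagePath)")
    }
}

# 2. The dropped copy itself: is it there, is it Microsoft-signed, is its hash on the IOC list?
$drop = Join-Path $env:SystemRoot 'System32\DllHost\dllhost.exe'
if (Test-Path $drop) {
    $sig = Get-AuthenticodeSignature -FilePath $drop
    $md5 = (Get-FileHash -Path $drop -Algorithm MD5).Hash
    $hit = if ($iocMd5 -contains $md5) { ' (MATCHES IOC LIST)' } else { '' }
    $findings.Add("file $drop exists; signature=$($sig.Status); md5=$md5$hit")
}

# 3. RDP switched on: fDenyTSConnections = 0 means Terminal Services connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
if ($ts.fDenyTSConnections -eq 0) { $findings.Add('fDenyTSConnections=0: Remote Desktop is enabled') }

# 4. A local administrator created (or its password set) in the last 7 days.
#    S-1-5-32-544 is the well-known SID of the Administrators group on any language of Windows.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' | Where-Object ObjectClass -eq 'User'
Get-LocalUser | Where-Object { $_.PasswordLastSet -gt (Get-Date).AddDays(-7) } | ForEach-Object {
    if ($admins.Name -contains "$env:COMPUTERNAME\$($_.Name)") {
        $findings.Add("local admin '$($_.Name)' created/password set on $($_.PasswordLastSet)")
    }
}

# 5. Shadow-copy deletion by rc.exe. Needs 'Audit Process Creation' with command-line
#    logging enabled, otherwise event 4688 carries no command line and this finds nothing.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'vssadmin.*delete\s+shadows' } |
    ForEach-Object { $findings.Add("4688 at $($_.TimeCreated): vssadmin delete shadows") }

if ($findings.Count) { $findings | ForEach-Object { "[!] $_" } } else { '[ok] none of the indicators found' }
```

<p>A genuine Microsoft dllhost.exe reports a signature status of Valid; the dropped copy only borrows the version resource, so any other status on a file at that path is a finding in itself, with or without a hash match.<\/p>\n<p>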
Fig 2 compares the version information of \u2018inf.exe\u2019 with that of the real \u2018dllhost.exe\u2019.<\/p>\n<figure id=\"attachment_86178\" aria-describedby=\"caption-attachment-86178\" style=\"width: 477px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-86178\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Version_Details.png\" alt=\"\" width=\"477\" height=\"207\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Version_Details.png 477w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Version_Details-300x130.png 300w\" sizes=\"(max-width: 477px) 100vw, 477px\" \/><figcaption id=\"caption-attachment-86178\" class=\"wp-caption-text\">Fig 2. Fake version information of \u2018inf.exe\u2019 and \u2018dllhost.exe\u2019<\/figcaption><\/figure>\n<p>Once executed, it drops a copy of itself at \u2018<em>%system32%\\DllHost\\dllhost.exe<\/em>\u2019 (note the DllHost sub-folder; the genuine dllhost.exe is a file directly under system32).<\/p>\n<p>It registers this copy as a service named \u201cCOM Surrogate\u201d so that it runs automatically on the next boot:<\/p>\n<p><em>[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\COM Surrogate]<\/em><\/p>\n<p><em>&#8220;ImagePath&#8221;=C:\\Windows\\system32\\DllHost\\DllHost s<\/em><\/p>\n<p><em>&#8220;DisplayName&#8221;=&#8221;COM Surrogate&#8221;<\/em><\/p>\n<p>The malware then enables RDP in the following steps.<\/p>\n<p>Adds or modifies these registry values (fDenyTSConnections = 0 is the setting that permits Terminal Services connections):<\/p>\n<p>HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections = 0<\/p>\n<p>HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\AllowTSConnections = 0<\/p>\n<p>Executes these commands:<\/p>\n<figure id=\"attachment_86179\" aria-describedby=\"caption-attachment-86179\" style=\"width: 650px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-86179\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Terminal_Service_Entry-650x50.png\" alt=\"\" width=\"650\" height=\"50\" 
srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Terminal_Service_Entry-650x50.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Terminal_Service_Entry-300x23.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Terminal_Service_Entry.png 760w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-86179\" class=\"wp-caption-text\">Fig 3. Enable Remote Desktop<\/figcaption><\/figure>\n<p>Once RDP is enabled, it creates a new local user, taking the username from a hardcoded list and generating a random password for it. It then grants the new account administrative privileges and enables it for remote (RDP) sessions. Figure 4 shows the commands used to perform these steps.<\/p>\n<figure id=\"attachment_86180\" aria-describedby=\"caption-attachment-86180\" style=\"width: 650px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-86180\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Create_User_on-Victim_Machine-650x35.png\" alt=\"\" width=\"650\" height=\"35\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Create_User_on-Victim_Machine-650x35.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Create_User_on-Victim_Machine-300x16.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Create_User_on-Victim_Machine-768x41.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Create_User_on-Victim_Machine-789x42.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Create_User_on-Victim_Machine.png 1099w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-86180\" class=\"wp-caption-text\">Fig 4. 
Create a new user on the victim\u2019s machine<\/figcaption><\/figure>\n<p>Here is a hardcoded list of usernames:<\/p>\n<figure id=\"attachment_86181\" aria-describedby=\"caption-attachment-86181\" style=\"width: 128px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-86181\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/User_Names-128x390.png\" alt=\"\" width=\"128\" height=\"390\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/User_Names-128x390.png 128w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/User_Names.png 143w\" sizes=\"(max-width: 128px) 100vw, 128px\" \/><figcaption id=\"caption-attachment-86181\" class=\"wp-caption-text\">Fig 5. Hard-coded list of usernames<\/figcaption><\/figure>\n<p>It connects to a CnC server and sends victim\u2019s data.<\/p>\n<figure id=\"attachment_86182\" aria-describedby=\"caption-attachment-86182\" style=\"width: 650px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-86182\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Send_User_Info_Server-650x174.png\" alt=\"\" width=\"650\" height=\"174\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Send_User_Info_Server-650x174.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Send_User_Info_Server-300x80.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Send_User_Info_Server-768x205.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Send_User_Info_Server-789x211.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Send_User_Info_Server.png 854w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-86182\" class=\"wp-caption-text\">Fig 6. 
Sends user data to the CnC server<\/figcaption><\/figure>\n<p>The POST parameters sent to the CnC are as follows:<\/p>\n<p>bits: Processor 32\/64 bit<br \/>\ncpun: CPU details<br \/>\nosv: OS version<br \/>\nusername: Username of the created account<br \/>\nuserpass: Password of the created account.<\/p>\n<p>The server appears to be an information-collecting bot panel hosted at \u2018hxxp:\/\/92.63.197.52\/tundr\/info2.php\u2019. Since the URL is plain HTTP, the credentials of the newly created administrator account leave the machine unencrypted, which makes this POST a useful network signature.<\/p>\n<p><strong>i.exe \/ ipcheck.exe and sc.exe<\/strong><\/p>\n<p>Together these components scan the other systems on the local network for the MS17-010 (WannaCry) vulnerability and report the result to the server mentioned above.<\/p>\n<p><strong>i.exe \/ ipcheck.exe <\/strong>collect the IPs present in the ARP cache with the following command:<\/p>\n<figure id=\"attachment_86184\" aria-describedby=\"caption-attachment-86184\" style=\"width: 312px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-86184\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Executeing_Arp_command.png\" alt=\"\" width=\"312\" height=\"61\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Executeing_Arp_command.png 312w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Executeing_Arp_command-300x59.png 300w\" sizes=\"(max-width: 312px) 100vw, 312px\" \/><figcaption id=\"caption-attachment-86184\" class=\"wp-caption-text\">Fig 7. 
Command to check IPs present in ARP cache<\/figcaption><\/figure>\n<p>Output:<\/p>\n<figure id=\"attachment_86185\" aria-describedby=\"caption-attachment-86185\" style=\"width: 442px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-86185\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Output_of_Arp_Command.png\" alt=\"\" width=\"442\" height=\"55\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Output_of_Arp_Command.png 442w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Output_of_Arp_Command-300x37.png 300w\" sizes=\"(max-width: 442px) 100vw, 442px\" \/><figcaption id=\"caption-attachment-86185\" class=\"wp-caption-text\">Fig 8. Output: IPs present in ARP cache<\/figcaption><\/figure>\n<p>The component runs the command with its standard output redirected to a pipe, reads that output, extracts the IP addresses from it and passes each of them as input to \u2018sc.exe\u2019.<\/p>\n<p>\u2018sc.exe\u2019 is the WannaCry scanner tool by BiZone, a vulnerability scanner for MS17-010: it scans the IP given as input and writes the result to out.txt. Note that this is an attacker-supplied binary that only shares its name with the Windows service control utility sc.exe; it runs from the malware\u2019s working directory, not from System32.<\/p>\n<figure id=\"attachment_86186\" aria-describedby=\"caption-attachment-86186\" style=\"width: 271px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-86186\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Wannacry_Scanner_tool.png\" alt=\"\" width=\"271\" height=\"40\" \/><figcaption id=\"caption-attachment-86186\" class=\"wp-caption-text\">Fig 9. 
WannaCry scanner tool<\/figcaption><\/figure>\n<p><strong>Command executed: <\/strong><\/p>\n<figure id=\"attachment_86187\" aria-describedby=\"caption-attachment-86187\" style=\"width: 650px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-86187\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Wannacry_Scanner_tool_Command_Executed.png-650x50.jpg\" alt=\"\" width=\"650\" height=\"50\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Wannacry_Scanner_tool_Command_Executed.png-650x50.jpg 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Wannacry_Scanner_tool_Command_Executed.png-300x23.jpg 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Wannacry_Scanner_tool_Command_Executed.png-768x59.jpg 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Wannacry_Scanner_tool_Command_Executed.png.jpg 783w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-86187\" class=\"wp-caption-text\">Fig 10. 
WannaCry scanner tool scanning an IP.<\/figcaption><\/figure>\n<p>The above command is executed for every IP present in the ARP cache list.<\/p>\n<p>The output of the command in the above figure is saved to out.txt in the working directory:<\/p>\n<figure id=\"attachment_86188\" aria-describedby=\"caption-attachment-86188\" style=\"width: 650px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-86188\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Output_of_Wannacry_Scanner_tool-650x101.png\" alt=\"\" width=\"650\" height=\"101\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Output_of_Wannacry_Scanner_tool-650x101.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Output_of_Wannacry_Scanner_tool-300x47.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Output_of_Wannacry_Scanner_tool-768x120.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Output_of_Wannacry_Scanner_tool-789x123.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Output_of_Wannacry_Scanner_tool.png 983w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-86188\" class=\"wp-caption-text\">Fig 11. Output of WannaCry scanner tool.<\/figcaption><\/figure>\n<p>i.exe\/ipcheck.exe then parse \u201cout.txt\u201d to find the vulnerable systems among the ARP-cache IP list and send the count of vulnerable systems to the server, i.e. 
<strong>hxxp:\/\/92.63.197.52\/tundr\/infolan.php <\/strong>as shown in the figure below.<\/p>\n<figure id=\"attachment_86189\" aria-describedby=\"caption-attachment-86189\" style=\"width: 424px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-86189\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Send_Lan_Info_Server.png\" alt=\"\" width=\"424\" height=\"24\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Send_Lan_Info_Server.png 424w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Send_Lan_Info_Server-300x17.png 300w\" sizes=\"(max-width: 424px) 100vw, 424px\" \/><figcaption id=\"caption-attachment-86189\" class=\"wp-caption-text\">Fig 12. Sends the vulnerable system\u2019s information to the server<\/figcaption><\/figure>\n<p>The figure shows the data sent to the server: the number of vulnerable systems, here 9.<\/p>\n<p><strong>rc.exe<\/strong><\/p>\n<p>rc.exe is the main payload, i.e., the <strong>Dharma ransomware<\/strong>. This variant appends the extension \u2018<strong>.arrow\u2019<\/strong>\u00a0to the files it encrypts.<\/p>\n<p>Once executed, it uses the following command to delete all Volume Shadow Copies through vssadmin.exe, which removes the data behind Windows\u2019\u00a0<strong>repair and backup <\/strong>features (Previous Versions and System Restore) that could otherwise be used to recover the files.<\/p>\n<p><em>C:\\Windows\\system32\\vssadmin.exe, vssadmin delete shadows \/all \/quiet<\/em><\/p>\n<p>It also runs the following command through mode.com, a genuine Windows utility; code page 1251 is the Windows Cyrillic code page.<\/p>\n<p><em>C:\\Windows\\system32\\mode.com, mode\u00a0con cp select=1251<\/em><\/p>\n<figure id=\"attachment_86190\" aria-describedby=\"caption-attachment-86190\" style=\"width: 650px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-86190\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Command_to_delete_the_backup_files-650x67.png\" alt=\"\" width=\"650\" height=\"67\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Command_to_delete_the_backup_files-650x67.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Command_to_delete_the_backup_files-300x31.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Command_to_delete_the_backup_files-768x79.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Command_to_delete_the_backup_files-789x81.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Command_to_delete_the_backup_files.png 996w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-86190\" class=\"wp-caption-text\">Fig. 13 Command to delete the backup files.<\/figcaption><\/figure>\n<p>After executing the above commands, Dharma starts its encryption activity. During our analysis we found that the ransomware encrypts both PE and non-PE files; the extensions it successfully encrypted while we reproduced the scenario are as follows.<\/p>\n<p>\u201c.PNG .PSD .PSP .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV .DWG .DXF .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML .DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX .INI .PRF .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD .SDF .TAR .TAX2014 .TAX2015 .VCF .XML .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV .3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG .CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG .BZ2 .1CD\u201d<\/p>\n<p>If the file is larger than 98304 bytes, the ransomware overwrites the file in place with the encrypted content; otherwise it creates a new file with the encrypted content and deletes the original. Files with the extensions listed above are encrypted with AES-256. The AES key is in turn encrypted with RSA-1024, and this encrypted AES key is stored at the end of the encrypted file, so the data cannot be recovered without the attacker\u2019s RSA private key.<\/p>\n<p>The dropped infection marker files and the encrypted files follow the pattern below.<\/p>\n<figure id=\"attachment_86191\" aria-describedby=\"caption-attachment-86191\" style=\"width: 650px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-86191\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Encrypted_files_Extension-650x215.png\" alt=\"\" width=\"650\" height=\"215\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Encrypted_files_Extension-650x215.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Encrypted_files_Extension-300x99.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Encrypted_files_Extension-768x254.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Encrypted_files_Extension-789x260.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Encrypted_files_Extension.png 839w\" sizes=\"(max-width: 650px) 100vw, 650px\" 
\/><figcaption id=\"caption-attachment-86191\" class=\"wp-caption-text\">Fig. 14 Encrypted file extensions.<\/figcaption><\/figure>\n<p>Among the dropped infection marker files, the .hta file carries the ransom note.<\/p>\n<p><strong>Dharma\u2019s ransom note<\/strong><\/p>\n<figure id=\"attachment_86192\" aria-describedby=\"caption-attachment-86192\" style=\"width: 650px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-86192\" src=\"https:\/\/blogs_admin.quickheal.com\/wp-content\/uploads\/2018\/05\/Ransom_note-650x306.png\" alt=\"\" width=\"650\" height=\"306\" srcset=\"https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Ransom_note-650x306.png 650w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Ransom_note-300x141.png 300w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Ransom_note-768x361.png 768w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Ransom_note-789x371.png 789w, https:\/\/www.quickheal.com\/blogs\/wp-content\/uploads\/2018\/05\/Ransom_note.png 1469w\" sizes=\"(max-width: 650px) 100vw, 650px\" \/><figcaption id=\"caption-attachment-86192\" class=\"wp-caption-text\">Fig. 
15 Ransom note<\/figcaption><\/figure>\n<p><strong>Indicators of compromise:<\/strong><\/p>\n<p>7F37D17FCF507FBE7178882C9FBDE9DE<br \/>\n75C661F9DE5ADDC39951609F4E6817D4<br \/>\n05F62E28BE944C20650CD7A71B23312A<br \/>\n9E34B848FFE0F59EBEDC987695B633C8<br \/>\n70197A207C96188378B0B00833DC1EA1<br \/>\n2C9369AD62175AF8C5B9F993443F4743<br \/>\n551918E2DB5CD8EE29275D5BDA082192<br \/>\n6E35AB370A9AD9398B5E90F16EFAD759<br \/>\nEA0510F17D13DEED333CD785446B5C14<br \/>\n7FA4B675B3413A2606C94B923B8B1E79<\/p>\n<p>hxxp:\/\/92.63.197.52\/tundr\/info2[.]php<br \/>\nhxxp:\/\/92.63.197.52\/tundr\/infolan[.]php<br \/>\nhxxp:\/\/cocinaparahombres.com\/nutricion\/i[.]exe<br \/>\nhxxp:\/\/cocinaparahombres.com\/nutricion\/sc[.]exe<br \/>\nhxxp:\/\/cocinaparahombres.com\/nutricion\/ipcheck[.]exe<br \/>\nhxxp:\/\/aloneintheweb.com\/assets\/info[.]exe<br \/>\nhxxp:\/\/www.netdenjd.com\/article\/inf[.]exe<\/p>\n<p><strong>We recommend our users to apply the latest Microsoft update packages and keep their antivirus <\/strong><strong>up-to-date.<\/strong><\/p>\n<p><strong>Subject Matter Experts<\/strong><\/p>\n<p>Prakash Galande, Pandurang Terkar, Dhwanit Shrivastava | Quick Heal Security Labs<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On April 25, 2018, Quick Heal Security Labs issued an advisory on a new ransomware outbreak. We are observing a sudden spike of Dharma Ransomware. Even though Dharma ransomware is old, we observed its new variant which is encrypting files and appending the \u201c.arrow\u201d extension to it. 
Previously the encrypted files were having the \u201c.dharma\u201d [&hellip;]<\/p>\n","protected":false},"author":12,"featured_media":84495,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,1495,151,910,5,36],"tags":[1593,1594,1595],"class_list":["post-86176","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware","category-nransomware","category-password","category-ransomware","category-security","category-security-patch","tag-dharma-ransomware","tag-rdp-brute-force","tag-remote-desktop-protocol"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86176"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=86176"}],"version-history":[{"count":11,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86176\/revisions"}],"predecessor-version":[{"id":86231,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/86176\/revisions\/86231"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/84495"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=86176"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=86176"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=86176"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}