Ranstop blocks new variant of Dharma(Crysis) ransomware

Ransomware test subject – Dharma (Crysis)

Dharma is no new ransomware. In fact, it has been around since 2016 and has seen, over time, nothing but improvements on all levels. Dharma is distributed using all possible methods, from RDP, email campaigns, infected downloads to exploit kits, mainly targeting businesses. In late 2018, Dharma gained even more notoriety after attacking the Altus Baytown Hospital in Texas (https://altushospital.org/news/notice-of-breach/), encrypting most patient records, but also other health-care institutions and government organizations.

Some variants came bundled with fake or even legitimate antivirus tools or even other legitimate software. The design distracts the user from the background processes which encrypt user files while also making the malware a little more convincing. Many are manually installable across entire networks, usually by exploiting or brute-forcing weakly protected Remote Desktop services. Some Dharma bundles even uninstall or disable some known anti-malware solutions to avoid detection.

Because Dharma gained such notoriety over time, a data recovery firm from Australia recently claimed that it could decrypt files attacked by the ransomware. Because Dharma implements encryption techniques that are almost impossible to decrypt without the actual encryption keys (stored on the C&C servers), many professionals believe that the firm simply pays the ransom on behalf of its customers.

Dharma ransomware – test findings

Our sample behaves like a classic Dharma variant. Once executed, it will immediately start encrypting, while also performing a few other operations. The malware collects some data about the infected system, alters the Windows Registry to maintain persistence, deletes system restore points and shadow volume copies of files, and sends all gathered information to the servers controlled by the cybercriminals behind the attack. Encrypted files are also renamed, a custom extension is appended to each of them, ending in ‘.abc’.

At the end of the encryption process, Dharma opens the ransom note and displays it to the user, while also dropping the same note on the desktop. It contains an email address (jackadams@airmail.cc) and some other instructions.

Businesses, but individuals as well, are advised to harden security measures and to use dedicated anti-ransomware solutions to protect their assets from Dharma variants.

Dharma ransomware vs Ranstop – test results

TEMASOFT Ranstop detects this version of Dharma ransomware soon after it starts encrypting files. Upon detection, alerts are triggered, and the malware process is stopped and quarantined. The changed files are automatically restored so that the user doesn’t lose any important document.

Click here to watch TEMASOFT Ranstop blocking Dharma(Crysis) ransomware (video)!

Learn how to protect against ransomware!

About TEMASOFT Ranstop

TEMASOFT Ranstop is an anti-ransomware software that detects present and future ransomware, based on file access pattern analysis with a high degree of accuracy. At the same time, it protects user files so that they can be restored in case of malware attacks or accidental loss.

For more information, follow us on social media and subscribe to our newsletter.