Credit to Author: Shriram Munde| Date: Mon, 16 Apr 2018 06:43:19 +0000
Estimated reading time: 3 minutesA new variant of the Dharma ransomware (‘.arrow’) has been observed in the wild. This variant appends the extension ‘.arrow’ to the files it encrypts and spreads via spam emails. How Dharma encrypts its victim’s files Once executed, the ‘.arrow’ variant of Dharma uses the below command to disable Windows’ repair and backup option using vssadmin.exe. C:Windowssystem32vssadmin.exe, vssadmin delete shadows /all /quiet It creates the below process using mode.com which is a genuine process of Windows. C:Windowssystem32mode.com, mode con cp select=1251 The actual use of mode.com is after the restart of the computer. It turns the settings of the communications port (COM port) to the default. Fig. 1 Command to delete the backup files. After execution of the above commands, Dharma starts its encryption activity. During our analysis, we found that that the ransomware basically encrypts both PE and Non-PE files and the extensions which it successfully encrypts while generating the scenario are as follows. “PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRFEncodedFiles .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG” The dropped infection marker files and encrypted files have the following pattern. Fig. 2 Encrypted files pattern. From the dropped infection marker files, .hta and .txt file have ransom note. Dharma’s ransom note Fig. 3 Ransom note Fig. 4 Ransom note Quick Heal proactively protects its users from the ‘.arrow’ variant of Dharma ransomware with its behavior-based and static detection features. Fig. 5 Behavior Detection Fig. 6 Static detection. How to stay away from ransomware Use a multi-layered antivirus that can stop real-time threats. Keep your antivirus up-to-date. Update your Operating System regularly as critical patches are released every day. Keep your software up-to-date. Never directly connect remote systems to the Internet. Do not click on links or download attachments in emails received from unknown sources. Take regular data backup and keep it in a secure location. Indicator of Compromise MD5: – d07bc4924a0b84f4f36871b47eed0593 Subject matter experts Priyanka Dhasade, Shalaka Patil, Shashikala Halagond | Quick Heal Security Labs The post Dharma ransomware resurfaces with a new variant appeared first on Quick Heal Technologies Security Blog | Latest computer security news, tips, and advice.