Color by numbers: inside a Dharma ransomware-as-a-service attack

Credit to Author: gallagherseanm | Date: Wed, 12 Aug 2020 12:30:45 +0000

Dharma, a family of ransomware first spotted in 2016, continues to . Part of the reason for its longevity is that its variants have become the basis for ransomware-as-a-service (RaaS) operations—the fast-food franchise of cybercrime. Three recent attacks documented by SophosLabs and Sophos MTR have revealed a toolset used by Dharma “affiliates” that explains why attacks from so many different Dharma actors seem so identical, down to the tools and commands they use.

While other, newer ransomware families have grabbed recent headlines with high-profile victims and multi-million-dollar demands, Dharma has continued to be among the most profitable. In part that’s because actors with access to the source code continue to innovate around delivering the ransomware as a packaged business for less-sophisticated criminal operators. The Dharma RaaS we’ve investigated is targeted at entry-level cyber-criminals, and provides a paint-by-the-numbers approach to penetrating victims’ networks and launching ransomware attacks.

The actors using this particular RaaS are equipped with a package of pre-built scripts and “grey hat” tools that requires relatively little skill to operate. The Dharma operations we’ve documented use a combination of internal Windows tools, legitimate third-party “freeware” software, well-known security tools and publicly-available exploits, integrated together through bespoke PowerShell, batch, and AutoIT scripts. This pre-packaged toolkit, combined with back-end technical support, significantly extends the reach of the Dharma RaaS operators, allowing them to profit while their affiliates do the hands-on-keyboard work of breaching networks, dropping ransomware, and managing “customer service” with the victims.


Ransomware economics

Dharma, formerly known as CrySis, has many variants—well over  due to the sale and modification of its source code to multiple malware developers. Those transfers aren’t necessarily from the malware’s original authors, either—in March, a collection of source code for one variant of Dharma was offered for sale on Russian-language crime forums for $2000 through an intermediary.

A forum post from March 2020 offering the Dharma ransomware sourcecode for $2000.

Because of its availability, Dharma has become the center of a criminal ecosystem based on a “syndication” business model. Dharma RaaS providers offer the technical expertise and support, operating the back-end systems that support ransomware attacks. “Affiliates” (often entry-level cybercriminals) pay for the use of the RaaS, and carry out the targeted attacks themselves, using a standard toolkit. Other actors provide stolen credentials and other tools on criminal forums that enable the Remote Desktop Protocol attacks that are the predominant means of initial compromise for Dharma actors. (RDP attacks are the root cause of about 85 percent of Dharma attacks, based on statistics provided by Coveware.)

A dark web site selling RDP credentials, including some with administrative privileges. These marketplaces in some cases allow buyers to verify the accounts work before they buy them.

Ransom demands from Dharma actors trend below those of the other major types of targeted ransomware over the past year. In December of 2019, when the average ransomware demand had surged to $191,000, the average Dharma ransom demand was only $8,620. That’s in part due to the types of targets hit by Dharma (mostly small and medium businesses), and in part because of the skills, experience and location of the affiliates running the attacks. In any case, Dharma operators make up for the lower ransom demands with volume—Dharma remains one of the most profitable ransomware families, according to Coveware.

Dharma uses a complicated two-stage decryption process that partitions the affiliate actors from the actual key retrieval process. Victims who contact the attackers are given a first-stage tool that extracts information about the files that were encrypted into a text file. That text file gets cut-and-pasted into email and is sent back to the affiliates—who then have to submit that data through a portal for the RaaS to obtain the actual keys. This keeps the affiliates dependent on the RaaS, and it keeps them paying for service.

Just how well the decryption process works depends greatly on the expertise and the moods of the affiliates. Occasionally an actor will hold back some of the keys with additional demands. And there’s constant “churn” among the front-end actors, as the “subscriptions” of some to RaaS services expire and others with less experience take their place, resulting in occasional misfires.

The Dharma playbook

Most Dharma operators don’t make significant changes to the source. But Dharma RaaS operators appear to package together a number of tools and best practices for their “affiliates” to use once they’ve gotten onto a victim’s network.

These tools aren’t completely automated, as every attack does not follow the same exact steps. However, they do follow something amounting to step-by-step instructions, akin to a telemarketer’s script, allowing some room for improvisation. And one of those tools is a menu-driven PowerShell script that installs and launches the components required to spread ransomware across the network.

After getting an RDP connection, the attacker maps a directory containing the RaaS toolkit on their local drive as a network drive accessible from the remote desktop. The contents of this directory include a number of applications previously identified as potentially unwanted applications (such as the Mimikatz password extraction tool), customized hacking tools, and freeware versions of a variety of legitimate system utilities. (A full list of the files is included in the indicators of compromise file on SophosLabs’ GitHub page.)

The kit also includes the Dharma ransomware executable, and a collection of PowerShell scripts, most of which we were unable to recover for analysis. However, we did recover a master script from console logs. Called toolbelt.ps1, the menu-driven console script automates the use of the tools, allowing attackers to simply type in the number associated with each pre-scripted element.

When executed, it identifies itself in the console frame as “Toolbox,” and if executed with administrative privileges, advises the user/attacker, “Have fun, bro!”

The startup screen for toolbelt.ps1

The “menu” selections in Toolbox aren’t displayed as a menu by the script as it executes, though they are largely documented in the script itself. Tools are downloaded to the remote computer by the script as needed, executed, and in many cases deleted after use.

The menu commands we identified, by the numbers and symbols they are called by, were as follows:



The order in which the toolbelt.ps1 menu items are used varies, but we have observed common patterns among Dharma attackers. In one typical attack, we saw the operators take the following steps:

  • The attacker launched the toolbelt script (toolbelt.ps1 -it 1)
  • 10: delete-avservices.ps1
  • 15: GMER (gamer.exe)
  • 13: installing and launching ProcessHacker
    • executing processhacker-2.39-setup.exe
    • executing processhacker.exe
  • 222: javsec.exe (Mimikatz /NL Brute wrapper)
  • 34: ipscan2.exe (Advanced IP Scanner)
  • 32: mstsc.exe
  • 21: takeaway.exe (ransomware package)
    • executes winhost.exe (Dharma)
    • executes purgememory.ps1
  • 33: ns2.exe (network scan)
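As an added example (not code from the Sophos report or the Dharma toolkit), the Python below turns the observed sequence into a detection: it walks constructed process-creation records and raises one alert per host on which several of the toolkit components named above appear within an hour. The record format, the one-hour window, the three-stage threshold and the \\tsclient\ heuristic (redirected RDP client drives) are assumptions, not findings from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Toolkit names from the report's attack walk-through (mstsc.exe omitted: a standard Windows tool).
TOOLKIT_NAMES = {"toolbelt.ps1", "delete-avservices.ps1", "gamer.exe",
                 "processhacker-2.39-setup.exe", "processhacker.exe", "javsec.exe",
                 "ipscan2.exe", "takeaway.exe", "winhost.exe", "purgememory.ps1", "ns2.exe"}
# Assumed (general RDP behaviour, not from the report): a kit mapped from the attacker's
# local drive is reached through a \\tsclient\<drive>\ path on the remote desktop.
TSCLIENT_RE = re.compile(r"\\\\tsclient\\", re.IGNORECASE)

def parse_event(line):
    """Constructed record format: <iso-time>|<host>|<image path>|<command line>."""
    ts, host, image, cmdline = line.rstrip("\n").split("|", 3)
    return {"time": datetime.fromisoformat(ts), "host": host,
            "image": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}

def toolkit_hits(event):
    """Return the toolkit names referenced by one process-creation event."""
    text = f"{event['image']} {event['cmdline']}".lower()
    return {name for name in TOOLKIT_NAMES if name in text}

def detect(lines, window=timedelta(hours=1), min_stages=3):
    """One alert per host when >= min_stages distinct stages appear within window."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        hits = toolkit_hits(ev)
        if TSCLIENT_RE.search(ev["cmdline"]):
            hits.add("tsclient-launch")
        if hits:
            by_host[ev["host"]].append((ev["time"], hits))
    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):  # slide a window starting at each hit
            stages = set().union(*(h for t, h in events[i:] if t - start <= window))
            if len(stages) >= min_stages:
                alerts.append({"host": host, "first_seen": start, "stages": sorted(stages)})
                break
    return alerts

SAMPLE_LOG = [  # constructed sample telemetry, not data from the report
    "2020-08-01T10:02:11|SRV01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -File \\\\tsclient\\E\\toolbelt.ps1 -it 1",
    "2020-08-01T10:05:40|SRV01|C:\\Windows\\Temp\\gamer.exe|gamer.exe",
    "2020-08-01T10:09:02|SRV01|C:\\Users\\Public\\processhacker-2.39-setup.exe|processhacker-2.39-setup.exe /S",
    "2020-08-01T10:15:13|SRV01|C:\\Windows\\Temp\\javsec.exe|javsec.exe",
    "2020-08-01T11:30:00|WS07|C:\\Windows\\System32\\mstsc.exe|mstsc.exe /v:fileserver",
]
```

`detect(SAMPLE_LOG)` flags SRV01 (five stages inside the window, including the launch from a redirected client drive) and stays silent on WS07, where a lone mstsc.exe is ordinary administrative activity.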

Playing by the book

While the toolbelt.ps1 script is somewhat self-documenting, it’s clear that the end users of the script—the Dharma affiliates—are also operating from some other form of documentation. The “toolbelt” gives them all the access they need to move laterally across the network, exploiting domain administrator level credentials that they either steal or create through elevated privileges, but it’s not clear how fully automated some of the steps of that process are. Those steps are likely detailed in a how-to document created by the Dharma RaaS operators.

The ease with which Dharma attackers are able to take these tools and effectively spread ransomware on victims’ networks demonstrates the risks posed by both grey hat and legitimate but potentially unwanted administrative tools. And it underlines the risks associated with improperly secured RDP servers, the major vector for most targeted ransomware attacks. Given that many of these attacks are made with stolen credentials purchased in forums, the Dharma attacks may be just one of many intrusions onto victims’ networks.

The majority of these Dharma affiliate attacks can be blunted by ensuring RDP servers are patched and secured behind a VPN with multi-factor authentication. Organizations need to remain vigilant about credential theft through phishing, particularly as they adjust to having more employees working remotely. And attention needs to be paid to the access given to service providers and other third parties for business purposes.

Sophos detects the tools mentioned in this report as malware or PUAs. And data collected by Sophos MTR helps continuously improve detections of Dharma attacks. A full list of indicators of compromise, including detection names for the tools and malware mentioned in this report, can be found on SophosLabs’ GitHub page.

SophosLabs would like to acknowledge the contributions of Anand Ajjan, Andrew O’Donnell and Gabor Szappanos of SophosLabs, and Syed Shahram Ahmed and Peter Mackenzie of the Sophos MTR Incident Response team to this report.