{"id":12014,"date":"2018-04-15T23:20:03","date_gmt":"2018-04-16T07:20:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/04\/15\/news-5783\/"},"modified":"2018-04-15T23:20:03","modified_gmt":"2018-04-16T07:20:03","slug":"news-5783","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/04\/15\/news-5783\/","title":{"rendered":"Dharma ransomware resurfaces with a new variant"},"content":{"rendered":"

Credit to Author: Shriram Munde| Date: Mon, 16 Apr 2018 06:43:19 +0000<\/strong><\/p>\n

Estimated reading time: 3 minutesA new variant of the Dharma ransomware (\u2018.arrow\u2019) has been observed in the wild. This variant appends the extension \u2018.arrow\u2019 to the files it encrypts and spreads via spam emails.   How Dharma encrypts its victim\u2019s files Once executed, the \u2018.arrow\u2019 variant of Dharma uses the below command to disable Windows\u2019 repair and backup option using vssadmin.exe. C:Windowssystem32vssadmin.exe, vssadmin delete shadows \/all \/quiet It creates the below process using mode.com which is a genuine process of Windows. C:Windowssystem32mode.com, mode\u00a0 con cp select=1251     The actual use of mode.com is after the restart of the computer. It turns the settings of the communications port (COM port) to the default. Fig. 1 Command to delete the backup files.   After execution of the above commands, Dharma starts its encryption activity. During our analysis, we found that that the ransomware basically encrypts both PE and Non-PE files and the extensions which it successfully encrypts while generating the scenario are as follows. \u201cPNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRFEncodedFiles .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG\u201d   The dropped infection marker files and encrypted files have the following pattern. Fig. 2 Encrypted files pattern. From the dropped infection marker files, .hta and .txt file have ransom note. Dharma\u2019s ransom note Fig. 3 Ransom note Fig. 4 Ransom note Quick Heal proactively protects its users from the \u2018.arrow\u2019 variant of Dharma ransomware with its behavior-based and static detection features. \u00a0 \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Fig. 5 Behavior Detection \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Fig. 6 Static detection.   How to stay away from ransomware Use a multi-layered antivirus that can stop real-time threats. Keep your antivirus up-to-date. Update your Operating System regularly as critical patches are released every day. Keep your software up-to-date. Never directly connect remote systems to the Internet. Do not click on links or download attachments in emails received from unknown sources. Take regular data backup and keep it in a secure location.   Indicator of Compromise MD5: – d07bc4924a0b84f4f36871b47eed0593 \u00a0 Subject matter experts Priyanka Dhasade, Shalaka Patil, Shashikala Halagond | Quick Heal Security Labs \u00a0 \u00a0 \u00a0 \u00a0 The post Dharma ransomware resurfaces with a new variant appeared first on Quick Heal Technologies Security Blog | Latest computer security news, tips, and advice.
http:\/\/blogs.quickheal.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Credit to Author: Shriram Munde| Date: Mon, 16 Apr 2018 06:43:19 +0000<\/strong><\/p>\n

A new variant of the Dharma ransomware (\u2018.arrow\u2019) has been observed in the wild. This variant appends the extension \u2018.arrow\u2019 to the files it encrypts and spreads via spam emails.   How Dharma encrypts its victim\u2019s files Once executed, the \u2018.arrow\u2019 variant of Dharma uses the below command to disable…<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10459,10378],"tags":[666],"class_list":["post-12014","post","type-post","status-publish","format-standard","hentry","category-quickheal","category-security","tag-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12014","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=12014"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/12014\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=12014"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=12014"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=12014"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}