Dharma Ransomware Event

Severity: Low
Published: Fri Jun 12 2020 (06/12/2020, 00:00:00 UTC)
Source: CIRCL
Vendor/Project: misp-galaxy
Product: malpedia

Description

Dharma Ransomware Event

AI-Powered Analysis

Last updated: 06/19/2025, 14:18:53 UTC

Technical Analysis

The Dharma ransomware is a malware family known for encrypting victims' data to extort ransom payments. It primarily targets systems through the exploitation of external remote services (MITRE ATT&CK T1133) and the use of valid accounts (T1078), indicating that attackers often gain initial access by compromising legitimate credentials or leveraging exposed remote access protocols such as RDP. Once inside the network, Dharma employs scripting techniques (T1064) to automate its malicious activities, including file and directory discovery (T1083) and network share discovery (T1135), to identify valuable data and propagate across networked systems. The ransomware then encrypts data for impact (T1486), rendering files inaccessible and demanding payment for decryption keys. Despite its impactful behavior, the threat is currently assessed with a low severity rating, possibly due to limited exploitation in the wild or the availability of defensive measures. No patches are available for this ransomware, as it exploits access vectors rather than software vulnerabilities. Indicators of compromise are not provided, which may complicate detection efforts. The attack chain suggests that initial access is often gained through compromised credentials or exposed remote services, followed by lateral movement and encryption activities. The lack of known exploits in the wild and absence of a CVSS score indicate that while the ransomware is a known threat, its current operational impact may be limited or targeted.

Potential Impact

For European organizations, Dharma ransomware poses a significant risk to data confidentiality, integrity, and availability. Successful infection results in widespread encryption of files, potentially crippling business operations, especially in sectors reliant on continuous data access such as manufacturing, healthcare, and finance. The use of valid accounts and external remote services as attack vectors means that organizations with remote access infrastructure or weak credential management are particularly vulnerable. The ransomware’s ability to discover network shares and directories facilitates rapid lateral movement, increasing the scope of impact within an enterprise. Although currently rated as low severity, the operational disruption and potential financial losses from ransom payments, downtime, and recovery efforts can be substantial. Additionally, the lack of patches means organizations must rely on preventive controls and incident response capabilities. The threat also underscores the importance of securing remote access and credential hygiene to prevent initial compromise. Given the ransomware’s persistence and adaptability, European organizations should remain vigilant to prevent potential escalations or variants with higher impact.

Mitigation Recommendations

1. Enforce strong multi-factor authentication (MFA) on all remote access services to mitigate risks associated with compromised valid accounts.
2. Restrict and monitor remote desktop protocol (RDP) and other external remote services by limiting access to trusted IP addresses and using VPNs with strict access controls.
3. Implement robust credential management policies, including regular password changes, use of password managers, and monitoring for credential leaks on dark web sources.
4. Deploy network segmentation to limit lateral movement, ensuring that critical systems and network shares are isolated and access is granted on a least-privilege basis.
5. Utilize endpoint detection and response (EDR) solutions capable of detecting scripting activities and unusual file access patterns indicative of ransomware behavior.
6. Maintain up-to-date offline backups with tested restoration procedures to ensure data recovery without paying ransom.
7. Conduct regular user training focused on phishing and social engineering tactics that may lead to credential compromise.
8. Monitor logs for unusual authentication attempts, especially from external sources, and implement automated alerts for suspicious activities.
9. Disable or limit scripting capabilities where not necessary, or apply application control policies to restrict execution of unauthorized scripts.
10. Establish an incident response plan specifically addressing ransomware scenarios, including containment, eradication, and recovery steps.
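An added triage example, not part of this record or of the DFIR Report's rule set: a Python pass over constructed logon and process-creation events that flags the chain recommendations 5 and 8 are aimed at (external RDP logon, shadow copy deletion, event log clearing, mass termination of backup and mail services), using the command strings carried by the record's YARA rules. The event format, host names and user names are assumptions; the RDP source address is the one this record lists.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events (not from the report): "<host> <user> <src_ip> <event> <detail>".
# The RDP source IP is the one this record lists; hosts, users and commands are made up.
SAMPLE_LOG = """\
srv01 admin 10.0.0.5 logon type=10
srv01 admin 217.138.202.116 logon type=10
srv01 admin 217.138.202.116 process cmd.exe /c vssadmin delete shadows /all
srv01 admin 217.138.202.116 process wevtutil cl Security
srv01 admin 217.138.202.116 process taskkill /F /IM Veeam.Backup.MountService.exe
srv01 admin 217.138.202.116 process taskkill /F /IM MSExchangeTransport.exe
srv02 svc 10.0.0.9 process taskkill /F /IM notepad.exe
"""
# Command patterns taken from the strings in the record's YARA rules (Shadow.bat, LogDelete.bat, closeapps.bat).
PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin\s+delete\s+shadows", re.I),
    "event_log_clearing": re.compile(r"wevtutil\s+cl\b", re.I),
    "backup_or_mail_kill": re.compile(
        r"taskkill\s+/F\s+/IM\s+\S*(Veeam|MSExchange|EdgeTransport|sqlagent)", re.I),
}
KILL_THRESHOLD = 2  # one killed backup process is noise; several is the closeapps.bat pattern

def parse(line):
    # Five space-separated fields; the detail field may itself contain spaces.
    host, user, src, event, detail = line.split(" ", 4)
    return {"host": host, "user": user, "src": src, "event": event, "detail": detail}

def analyse(log_text):
    # Returns sorted (host, src_ip, finding) tuples for the attack chain the report describes.
    findings, kills = set(), Counter()
    for raw in log_text.strip().splitlines():
        ev = parse(raw)
        key = (ev["host"], ev["src"])
        # T1133/T1078: interactive RDP logon (type 10) from a non-private source address
        if ev["event"] == "logon" and "type=10" in ev["detail"] \
                and ipaddress.ip_address(ev["src"]).is_global:
            findings.add(key + ("external_rdp_logon",))
        if ev["event"] != "process":
            continue
        for name, pat in PATTERNS.items():
            if not pat.search(ev["detail"]):
                continue
            if name == "backup_or_mail_kill":
                kills[key] += 1
                if kills[key] < KILL_THRESHOLD:
                    continue
            findings.add(key + (name,))
    return sorted(findings)
```

On the sample above the private-address logon and the single unrelated taskkill on srv02 produce nothing, while srv01 yields all four findings attributed to the external source address.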

Technical Details

Threat Level: 3
Analysis: 0
UUID: 5ee3822c-6828-418c-b619-62de950d210f
Original Timestamp: 1592742357

Indicators of Compromise

IP

217.138.202.116 (rdp actor login source)

YARA

/*
   YARA Rule Set
   Author: DFIR Report
   Date: 2020-06-12
   Identifier: dharma-06-12-20
   Reference: https://thedfirreport.com/
*/

/* Rule Set ----------------------------------------------------------------- */

import "pe"

rule vssadmin_Shadow_bat {
   meta:
      description = "dharma-06-12-20 - file Shadow.bat"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-12"
      hash1 = "da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878"
   strings:
      $s1 = "vssadmin delete shadows /all" fullword ascii
   condition:
      uint16(0) == 0x7376 and filesize < 1KB and
      all of them
}

rule Network_Scanner_post_exploit_enumeration {
   meta:
      description = "dharma-06-12-20 - file NS.exe"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-12"
      hash1 = "f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446"
   strings:
      $s1 = "CreateMutex error: %d" fullword ascii
      $s2 = "--Error mount \\\\%s\\%s Code: %d" fullword wide
      $s3 = "-Found share \\\\%s\\%s" fullword wide
      $s4 = "--Share \\\\%s\\%s successfully mounted" fullword wide
      $s5 = "host %s is up" fullword ascii
      $s6 = "Get ip: %s and mask: %s" fullword wide
      $s7 = "GetAdaptersInfo failed with error: %d" fullword wide
      $s8 = "# Network scan and mount include chek for unmounted local volumes. #" fullword wide
      $s9 = "####################################################################" fullword wide /* reversed goodware string '####################################################################' */
      $s10 = "Share %s successfully mounted" fullword wide
      $s11 = "Error mount %s %d" fullword wide
      $s12 = "Failed to create thread." fullword ascii
      $s13 = " start scan for shares. " fullword wide
      $s14 = "# '98' was add for standalone usage! #" fullword wide
      $s15 = "Error, wrong value." fullword wide
      $s16 = "QueryDosDeviceW failed with error code %d" fullword wide
      $s17 = "FindFirstVolumeW failed with error code %d" fullword wide
      $s18 = "FindNextVolumeW failed with error code %d" fullword wide
      $s19 = "SetVolumeMountPointW failed with error code %d" fullword wide
      $s20 = "| + scan local volumes for unmounted drives. |" fullword wide
   condition:
      uint16(0) == 0x5a4d and filesize < 400KB and
      ( pe.imphash() == "0b0d8152ea7241cce613146b80a998fd" or 8 of them )
}

rule Dharma_ransomware_1pgp {
   meta:
      description = "dharma-06-12-20 - file 1pgp.exe"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-12"
      hash1 = "2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b"
   strings:
      $x1 = "C:\\crysis\\Release\\PDB\\payload.pdb" fullword ascii
      $s2 = "sssssbsss" fullword ascii
      $s3 = "sssssbs" fullword ascii
      $s4 = "9c%Q%f" fullword ascii
      $s5 = "jNYZO\\" fullword ascii
      $s6 = "RSDS%~m" fullword ascii
      $s7 = "xy ?*5" fullword ascii
      $s8 = "<a-g6J" fullword ascii
      $s9 = "]q)WtH?" fullword ascii
      $s10 = "s=9uo^" fullword ascii
      $s11 = "\"iMw\\e" fullword ascii
      $s12 = "{?nT*}2g" fullword ascii
      $s13 = "h*UqD*" fullword ascii
      $s14 = "b,_f n7" fullword ascii
      $s15 = "+mm7S%I" fullword ascii
      $s16 = "+L]DAb" fullword ascii
      $s17 = "nq0<3AD" fullword ascii
      $s18 = "U2cUbO" fullword ascii
      $s19 = ";C!|E2z" fullword ascii
      $s20 = "P)8$X=" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 300KB and
      ( pe.imphash() == "f86dec4a80961955a89e7ed62046cc0e" or ( 1 of ($x*) or 4 of them ) )
}

rule closeapps_bat {
   meta:
      description = "dharma-06-12-20 - file closeapps.bat"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-12"
      hash1 = "e25245f98a23596e03e51535beb0f73c000de63e473580c4c26e7b8b01b4e593"
   strings:
      $x1 = "taskkill /F /IM MSExchangeTransportLogSearch.exe" fullword ascii
      $x2 = "taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe" fullword ascii
      $x3 = "taskkill /F /IM MSExchangeTransport.exe" fullword ascii
      $x4 = "taskkill /F /IM EdgeTransport.exe" fullword ascii
      $x5 = "taskkill /F /IM Microsoft.Exchange.ServiceHost.exe" fullword ascii
      $x6 = "taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe" fullword ascii
      $x7 = "taskkill /F /IM agent.exe" fullword ascii
      $x8 = "taskkill /F /IM fdhost.exe" fullword ascii
      $x9 = "taskkill /F /IM MSExchangeThrottling.exe" fullword ascii
      $x10 = "taskkill /F /IM sqlagentc.exe" fullword ascii
      $x11 = "taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe" fullword ascii
      $x12 = "taskkill /F /IM Veeam.Backup.CatalogDataService.exe" fullword ascii
      $x13 = "taskkill /F /IM cbInterface.exe" fullword ascii
      $x14 = "taskkill /F /IM httpd.exe" fullword ascii
      $x15 = "taskkill /F /IM VeeamTransportSvc.exe" fullword ascii
      $x16 = "taskkill /F /IM cbService.exe" fullword ascii
      $x17 = "taskkill /F /IM Veeam.Backup.BrokerService.exe" fullword ascii
      $x18 = "taskkill /F /IM wsusservice.exe" fullword ascii
      $x19 = "taskkill /F /IM pvxcom.exe" fullword ascii
      $x20 = "taskkill /F /IM Veeam.Backup.MountService.exe" fullword ascii
   condition:
      uint16(0) == 0x6c3a and filesize < 10KB and
      1 of ($x*)
}

rule LogDelete_bat {
   meta:
      description = "dharma-06-12-20 - file LogDelete.bat"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-12"
      hash1 = "e17ca6c764352c0a74e1e6b80278bb4395588df4bed64833b1b127ea2ca5c5fd"
   strings:
      $s1 = "FOR /F \"delims=\" %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL \"%%I\") " fullword ascii
   condition:
      uint16(0) == 0x4f46 and filesize < 1KB and
      all of them
}

rule Everything_seach_tool {
   meta:
      description = "dharma-06-12-20 - file Everything.exe"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-12"
      hash1 = "35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413"
   strings:
      $x1 = "<assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersion=\"1.0\" xmlns:asmv3=\"urn:schemas-microsoft-com:asm.v3\"><a" ascii
      $s2 = "\" version=\"6.0.0.0\" processorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\"></assemblyIdentity></depen" ascii
      $s3 = "http://www.voidtools.com/downloads/" fullword ascii
      $s4 = "http://www.voidtools.com/downloads/#language" fullword ascii
      $s5 = "Folder\\shell\\%s\\command" fullword ascii
      $s6 = "Directory\\background\\shell\\%s\\command" fullword ascii
      $s7 = "Directory\\Background\\shell\\%s\\command" fullword ascii
      $s8 = "yIdentity version=\"1.0.0.0\" processorArchitecture=\"*\" name=\"Everything\" type=\"win32\"></assemblyIdentity><description>Eve" ascii
      $s9 = "; settings stored in %APPDATA%\\Everything\\Everything.ini" fullword ascii
      $s10 = "Host the pipe server with the security descriptor." fullword ascii
      $s11 = "http://www.voidtools.com/support/everything/" fullword ascii
      $s12 = "username:password@host:port" fullword ascii
      $s13 = "<html><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\"><meta name=\"viewport\" content=\"width=512\"><head" ascii
      $s14 = "\\\\.\\PIPE\\Everything Service" fullword ascii
      $s15 = "Everything Service Debug Log.txt" fullword wide
      $s16 = "Auto detect will attempt to read file contents with the associated IFilter." fullword ascii
      $s17 = "processed %I64u / %I64u file records" fullword ascii
      $s18 = "SERVICE_SERVER_COMMAND_REFS_MONITOR_READ_USN_JOURNAL_DATA read ok %d" fullword ascii
      $s19 = "Store settings and data in %APPDATA%\\Everything?" fullword ascii
      $s20 = "http://www.voidtools.com/donate/" fullword ascii
   condition:
      uint16(0) == 0x5a4d and filesize < 5000KB and
      ( pe.imphash() == "e7a8222fca78bde6fe29c9cc10d97ca2" or ( 1 of ($x*) or 4 of them ) )
}

/* Super Rules ------------------------------------------------------------- */

rule Everything_search_tool_super {
   meta:
      description = "dharma-06-12-20 - from files Everything.exe, Everything.exe"
      author = "DFIR Report"
      reference = "https://thedfirreport.com/"
      date = "2020-06-12"
      hash1 = "35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413"
      hash2 = "35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413"
   strings:
      $s1 = "-disable-run-as-admin" fullword ascii /* Goodware String - occured 1 times */
      $s2 = "type=%s;" fullword ascii /* Goodware String - occured 1 times */
      $s3 = "EVERYTHING" fullword ascii /* Goodware String - occured 1 times */
      $s4 = "-install-run-on-system-startup" fullword ascii /* Goodware String - occured 2 times */
      $s5 = "-uninstall-url-protocol" fullword ascii /* Goodware String - occured 2 times */
      $s6 = "-app-data" fullword ascii /* Goodware String - occured 2 times */
      $s7 = "-uninstall-service" fullword ascii /* Goodware String - occured 2 times */
      $s8 = "-uninstall-efu-association" fullword ascii /* Goodware String - occured 2 times */
   condition:
      ( uint16(0) == 0x5a4d and filesize < 5000KB and pe.imphash() == "e7a8222fca78bde6fe29c9cc10d97ca2" and ( all of them ) )
      or ( all of them )
}

Link

https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/

Malware sample (file name | MD5)

1pgp.exe | 1ebb6bb49ac1077c5e7eba4d56f6a3a1
closeapps.bat | 9b0d6df42f879ba969f82c7a0ab48bc6
Everything.exe | 8add121fa398ebf83e8b5db8f17b45e0
LogDelete.bat | fb9c610ba195f9b18a96b84c5e755df7
NS.exe | 597de376b1f80c06d501415dd973dcec
Shadow.bat | df8394082a4e5b362bdcb17390f6676d

File

1pgp.exe
closeapps.bat
Everything.exe
LogDelete.bat
NS.exe
Shadow.bat

Size in bytes

94720
3611
1668200
63
128000
28

Text

%USERPROFILE%\Desktop\Oc\NS.exe

Threat ID: 682c7adce3e6de8ceb7789e8

Added to database: 5/20/2025, 12:51:40 PM

Last enriched: 6/19/2025, 2:18:53 PM

Last updated: 8/17/2025, 3:26:34 PM
