In a recently published analysis by Sophos Labs, researchers have uncovered and detailed the tools typically deployed by affiliates of the Dharma Ransomware-as-a-Service (RaaS) model. This toolkit, which is mapped to a local network drive by an attacker, consists of several commonly used tools (including Mimikatz and webbrowserpassview), customized PowerShell tools, along with stagers for the Dharma ransomware executable. All of these tools are controlled by a menu-driven PowerShell console script known as toolbelt.ps1.
While Sophos was unable to recover some of the customized hacking tools, their analysis details the functionalities of toolbelt.ps1, and the activities that can be expected from it. Binary Defense threat researchers were able to find an interesting dropper for 2sys.ps1, which consisted of a batch script that dropped several individual base64 encoded files masquerading as certificates. By using the Windows system utility certutil to decode and assemble the fake base64 certificates, the Dharma attackers are attempting to evade SOC analysts looking at incoming Intrusion Detection System (IDS) alarms.
As ransomware actors need to profile a network and spread laterally before deploying ransomware, Binary Defense recommends the use of 24/7 SOC solutions, like Binary Defense’s Security Operations Task Force, or an internal security team that is able to monitor 24 hours a day. Additionally, employing a defense in depth strategy using multiple security controls and sensors to detect each stage of an attack, and testing the defense measures in order to find and close any vulnerable holes can help secure against attacks like these.
Color by numbers: inside a Dharma ransomware-as-a-service attack