According to ZDNet, the source code for Dharma has been posted for sale on two forums for just $2,000. Considering how much money criminals have extorted using Dharma, this represents a very low price for the source code. From November 2016 to November 2019 the group made more than $24 million and new variants are still being found in the wild today. Security researchers have not found any flaws in Dharma’s encryption implementation that would allow victims to decrypt data without paying the ransom.
Originally getting its start in 2016 under the name “CrySiS,” the group rebranded their ransomware as “Dharma” after master decryption keys were leaked. Dharma is considered to be a Ransomware-as-a-Service (RaaS) because it enables criminals who purchase access to the service to easily customize and deploy the ransomware for their own operations, even if they lack the technical skill to create ransomware on their own. As targeted attacks against larger businesses began to rise, a new variant going by the name of “Phobos” appeared that was used for the targeted attacks.
If the source code for Dharma becomes widely available, it could cause an increase in the number of criminal operators deploying ransomware. Binary Defense analysts have observed ransomware operators compromising corporate networks by guessing passwords to workstations or servers that have Remote Desktop (RDP) exposed to the Internet, or via other malware distributed through phishing. Threat actors make use of passwords compromised in other breaches or stolen through phishing email leading to fake login pages to gain remote access to corporate computers. Always keep anti-virus solutions up-to-date. When deploying security solutions for the enterprise, consider using an EDR (Endpoint Detection and Response) solution side-by-side with anti-virus products. Using an EDR solution or an MDR (Managed Detection and Response) can help spot threats before they spread too far. Analysts at the Binary Defense Security Operations Center detect threats on our clients’ workstations and servers 24-hours a day and respond quickly to contain infections, preventing minor incidents from becoming a source of major damage across the company. Most importantly, make backups! Backups should be created at regular intervals and stored offline. Many ransomware families look for connected USB devices and network drives, so multiple backups should exist in different locations to minimize the chance they could be infected as well.