Security researchers JAMESWT, TG soft and reecdeep have found a new malicious spam (malspam) email campaign delivering ransomware that is currently targeting Italian Windows users. The Dharma ransomware is a variant of another ransomware family called Crysis. Dharma has been active for several years; the new development is that it is being distributed through malspam emails instead of its traditional delivery method, hacked remote desktop services. This malspam campaign has also delivered the Ursnif keylogger.

Both payloads are delivered through emails that claim to be an invoice from a third-party company and contain a link to a ZIP file hosted on Microsoft OneDrive (onedrive.live.com). The ZIP file contains a JPEG image file and a Visual Basic Script (VBS) file. If the recipient double-clicks the VBS file to run it, the script attempts to download data from one of several malicious websites listed in the IOC section below. If the download is successful, the malware is installed.
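A mail or web gateway can catch this archive layout before a user opens it. The following is an added example, not code from the researchers: the function names `triage_zip` and `build_sample`, the extension lists and the sample file names are assumptions made for illustration.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Script types Windows Script Host runs on double-click; .vbs is the one described above.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}


def triage_zip(data: bytes) -> dict:
    """Classify the members of a ZIP and flag the script-plus-image layout."""
    result = {"scripts": [], "images": [], "other": [], "verdict": "clean"}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        result["verdict"] = "unreadable"
        return result
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            # Use the final suffix only: "invoice.jpg.vbs" is still a script.
            ext = PurePosixPath(info.filename).suffix.lower()
            if ext in SCRIPT_EXTS:
                result["scripts"].append(info.filename)
            elif ext in IMAGE_EXTS:
                result["images"].append(info.filename)
            else:
                result["other"].append(info.filename)
    if result["scripts"]:
        # A script beside an image and nothing else matches the archive described above.
        decoy = result["images"] and not result["other"]
        result["verdict"] = "block: script with image decoy" if decoy else "block: script"
    return result


def build_sample(names) -> bytes:
    """Build a constructed, harmless ZIP in memory with placeholder content."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed file names, not taken from the campaign.
    for names in (["fattura.jpg", "fattura.vbs"], ["report.pdf"]):
        print(names, "->", triage_zip(build_sample(names))["verdict"])
```

Because the archive is fetched from a OneDrive link rather than attached, the same check belongs on the web proxy or endpoint download path as well as the mail gateway.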
Indicators of Compromise (IOCs):