According to ZDNet, the source code for Dharma has been posted for sale on two forums for just $2,000. Considering how much money criminals have extorted using Dharma, this is a very low price for the source code. From November 2016 to November 2019, the group made more than $24 million, and new variants are still being found in the wild today. Security researchers have not found any flaws in Dharma’s encryption implementation that would allow victims to decrypt data without paying the ransom.
The ransomware got its start in 2016 under the name “CrySiS”; the group rebranded it as “Dharma” after master decryption keys were leaked. Dharma is considered Ransomware-as-a-Service (RaaS) because criminals who purchase access to the service can easily customize and deploy the ransomware for their own operations, even if they lack the technical skill to create ransomware on their own. As targeted attacks against larger businesses began to rise, a new variant named “Phobos” appeared and was used for those targeted attacks.