Threat Watch

Unskilled Iranian Hackers Behind Recent Dharma Ransomware Attacks

Originally reported by ZDNet, the cyber security firm Group-IB has identified a group of low-skilled hackers launching attacks against companies using a Dharma ransomware variant for file encryption. In the report published by Group-IB, researchers advised that the attacks have targeted companies located in Russia, Japan, China, and India. These attackers have used many different open-source or otherwise free reconnaissance tools. These tools include:

  • Masscan
  • NLBrute
  • Advanced Port Scanner
  • Defender Control
  • Your Uninstaller

These attackers have been using Remote Desktop Protocol (RDP) exposed to the Internet as an initial access point and running ransom schemes ranging from 1 to 5 bitcoins in ransom payment, which is approximately equivalent to between $11,000 and $58,000 USD at the time this was written. This ensures that the hackers are getting paid, but also helping them fly under the radar because their demands are much lower than those of so-called “big game” ransomware teams, which typically extort companies for millions of dollars.

ANALYST NOTES

The number one protective defense against this group is to secure remote desktop access behind a corporate VPN that requires strong two-factor authentication. As these attackers are less skilled, their reconnaissance stage is typically much noisier than more skilled attackers. Because of this, Binary Defense recommends a defense-in-depth security strategy that combines the use of 24/7 SOC monitoring, such as Binary Defense’s Security Operations Task Force with the use of backups adhering to the 3-2-1 backup rule, along with proper log collection in order to identify and remedy attacks like these before they can escalate to ransomware and damages.

Source:
https://www.zdnet.com/article/group-of-unskilled-iranian-hackers-behind-recent-attacks-with-dharma-ransomware/