What is mrB Ransomware?

As I’ve described in the introduction, mrB is a sample of Dharma ransomware, a malware family active since 2016. It is known for adding a long extension to every file it encrypts; it consists of the victim ID, contact email and the extension itself. At the end, the encrypted file name starts looking like this:

Media1.mp3 → Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB

MrB ransomware encrypts a wide range of file formats, from images and documents to files of some specific software suites. After finishing the encryption, it opens a pop-up ransom note in a form of HTA file, and also spawns a readme text file. The latter appears in every folder that contains the encrypted files. Below, you can see the contents of both ransom notes.

Contents of the readme text file:

Your data has been stolen and encrypted!

email us

mirror-broken@tuta[.]io

How to Recover Encrypted Files?

Unfortunately, there are no recovery options available for mrB ransomware. The imperfections in its early Dharma samples were used to make the decryptor, though the flaws were fixed, and it is not effective nowadays. Options you can find online, like “professional hackers” or file recovery services will at best act as a medium between you and the hackers. At worst, they will take your money and disappear.

The most effective option for file recovery is a decryptor tool, dedicated to the specific ransomware family. Those are usually released when a vulnerability in the encryption mechanism is found, or when ransomware servers are seized. It may sound like it is unlikely to happen, but there were 4 such decryptors released in the first months of 2024. Be patient, do not lose hope – and you get the files back.

For now, your best option in mrB ransomware file recovery is to seek for the possible backups. Social networks and email messages may act as ones – we usually ignore them for this purpose. Places like removable drives, NAS, or even your smartphone, where you could accidentally copy the files to, may keep unencrypted files. Even an older version of the file is better than nothing.

How to Remove mrB Ransomware?

One more important thing, that you should do before getting to any file recovery operations, is ransomware removal. Viruses like mrB ransomware do not cease to exist once the encryption is over. They keep idling in the background, waiting for new unencrypted files to appear. Therehence, it is essential to get rid of the infection before you can start further actions.

For ransomware removal, I’d recommend GridinSoft Anti-Malware. Effective and easy-to-use, this program will easily repel this malware and fix all the damage it dealt to the system. Just run a Full scan, wait until it finishes, and remove all the detected things. Further, with its proactive protection, you will never get infected with ransomware again.

The post MrB Ransomware (.mrB Files) – Analysis & File Decryption appeared first on Gridinsoft Blog.

What is SYSDF Ransomware?

SYSDF ransomware is a yet another example of Dharma ransomware, a malware family active since 2016. First detected on February 16, it appends its unique SYSDF extension to the files, along with the complex mask with the attack information. The latter includes victim ID and the contact email the victim is supposed to reach the hackers on. Following the encryption, the files start looking like the following:

Image1.png → Image1.png.id-C3B22A85.[Dec24hepl@aol.com].SYSDF

Upon finishing the encryption, malware creates its specific README!.txt files in each folder that includes encrypted files, and also on the desktop. Additionally, malware spawns and opens a file named info.hta, so it acts as notification for a victim. Below, you can see the messages from both ransom notes.

Text in the README!.txt ransom note:

Your data has been stolen and encrypted!

email us

Dec24hepl@aol.com or Dec24hepl@cyberfear.com

How to Recover .SYSDF Files?

Unfortunately, there are no options for Dharma ransomware decryption available at the moment. The majority of file recovery services of “certified hackers” you can meet online will in fact only arrange negotiations with cybercriminals. Paying them is not a great idea, as this motivates them to continue the attacks. Losing the files is unpleasant, that is for sure, but as statistics shows, there are quite a few opportunities to get them back.

Try searching for backups or file duplicates, stored away from the affected system or network. Even a past version of the file is better than nothing at all. Aside from the backups, there is quite a hope on ransomware decryptors that exploit vulnerabilities in the encryption mechanism and allow you to get the files back for free. For January and February 2024, 4 decryptors for different ransomware families were published. Patience is key here, and considering the latest trends, this becomes a more and more popular option.

How to Remove Ransomware?

But before you do any file recovery operations, it is important to remove the malware beforehand. It did not disappear after finishing the encryption: SYSDF is still active, seeking for the new files to cipher. And be sure, it will do this as soon as you get a fresh unencrypted file to the disk.

For ransomware removal, I’d recommend GridinSoft Anti-Malware. Its advanced detection techniques along with live database updates allow it to detect even the most recent malware samples. Run a Full scan, wait until it is over, remove the detected stuff – and your system will be ready to any further actions, free of malware.

The post SYSDF Ransomware (.SYSDF Files) – Malware Analysis & Removal appeared first on Gridinsoft Blog.

Dharma Ransomware Actors Detained in Ukraine

In the statement on the official website, Europol claimed searches in 30 properties in 4 cities in Ukraine, namely Kyiv, Cherkasy, Vinnytsia and Rivne. During the action, law enforcement detained the key person of the malware group, and some other actors. Searches also resulted in seizing a huge amount of data related to the criminal activity.

Detained persons are charged with compromising corporate networks in more than 70 countries around the globe and cryptocurrency laundering. Using malicious phishing, vulnerability exploitation and tactics the like, hackers were penetrating the networks. Further, they were using other tools to expand their presence in the environment and launch the ransomware attack. Overall, cybercriminals encrypted over 250 servers of different companies, which resulted in multi-million euro losses.

Europol has proven the relationship of the suspects to Dharma and Hive (which is defunct at the moment) ransomware groups. Investigation also shows that hackers are as well related to the spread of MegaCortex and LockerGoga ransomware back in late 2019. Dharma is the most active among the named ransomware, which is still an outsider of the modern threat landscape.

This operation accomplishes the list of anti-cybercrime actions that take place in Ukraine. Back in 2021, key criminals who standed behind Emotet malware were detained. Another operation that year led to the imprisonment of several cybercriminals related to the same Dharma gang. And even now, amidst the war course, local law enforcement are able to effectively cooperate with international agencies and combat cybercrime.

Europol Detains Group Members – But Why?

As usual, physical detainment of cybercriminals took quite some time, and required a team of investigators to perform property searches. This apparently became a redundant practice over the last time, as law enforcement tends to combat cybercrime in a different way.

The “Duck Hunt” operation, performed by the FBI in summer 2023, took place exclusively in the cloud. Law enforcement managed to detect and seize the entire network of tier 2 command servers of QakBot and managed to delete the malware from infected devices. Same story happened to the IPStorm botnet: the FBI beheaded the network of infected systems by seizing the command server and detaining its creator.

Is this practice effective? Yes, as it disrupts the malware operations, and makes it impossible for hackers to move on. At the same time though hackers remain free, and nothing stops them from joining other cybercrime groups. While decreasing the activity for a short period of time, this approach does not make a lot of difference in the long run.

The post Dharma Ransomware Criminals Captured in Ukraine, Europol Reports appeared first on Gridinsoft Blog.

Researchers believe Tycoon was used for targeted and very rare attacks, in favor of this theory says number of victims and applied delivery mechanism. Thus, the ransomware was clearly intended to attack small and medium-sized enterprises, as well as educational institutions and software developers.

“The use of Java and JIMAGE are unique. Java is very rarely used to write malware for endpoints, since Java Runtime Environment is required to execute the code. Image files are also rarely used for malware attacks”, — say BlackBerry experts.

In this case, the attack begins quite normally: the initial compromise is carried out through unsafe RDP servers that are “visible” from the Internet. However, the investigation showed that the attackers then use Image File Execution Options (IFEO) injection to ensure a stable presence in the system, launch a backdoor along with the Microsoft Windows On-Screen Keyboard (OSK), and disable anti-virus products using ProcessHacker.

Having gained a foothold in the company’s network, attackers launch a ransomware module in Java that encrypts all file servers connected to the network, including backup systems.

The encryptor itself is deployed from a ZIP archive containing a malicious Java Runtime Environment (JRE) assembly and a compiled JIMAGE image. This file format is typically used to store custom JRE images and is used by the Java Virtual Machine. Researchers note that this file format, first introduced along with Java 9, is poorly documented and developers overall rarely use it.

It is also noted that Tycoon deletes the source files after encryption, and overwrites them to accurately prevent information recovery. For this task is used the standard Windows utility cipher.ex. In addition, during encryption, the malware skips parts of large files to speed up the process, which leads to damage of these files and inability to use them.

In addition, each file is encrypted using a new AES key. The ransomware uses the asymmetric RSA algorithm to encrypt the generated AES keys, that is, to decrypt the information, a private attacker RSA key is required.

“However, one of the victims who asked for help on the Bleeping Computer forum published an RSA private key, allegedly obtained from the decryptor, which the victim acquired from the attackers. This key worked successfully to decrypt some files affected by the earliest version of Tycoon ransomware, which added the .redrum extension to encrypted files”, — write the experts, but warn that, unfortunately, for encrypted files with the .grinch and .thanos extensions, this tactics no longer work.

The researchers also identified a possible link between Tycoon and the Dharma/CrySIS ransomware, which, for example, also spread through infected pdf files. Their theory is based on the coincidence of email addresses, the similarity of texts from notes with a ransom demand, as well as the coincidence in the names that are assigned to encrypted files.

Interestingly that MyKingz botnet uses not exotic picture formats, but, for example, Taylor Swift to infect target machines.

The post Tycoon ransomware uses exotic JIMAGE format to avoid detection appeared first on Gridinsoft Blog.

Let me remind you that this year the FBI called Dharma the second most profitable ransomware in recent years during its report at the conference and RSA. Therefore, from November 2016 to November 2019, ransomware operators received $24 million in ransom from their victims.

The most dangerous ransomware last year, I recall, was called Emotet.

“The current sale of the Dharma code is likely to soon result in a leak to the public. That is, the malware will become available to a wider audience. This, in turn, will lead to a wide distribution of source code among many hack groups, and this will ultimately be followed by a surge of attacks”, – ZDNet quotes an unnamed information security expert.

However, the head of the cyber intelligence department at McAfee told ZDNet that the Dharma code has been circulating among hackers for a long time, and now it just arrived on public forums.

At the same time, the expert expressed the hope that sooner or later the source code will fall into the hands of information security specialists, and this will help to identify the shortcomings of the malware and create decoders.

“Dharma existed since 2016, and the ransomware underlying this malware was originally called CrySiS. It worked on the Ransomware-as-a-Service (RaaS) scheme, that is, other criminals could create their versions of malware to distribute, usually through spam campaigns, exploit kits, or RDP brute force”, – noted ZDNet reporters.

At the end of 2016, a user with the nickname crss7777 posted on the Bleeping Computer forums a link to Pastebin containing master keys from the CrySiS encryptor, which, as experts later established, were genuine. After that, CrySiS ceased to exist, “reborn” as Dharma.

Although Dharma keys suffered the same fate in 2017, this time the ransomware operators did not rebrand and continued to work, eventually turning their RaaS into one of the most popular ransomware on the market.

“So, in recent years, Dharma regularly receives updates. For example, in 2018 and 2019, the criminal underground adapted to new trends and moved from the mass distribution of ransomware through mail spam to targeted attacks on corporate networks. So did the Dharma operators”, – says the ZDNet publication.

It is noted that in the spring of 2019, a new strain of Phobos ransomware appeared on the network, used mainly for targeted attacks. Researchers at Coveware and Malwarebytes have noted that it is almost identical to Dharma. However, at the same time, Dharma did not stop existing and continued to work in parallel with Phobos. For example, Avast experts noticed three new versions of Dharma last week.

The post Dharma ransomware source code put for sale appeared first on Gridinsoft Blog.