Dharma Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/dharma/

MrB Ransomware (.mrB Files) – Analysis & File Decryption
https://gridinsoft.com/blogs/mrb-ransomware/
Wed, 21 Feb 2024
MrB ransomware is a new Dharma ransomware sample, discovered on February 21, 2024. It is distinctive for appending a composite extension to the encrypted files that ends in “.mrB”. This ransomware primarily attacks small companies and demands a ransom only for decrypting the files, i.e. it does not practice double extortion. Jakub Kroustek was the first to discover and report this sample.

What is mrB Ransomware?

As I’ve described in the introduction, mrB is a sample of Dharma ransomware, a malware family active since 2016. The family is known for appending a long extension to every file it encrypts; it consists of the victim ID, the contact email and the extension itself. The resulting encrypted file name looks like this:

Media1.mp3 → Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB

Image: files encrypted by mrB ransomware

MrB ransomware encrypts a wide range of file formats, from images and documents to files of specific software suites. After finishing the encryption, it opens a pop-up ransom note in the form of an HTA file and also drops a readme text file. The latter appears in every folder that contains encrypted files. Below, you can see the contents of both ransom notes.

Image: mrB ransomware pop-up note

Contents of the readme text file:

Your data has been stolen and encrypted!

email us

mirror-broken@tuta[.]io

How to Recover Encrypted Files?

Unfortunately, there are no recovery options available for mrB ransomware. Flaws in early Dharma samples were used to build a decryptor, but those flaws have since been fixed and the tool no longer works on current samples. Options you can find online, like “professional hackers” or file recovery services, will at best act as an intermediary between you and the attackers. At worst, they will take your money and disappear.

The most effective option for file recovery is a decryptor tool dedicated to the specific ransomware family. Those are usually released when a vulnerability in the encryption mechanism is found, or when ransomware servers are seized. It may sound unlikely, but 4 such decryptors were released in the first months of 2024. Be patient, do not lose hope – and you may get the files back.

File recovery options

For now, your best option for mrB ransomware file recovery is to search for possible backups. Email attachments and social network uploads can serve as backups, even though we rarely think of them that way. Places like removable drives, a NAS, or even your smartphone, where you may have copied files at some point, may still hold unencrypted copies. Even an older version of a file is better than nothing.

How to Remove mrB Ransomware?

One more important thing you should do before any file recovery operation is ransomware removal. Viruses like mrB ransomware do not cease to exist once the encryption is over. They keep idling in the background, waiting for new unencrypted files to appear. Therefore, it is essential to get rid of the infection before you take any further action.

For ransomware removal, I’d recommend GridinSoft Anti-Malware. Effective and easy to use, this program will repel this malware and fix the damage it dealt to the system. Just run a Full scan, wait until it finishes, and remove all the detected items. Further, with its proactive protection, you will not get infected with ransomware again.

SYSDF Ransomware (.SYSDF Files) – Malware Analysis & Removal
https://gridinsoft.com/blogs/sysdf-ransomware/
Sat, 17 Feb 2024
SYSDF is a ransomware-type program that belongs to the Dharma malware family. It mainly targets small companies, encrypting their files and then demanding a ransom payment for decryption. It was originally discovered by Jakub Kroustek on February 16, 2024.

What is SYSDF Ransomware?

SYSDF ransomware is yet another example of Dharma ransomware, a malware family active since 2016. First detected on February 16, it appends its unique SYSDF extension to the files as part of a composite extension that carries attack information: the victim ID and the contact email on which the victim is supposed to reach the hackers. Following the encryption, the files look like this:

Image1.png → Image1.png.id-C3B22A85.[Dec24hepl@aol.com].SYSDF

Upon finishing the encryption, the malware creates its README!.txt file in each folder that contains encrypted files, and also on the desktop. Additionally, it drops and opens a file named info.hta, which serves as the notification to the victim. Below, you can see the messages from both ransom notes.
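The composite extension described for mrB and SYSDF above follows one pattern: original name, then .id-&lt;victim ID&gt;, then the contact email in square brackets, then the family-specific extension. The following Python parser is an added example, not code from the Gridinsoft posts: it pulls those three fields out of file names and tallies a directory listing so a responder can see which campaign touched a share and which ransom notes were dropped. The regex, the 8-hex-character victim ID, the function names and the sample listing are assumptions and constructions based only on the two file names shown on this page; the ransom note names README!.txt and info.hta come from the SYSDF post. The email field is matched non-greedily so that a defanged address like tuta[.]io, as printed on this page, still parses.

```python
import re
from collections import Counter

# Dharma-style name: <original>.id-<victim id>.[<contact email>].<ext>
# The 8-hex-character victim ID is an assumption drawn from the samples
# on this page (C3B22A85). The email group is non-greedy so a defanged
# address such as tuta[.]io (as printed on the page) still matches.
DHARMA_NAME = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>.+?)\]\.(?P<ext>[^.\]]+)$"
)

# Ransom note file names taken from the SYSDF post (lower-cased for matching).
RANSOM_NOTE_NAMES = {"readme!.txt", "info.hta"}


def parse_dharma_name(name):
    """Return the parts of a Dharma-style encrypted file name, or None."""
    m = DHARMA_NAME.match(name)
    return m.groupdict() if m else None


def is_ransom_note(name):
    """True if the file name matches one of the known ransom note names."""
    return name.lower() in RANSOM_NOTE_NAMES


def summarize(names):
    """Tally a directory listing: encrypted files per campaign, victim IDs, notes."""
    parsed = [p for p in map(parse_dharma_name, names) if p]
    # A campaign is identified by the (contact email, extension) pair.
    campaigns = Counter((p["email"], p["ext"]) for p in parsed)
    return {
        "encrypted": len(parsed),
        "campaigns": dict(campaigns),
        "victim_ids": sorted({p["victim_id"] for p in parsed}),
        "ransom_notes": [n for n in names if is_ransom_note(n)],
    }


# Constructed listing: the two names from the page plus made-up neighbours.
SAMPLE_LISTING = [
    "Media1.mp3.id-C3B22A85.[mirror-broken@tuta[.]io].mrB",
    "Image1.png.id-C3B22A85.[Dec24hepl@aol.com].SYSDF",
    "budget-2024.xlsx.id-C3B22A85.[Dec24hepl@aol.com].SYSDF",
    "README!.txt",
    "info.hta",
    "notes.txt",
]

if __name__ == "__main__":
    for n in SAMPLE_LISTING:
        print(n, "->", parse_dharma_name(n))
    print(summarize(SAMPLE_LISTING))
```

Run it as a script to see the parsed fields for each sample name and the campaign tally; in practice you would feed it the output of a directory walk over the affected share, and the (email, extension) pairs it reports are the indicators to search for across other hosts.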

Image: SYSDF ransomware pop-up note

Text in the README!.txt ransom note:

Your data has been stolen and encrypted!

email us

Dec24hepl@aol.com or Dec24hepl@cyberfear.com

How to Recover .SYSDF Files?

Unfortunately, there are no options for Dharma ransomware decryption available at the moment. The majority of file recovery services and “certified hackers” you can meet online will in fact only arrange negotiations with the cybercriminals. Paying them is not a great idea, as it motivates them to continue the attacks. Losing the files is unpleasant, that is for sure, but as the statistics show, there are quite a few opportunities to get them back.

File recovery options

Try searching for backups or file duplicates stored away from the affected system or network. Even a past version of a file is better than nothing at all. Aside from backups, there is real hope in ransomware decryptors, which exploit vulnerabilities in the encryption mechanism and let you get the files back for free. In January and February 2024, 4 decryptors for different ransomware families were published. Patience is key here, and considering the latest trends, this is becoming a more and more realistic option.

How to Remove Ransomware?

But before you do any file recovery operations, it is important to remove the malware first. It did not disappear after finishing the encryption: SYSDF is still active, looking for new files to encrypt. And be sure, it will do so as soon as a fresh unencrypted file lands on the disk.

For ransomware removal, I’d recommend GridinSoft Anti-Malware. Its advanced detection techniques along with live database updates allow it to detect even the most recent malware samples. Run a Full scan, wait until it is over, remove the detected items – and your system will be ready for any further actions, free of malware.

Dharma Ransomware Criminals Captured in Ukraine, Europol Reports
https://gridinsoft.com/blogs/dharma-ransomware-captured/
Tue, 28 Nov 2023
On November 28, 2023, Europol announced the detention of ransomware operators linked to the Dharma and Hive ransomware. The operation took place in 4 Ukrainian cities and is most likely a continuation of a similar operation from 2021.

Dharma Ransomware Actors Detained in Ukraine

In the statement on its official website, Europol reported searches of 30 properties in 4 Ukrainian cities, namely Kyiv, Cherkasy, Vinnytsia and Rivne. During the action, law enforcement detained the key figure of the malware group and several other actors. The searches also resulted in the seizure of a large amount of data related to the criminal activity.

Image: Ukrainian Cyberpolice during the searches

The detained persons are charged with compromising corporate networks in more than 70 countries around the globe and with cryptocurrency laundering. The hackers penetrated the networks using phishing, vulnerability exploitation and similar tactics. They then used other tools to expand their presence in the environment and launch the ransomware attack. Overall, the cybercriminals encrypted over 250 servers of different companies, which resulted in multi-million euro losses.

Europol has established the suspects’ relationship to the Dharma and Hive (now defunct) ransomware groups. The investigation also shows that the hackers were involved in the spread of MegaCortex and LockerGoga ransomware back in late 2019. Dharma is the most active of the named families, though it remains a marginal player in the modern threat landscape.

This operation extends the list of anti-cybercrime actions taking place in Ukraine. Back in 2021, key criminals who stood behind the Emotet malware were detained. Another operation that year led to the imprisonment of several cybercriminals related to the same Dharma gang. And even now, amid the war, local law enforcement is able to cooperate effectively with international agencies and combat cybercrime.

Europol Detains Group Members – But Why?

As usual, the physical detention of cybercriminals took quite some time and required a team of investigators to perform property searches. This practice has apparently become less common lately, as law enforcement tends to combat cybercrime in a different way.

The “Duck Hunt” operation, performed by the FBI in summer 2023, took place exclusively in the cloud. Law enforcement managed to detect and seize the entire network of tier 2 command servers of QakBot and to delete the malware from infected devices. The same happened with the IPStorm botnet: the FBI decapitated the network of infected systems by seizing the command server and detaining its creator.

Is this practice effective? Yes, as it disrupts the malware operations and makes it impossible for the hackers to carry on. At the same time, though, the hackers remain free, and nothing stops them from joining other cybercrime groups. While it decreases activity for a short period of time, this approach does not make much difference in the long run.

Tycoon ransomware uses exotic JIMAGE format to avoid detection
https://gridinsoft.com/blogs/tycoon-ransomware-uses-exotic-jimage-format-to-avoid-detection/
Mon, 08 Jun 2020
BlackBerry experts have discovered an unusual multi-platform (for Windows and Linux) ransomware Tycoon. It is written in Java and uses JIMAGE image files to avoid detection.

Researchers believe Tycoon was used for targeted and very rare attacks; the small number of victims and the delivery mechanism used support this theory. The ransomware was clearly intended to attack small and medium-sized enterprises, as well as educational institutions and software developers.

“The use of Java and JIMAGE is unique. Java is very rarely used to write malware for endpoints, since the Java Runtime Environment is required to execute the code. Image files are also rarely used for malware attacks”, say BlackBerry experts.

In this case, the attack begins quite ordinarily: the initial compromise is carried out through insecure RDP servers exposed to the Internet. However, the investigation showed that the attackers then use Image File Execution Options (IFEO) injection to gain persistence in the system, launch a backdoor alongside the Microsoft Windows On-Screen Keyboard (OSK), and disable anti-virus products using ProcessHacker.

Image: Tycoon attack chain

Having gained a foothold in the company’s network, attackers launch a ransomware module in Java that encrypts all file servers connected to the network, including backup systems.

The encryptor itself is deployed from a ZIP archive containing a malicious Java Runtime Environment (JRE) build and a compiled JIMAGE image. This file format is typically used to store custom JRE images and is consumed by the Java Virtual Machine. Researchers note that the format, first introduced with Java 9, is poorly documented and rarely used by developers.

Image: contents of the Tycoon JIMAGE archive

It is also noted that Tycoon deletes the source files after encryption and overwrites them to prevent recovery, using the standard Windows utility cipher.exe for this task. In addition, during encryption the malware skips parts of large files to speed up the process, which damages those files and renders them unusable.

In addition, each file is encrypted with a new AES key. The ransomware uses the asymmetric RSA algorithm to encrypt the generated AES keys, so the attackers’ private RSA key is required to decrypt the data.

“However, one of the victims who asked for help on the Bleeping Computer forum published an RSA private key, allegedly obtained from the decryptor, which the victim acquired from the attackers. This key worked successfully to decrypt some files affected by the earliest version of Tycoon ransomware, which added the .redrum extension to encrypted files”, write the experts, but they warn that, unfortunately, for files encrypted with the .grinch and .thanos extensions this tactic no longer works.

The researchers also identified a possible link between Tycoon and the Dharma/CrySIS ransomware, which, for example, also spread through infected PDF files. Their theory is based on the overlap in email addresses, the similarity of the ransom note texts, and the overlap in the names assigned to encrypted files.

Interestingly, the MyKingz botnet uses not exotic image formats but, for example, a picture of Taylor Swift to infect target machines.

Dharma ransomware source code put for sale
https://gridinsoft.com/blogs/dharma-ransomware-source-code-put-for-sale/
Mon, 30 Mar 2020
ZDNet reports that the source code of one of the most profitable ransomware strains of our time, Dharma, was put up for sale on two hacker forums last weekend. The sources are offered for $2,000.

Let me remind you that this year the FBI called Dharma the second most profitable ransomware of recent years in its report at the RSA conference. Specifically, from November 2016 to November 2019, the ransomware operators received $24 million in ransom from their victims.

The most dangerous ransomware last year, I recall, was called Emotet.

“The current sale of the Dharma code is likely to soon result in a leak to the public. That is, the malware will become available to a wider audience. This, in turn, will lead to a wide distribution of the source code among many hack groups, and this will ultimately be followed by a surge of attacks”, ZDNet quotes an unnamed information security expert.

However, the head of the cyber intelligence department at McAfee told ZDNet that the Dharma code has been circulating among hackers for a long time, and now it just arrived on public forums.

Image: Dharma ransomware source code for sale

At the same time, the expert expressed the hope that sooner or later the source code will fall into the hands of information security specialists, which will help identify the shortcomings of the malware and create decryptors.

“Dharma has existed since 2016, and the ransomware underlying this malware was originally called CrySiS. It worked on the Ransomware-as-a-Service (RaaS) scheme, that is, other criminals could create their own versions of the malware to distribute, usually through spam campaigns, exploit kits, or RDP brute force”, noted ZDNet reporters.

At the end of 2016, a user with the nickname crss7777 posted on the Bleeping Computer forums a link to Pastebin containing master keys from the CrySiS encryptor, which, as experts later established, were genuine. After that, CrySiS ceased to exist, “reborn” as Dharma.

Although Dharma keys suffered the same fate in 2017, this time the ransomware operators did not rebrand and continued to work, eventually turning their RaaS into one of the most popular ransomware on the market.

“So, in recent years, Dharma has regularly received updates. For example, in 2018 and 2019, the criminal underground adapted to new trends and moved from the mass distribution of ransomware through mail spam to targeted attacks on corporate networks. So did the Dharma operators”, says the ZDNet publication.

It is noted that in the spring of 2019, a new strain, the Phobos ransomware, appeared, used mainly for targeted attacks. Researchers at Coveware and Malwarebytes noted that it is almost identical to Dharma. However, Dharma did not cease to exist and continued to operate in parallel with Phobos. For example, Avast experts noticed three new versions of Dharma last week.
