Brrr, a new Dharma Ransomware variant, appends malicious extensions to encrypted files. How does this variant work? How can users protect themselves?
Dharma Ransomware is a cryptovirus that encrypts user files and demands a ransom in exchange for a decryption key. The malware is delivered manually by attackers who exploit Remote Desktop Protocol (RDP) services on TCP port 3389 and brute-force the password to gain access to a computer.
AES is used to encrypt files on unprotected mapped network drives, shared virtual machine host drives and unmapped network shares. In a Dharma Ransomware attack, a ransom note is added as a text file, such as FILES ENCRYPTED.txt or Info.hta, and a contact email address is included to relay payment instructions.
At least 15 variants of the Dharma Ransomware have been released since 2016, with the latest versions including an email address to contact attackers, as well as file extensions attached to encrypted files. While payment instructions differ with each variant, the Brrr ransomware variant, which was detected in September 2018, encrypts a file, like abc.doc, and appends the extension .brrr; for example, abc.doc.id-BCBEF350.[firstname.lastname@example.org].brrr.
Another Dharma Ransomware variant, Dharma-Btc, surfaced in late 2016 and provided victims with instructions on how to make payments with bitcoin. This variant appends .btc to the file extension, as well as the encryption identification and email contact address, similar to the Brrr variant.
A week after the Brrr ransomware was found, Gamma ransomware was detected. This variant can test decryption and offers instructions on how to create a cryptocurrency wallet. Other variants include file extensions appended with .wallet, .zzzzz, .combo, .bkp and .onion.
The number one defense against Dharma Ransomware is removing support for RDP, which is considered unsafe for most uses. Other methods to defend against Dharma Ransomware include backing up important files and moving computers that must run RDP behind VPNs.
Users can also use attachment scanning, ignore suspicious attachments and use different passwords for different sites. Likewise, free decryptor tools are available for some variants; however, these tools need to be scanned for vulnerabilities.
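As an added illustration (not code from the original article or from any vendor tool), the following Python script parses the renamed-file pattern described above, `<name>.id-<8 hex chars>.[<contact email>].<variant extension>`, so a defender reviewing a share listing can flag encrypted files, recover their original names, and spot the ransom note files. The extension set and note names come from the article; the sample listing and the `scan_listing` helper are constructed for this example.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

DHARMA_EXTENSIONS = {"brrr", "btc", "wallet", "zzzzz", "combo", "bkp", "onion"}  # variants named in the article
RANSOM_NOTE_NAMES = {"files encrypted.txt", "info.hta"}  # note file names from the article, lower-cased

# Renamed-file pattern from the article: <original>.id-<8 hex>.[<contact email>].<ext>
DHARMA_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\[\]@]+@[^\[\]@]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)

class DharmaHit(NamedTuple):
    path: str
    original_name: str
    victim_id: str
    contact_email: str
    variant_ext: str

def parse_dharma_name(path: str) -> Optional[DharmaHit]:
    """Return a DharmaHit if the file name follows the Dharma renaming scheme, else None."""
    name = ntpath.basename(path)  # ntpath handles both backslash and forward-slash paths
    m = DHARMA_NAME_RE.match(name)
    if not m or m.group("ext").lower() not in DHARMA_EXTENSIONS:
        return None  # either no id/email pattern, or an extension the article does not list
    return DharmaHit(path, m.group("original"), m.group("victim_id").upper(),
                     m.group("email"), m.group("ext").lower())

def scan_listing(paths: List[str]) -> Tuple[List[DharmaHit], List[str]]:
    """Split a file listing into (encrypted-file hits, ransom-note paths)."""
    hits, notes = [], []
    for p in paths:
        if ntpath.basename(p).lower() in RANSOM_NOTE_NAMES:
            notes.append(p)
            continue
        hit = parse_dharma_name(p)
        if hit:
            hits.append(hit)
    return hits, notes

# Constructed sample listing for this example (not real incident data).
SAMPLE_LISTING = [
    r"\\fileserver\finance\abc.doc.id-BCBEF350.[firstname.lastname@example.org].brrr",
    r"\\fileserver\finance\FILES ENCRYPTED.txt",
    r"\\fileserver\finance\q3.xlsx.id-1a2b3c4d.[firstname.lastname@example.org].btc",
    r"\\fileserver\finance\report.pdf",  # untouched file, should not match
    r"\\fileserver\finance\photo.id-12345678.[user@host].jpg",  # id pattern but unknown extension
]
```

Running `scan_listing(SAMPLE_LISTING)` yields two hits (the .brrr and .btc files, with original names abc.doc and q3.xlsx) and one ransom note path.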
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)