
How does the new Dharma Ransomware variant work?

Brrr ransomware, a Dharma variant, was found adding malicious extensions to encrypted files. Discover how this is possible and how this attack can be mitigated with Judith Myerson.

Brrr, a new Dharma Ransomware variant, appends malicious extensions to encrypted files. How does this variant work? How can users protect themselves?

Dharma Ransomware is a cryptovirus that encrypts user files and demands a ransom in exchange for a decryption key. The malware is delivered by hand: attackers reach exposed Remote Desktop Protocol (RDP) services on TCP port 3389, brute force the password to gain access to the computer and then run the ransomware themselves.

The ransomware uses AES to encrypt files on unprotected mapped network drives, shared virtual machine host drives and unmapped network shares. After encryption, a Dharma Ransomware attack drops a ransom note, such as FILES ENCRYPTED.txt or Info.hta, containing a contact email address through which payment instructions are relayed.

At least 15 variants of the Dharma Ransomware have been released since 2016. The latest versions include an email address for contacting the attackers and attach a distinctive extension to each encrypted file. While payment instructions differ with each variant, the Brrr variant, detected in September 2018, encrypts a file such as abc.doc and appends an identifier, the contact email address and the .brrr extension to its name; for example, abc.doc.id-BCBEF350.[paydecryption@qq.com].brrr.

Another Dharma Ransomware variant, Dharma-Btc, surfaced in late 2016 and provided victims with instructions on how to make payments with bitcoin. It appends the encryption identifier, the contact email address and the .btc extension to the file name, in the same layout as the Brrr variant.

A week after the Brrr ransomware was found, Gamma ransomware was detected. This variant offers a test decryption and gives instructions on how to create a cryptocurrency wallet. Other variants append the extensions .wallet, .zzzzz, .combo, .bkp and .onion.
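The naming scheme described above can be turned into a simple defender-side check. The following Python script is an added example, not code from the original answer: it parses the `<name>.id-<identifier>.[<email>].<extension>` suffix, flags the extensions listed above and reports the ransom-note filenames found in a directory listing. The listing and the example.invalid address are constructed for the example, not real telemetry.

```python
import re
from collections import Counter

# Suffix scheme the answer describes for Dharma variants:
#   <original name>.id-<8 hex chars>.[<contact email>].<variant extension>
# e.g. abc.doc.id-BCBEF350.[paydecryption@qq.com].brrr
DHARMA_SUFFIX = re.compile(
    r"^(?P<original>.+?)\.id-(?P<victim_id>[0-9A-Fa-f]{8})"
    r"\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.(?P<ext>[A-Za-z0-9]+)$"
)
# Extensions the answer lists for Dharma variants.
KNOWN_EXTENSIONS = {"brrr", "btc", "wallet", "zzzzz", "combo", "bkp", "onion"}
# Ransom-note filenames the answer names.
RANSOM_NOTES = {"FILES ENCRYPTED.txt", "Info.hta"}

def parse_dharma_name(filename):
    """Return the suffix fields if filename follows the Dharma scheme, else None."""
    m = DHARMA_SUFFIX.match(filename)
    if not m:
        return None
    fields = m.groupdict()
    fields["known_variant"] = fields["ext"].lower() in KNOWN_EXTENSIONS
    return fields

def scan_listing(filenames):
    """Summarise a listing: how many files carry the suffix, which identifiers,
    contact addresses and extensions appear, and which ransom notes exist."""
    hits = [h for h in map(parse_dharma_name, filenames) if h]
    return {
        "encrypted_count": len(hits),
        "victim_ids": sorted({h["victim_id"] for h in hits}),
        "contacts": sorted({h["email"] for h in hits}),
        "extensions": Counter(h["ext"].lower() for h in hits),
        "ransom_notes": sorted(f for f in filenames if f in RANSOM_NOTES),
    }

# Constructed sample listing (not real telemetry); the first entry is the
# answer's own example, the .btc entry uses a reserved example domain.
SAMPLE_LISTING = [
    "abc.doc.id-BCBEF350.[paydecryption@qq.com].brrr",
    "budget.xlsx.id-BCBEF350.[paydecryption@qq.com].brrr",
    "photo.jpg.id-1A2B3C4D.[contact@example.invalid].btc",
    "FILES ENCRYPTED.txt",
    "Info.hta",
    "report.docx",            # untouched file
    "notes.id-BCBEF350.txt",  # similar-looking name that does not fit the scheme
]

print(scan_listing(SAMPLE_LISTING))
```

A single identifier and contact address recurring across many files is the signature of one Dharma run; several identifiers in one listing suggest repeat infections through the same exposed RDP service.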

The number one defense against Dharma Ransomware is removing support for RDP, which is considered unsafe for most uses. Other defenses include backing up important files and placing computers that must run RDP behind a VPN.

Users can also scan email attachments, ignore suspicious ones and use different passwords for different sites. Free decryptor tools are available for some variants, but these tools should themselves be scanned for vulnerabilities before use.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

This was last published in December 2018

1 comment

What does the Brrr ransomware variant mean for the future of ransomware variants?
