ChatFortress Dharma Ransomware Recovery Payment and Decryption Statistics


Posted on February 15, 2021 by Benjamin Bressington


ChatFortress Dharma Ransomware Recovery Payment and Decryption Statistics

Dharma Ransomware Recovery, Payment, and Decryption Statistics

The information below describes relevant statistics of Dharma ransomware recovery, payment, and decryption. The recovery process of Dharma ransomware includes identifying the strain and the risk associated with pursuing a ransom payment for data decryption. Please review the information below, or contact our support team at help@ChatFortress.com, to learn more about Dharma ransomware recovery, payment and decryption statistics.

HOW MUCH ARE Dharma RANSOMWARE RANSOM DEMANDS?

Dharma targets mid to large size enterprises and ransom amounts are scaled based on the size of the organization and the perceived capacity to pay. This group is also known to exfiltrate data, which leads to increased demands.

Dharma RANSOMWARE: RANSOM AMOUNTS

Average Dharma Ransom Payment (JQ4 2020)

$13,000

AVERAGE LENGTH OF Dharma INCIDENT

Dharma incidents reflect slightly less than average recovery times. The decryptor is fairly straightforward to use and the decryption rate depends on the complexity of the network.

HOW LONG DOES IT TAKE TO RECOVER FROM A Dharma RANSOMWARE ATTACK?

Dharma ransomware incidents can be burdensome due to the complicated nature of the decryption tool provided by hackers. However, the recovery period is lower than the average since this group targets small networks that can be remediated quickly, as opposed to larger networks.

WHAT DATA RECOVERY RATE IS EXPECTED WHEN PAYING FOR A Dharma RANSOMWARE DECRYPTOR?

Dharma Ransomware has a relatively high success rate after a ransom payment is made. This being despite the logistical complexity of receiving decryption keys and running the decryption tool.

Dharma RANSOMWARE: COMMON ATTACK VECTORS

  • Remote Desktop Protocol
  • Phishing Emails
  • Software / Hardware Vulnerability

HOW DOES DHARMA RANSOMWARE ATTACK A VICTIM?

The majority of Dharma Ransomware attacks can be traced back to Remote Desktop Protocol access as the attack vector. This is due to the prevalence of poorly secured RDP ports, and the ease with which Ransomware distributors are able to either brute force themselves, or purchase credentials on dark market sites. Companies that allow employees or contractors to access their networks through remote access without taking the proper protections are at a grave risk of being attacked by Dharma Ransomware.

HOW TO IDENTIFY DHARMA RANSOMWARE

Dharma Ransomware typically leaves behind a ransom note in 3 different formats; a multicolored Ransom Note, a simple text file ransom note, or no ransom note at all.

DHARMA RANSOMWARE NOTE #1: MULTICOLORED

The standard format and layout of a Dharma Ransomware Ransom Note

Dharma RANSOM NOTE

The most common Dharma Ransom note is multicolored and contains 4 main sections.

Instructions:

At the top of the ransom note, the victim is provided with the news that their data has been encrypted. They are instructed to email the email address provided and to insert their unique ID into the title of the email so that they can be identified by the threat actor.

Free Decryption as Guarantee:

In the next section, the victim is notified that they will be afforded the ability to decrypt a sample file as proof that the threat actor is capable of decrypting files, This is meant to give the victim comfort that if they pay, they will get a working decryption tool

How to Obtain Bitcoins:

In this section the victim is guided on how to procure crypto currency so that the ransom can be paid. There are certain venues that ransomware distributors try to route their victims to. These venues tend to be more lax about KYC and AML during on-boarding, which allows the victims to set up accounts faster. There are also venues that the threat actors will often specifically call out for victims to avoid. This is typically due to extended approval times for new accounts, or speed bumps to withdraw cryptocurrency after it has been purchased.

Attention!

In this section, the threat actor provides some practical advice to the victim meant to help the victim avoid common pitfalls. Interesting, all of these suggestions are accurate and should be heeded by any victim

  • “Do not rename encrypted files” This is practical advice. Renaming files does not remove encryption, and can impact the ability of the files to be successfully decrypted at a later time.
  • “Do not try to decrypt your data using third party software. It may cause permanent data loss.” This is absolutely correct. It is not possible to decrypt recent versions of Dharma with any decryption software. Use of this software can impact file structure and make decryption at a later data impossible. Do not try third party decryption software on Dharma encrypted files. It will damage the files making recovery impossible.
  • “Decryption of you files with the help of third parties may cause increased price (they add their price to our), or you can become the victim of a scam.” This is absolutely true. Dishonest data recovery companies prey on the emotions of ransomware victims in order to charge usurious fees. There are also lots of individual operators that stalk security forums looking for victims to DM and solicit. Beware!
DHARMA RANSOMWARE NOTE: NO RANSOM NOTE AT ALL

In a lot of Dharma Ransomware attacks, the victim does not find any note at all. This could be for a couple of reasons. Sometimes the threat actor forgets to leave one. Sometimes the note is just buried somewhere and not found. In these cases, identifying the ransomware as Dharma, and establishing the contact information of the threat actors is still possible through the file extension.

Because Dharma appends both an ID number and the threat actors email address to every encrypted file, it is possible to identify the ransomware type and threat actor through a single sample encrypted file.

DHARMA RANSOMWARE ENCRYPTED FILE EXTENSIONS

Dharma Ransomware has taken on dozens of variants over the years. Each variant appends a different unique file extension to encrypted files. While the file extension changes, the underlying encryption process, and encryption executable is fundamentally the same. A variant typically signifies that a new group has purchased a Dharma Ransomware kit, and will be uniquely identified by the file extension. This is not always the case, but there are observable differences in the communication patterns and behaviors across variants, suggesting that each variant may be its own unique group of distributors.

COMMON DHARMA RANSOMWARE FILE EXTENSIONS:

There are many different file extensions that signify Dharma Ransomware. Some of the most recent file extensions include:

.BIP .combo .gamma .arrow .betta .vanss .audit .adobe .fire .bear .back .cccmn .tron .like .gdb .myjob .risk .santa .bizer .btc .auf .heets .usa .qwx .xwx .aqva .eth .amber .stuf .ms13 .bk666 .com .qbix .bat .MERS

An encrypted file would follow the below pattern (example of a word document):

filename.doc.id-[alpha-numeric ID #].[hacker@email.com].[dharma variant file extension]

The alpha-numeric ID number is used to identify the system, sort of like an index sticky note the hacker uses to remember the machines that were encrypted.

COMMON DHARMA RANSOMWARE EMAIL ACCOUNTS

Ransomware distributors often change their email accounts for every attack, though some groups keep them consistent. The groups tend to have preferences for the email and VPN service they use. Some use common services like Gmail or AOL, while others use encrypted email services such as ProtonMail or Tutanota.

HOW DHARMA RANSOMWARE IS DISTRIBUTED

The top attack vector for Dharma ransomware is via Remote Desktop Protocol ports or RDP. RDP a port that is commonly used for employees or services providers to access a network remotely. RDP access sidesteps endpoint protection, making lateral proliferation between endpoints, partitioned networks, and backup systems much easier to accomplish.

Attackers can breach RDP via a few different methods:

  • By using port scanning via websites like Shodan and then subsequently brute-forcing RDP sessions until credentials are compromised.
  • Purchasing and using brute-forced credentials for sale on sites like XDedic [since removed by Law Enforcement].
  • Phishing an employee of the company to gain access and control of their machine. Then using that access to elevate that users permission using other credential harvesting malware. This elevated access allows the attacker to move laterally around the network.

There are tens of thousands of corporate RDP credentials available for sale for as little as $3 on dark web marketplaces. The wide availability of hacked RDP credentials is a low-hanging fruit for cybercriminals looking to launch ransomware attacks.

While plenty of large organizations continue to leave this vector unsecured, smaller companies are equally complacent. Most assume they are too small to be targeted and don’t appreciate just how easily targeted they are. Many also lack the resources, people or knowledge of how to properly secure access.

HOW DOES DHARMA RANSOMWARE ENCRYPT FILES

Dharma encrypts files using an AES 256 algorithm. The AES key is also encrypted with an RSA 1024. This encrypted AES key is stored at the end of the encrypted file. The encryption process typically starts with mapped drives before moving onto the root of the OS drive, while also deleting the volume shadow copies.

HOW TO REMOVE DHARMA RANSOMWARE EXECUTABLE FILES

It is strongly recommended that any machine that becomes encrypted be completely reformatted to ensure that both the ransomware executable and, more importantly, any other malware is removed in the process. The ransomware executable is typically easy for anti-virus to find and remove. Malware that assisted in the ransomware arriving on the machine and which can do longer term damage is often harder to detect. Accordingly, a full wipe and replace process should be run on any machine that becomes encrypted with Dharma Ransomware.

FAQs

1. ARE THERE FREE Dharma DECRYPTION TOOLS?

The majority of active Dharma ransomware variants can not be decrypted by any free tool or software. If you submit a file example to us, we will have a look for free and let you know. There are also good free websites that you can upload a sample file to and independently check. You should NOT pay a data recovery firm or any other service provider to research your file encryption. They will use the same free resources noted above… so don’t waste your money or time!

2. HOW DID I GET INFECTED WITH Dharma RANSOMWARE?

Most Dharma ransomware is laid directly by a hacker that has accessed an unprotected RDP port, utilized email phishing to remote into a network via an employee’s computer, or utilized malicious attachments, downloads, application patch exploits or vulnerabilities to gain access to a network.

3. WHAT ARE RECENT Dharma RANSOMWARE FILE EXTENSIONS?

Dharma extensions are randomized. Encrypted files on a given network will have their own unique extension and a readme.txt ransom note will be stored on each host.

4. WHAT DOES A Dharma RANSOM NOTICE LOOK LIKE?

Dharma RANSOM NOTE

The Dharma note is usually named Restore-My-Files.txt. The note itself provides a TOR site used to contact the threat actor. A Non-TOR site is also provided but these sites are usually less secure, so we do not recommend using this option.

WHAT INFORMATION DO I NEED TO PROVIDE?

You will need to provide information from both the ransom notice and a sample encrypted file. We will schedule a call to discuss the severity of the attack, the operability of your company and the likely timeline / cost of recovering from the attack. You will also need to provide identifying information on your company, and an authorized representative of your company.

WHAT ABOUT FIRMS THAT HAVE TOLD ME THEY CAN DECRYPT MY FILES WITHOUT PAYING THE HACKER?

You should be extremely skeptical of any data recovery firm that claims they can decrypt ransomware. Typically they are just paying the cyber criminal without your knowledge and pocketing the difference between the ransom amount and what they will charge you. Know the facts before you engage. If the ransomware IS decryptable, the tool can be found for free. If not, purchasing a key from the cyber criminal is the only way to unlock your files. While ChatFortress does not condone paying cyber criminals, we recognize it is often the only choice if backups are not available or have become compromised as well. If that is the case, you deserve an honest, transparent experience. But paying a ransom demand can expose you to increased civil or criminal liability.

WILL THE RANSOMWARE PAYMENT BE SUCCESSFUL?

There is no guarantee that paying the ransom will result in a working decryption tool being delivered. However, ChatFortress believes that data aggregation can help customers make the most informed data-driven decisions. Since we handle lots of cases of the same ransomware types, we are able to share our experiences and help customers decide how to proceed.

HOW DO I UNLOCK MY FILES?

If the ransomware payment is successful, a decryption tool & key is provided by the hacker that can be used to manually decrypt your files.

HOW DO I PREVENT THIS FROM HAPPENING AGAIN?

There are some common security mis-configurations that lead mt-3 mb-3 to a ransomware attack. We can share some tips and resources for preventing future attacks, but encourage companies to perform a full forensic review or security assessment as soon as possible. Consistent investment in security IT is the best antidote to preventing future attacks. Learn more about the Business Cybersecurity System here.

Are you worried that your company is vulnerable to cybercriminals?

The Business Cybersecurity System protects you against real-world threats while building your cybersecurity culture.

Ben quote statement

Who is ChatFortress

ChatFortress is a leading cybersecurity company that helps small and medium-size companies protect themselves from hacking attempts. Using Cybersecurity AI, Gamified cybersecurity awareness programs and providing virtual security analysts. Our goal is to help you create a cybersecurity aware culture.





Search
Cybersecurity Resources

Talk to Us

Reduce your cybersecurity risk and exposure. Schedule time with your ChatFortress Specialist now
or Call 307-999-7755

commoncybersecuritymistakes
Cybersecurity Education Links

Common Cybersecurity Mistakes and how you can protect yourself and your business from liability and financial loss! Instant Webinar Access!

Schedule Your Free Cybersecurity Risk Assessment Click Here to Schedule Call

Discover current hacker trends to steal your data and how you can protect yourself in 7 day FREE Email Cybersecurity crash course

Here are the 8 common types of email phishing attacks that hackers use to steal your identity. Are you protected?

Protect your business from hackersCrash Coursesmall business cybersecurity protectionHackerssmall business cybersecurity protection8typesofemailphishingscamssmall business cybersecurity protectionCMMC Compliance Check ListCybersecurity For Business