Dharma is a concept in eastern religions such as Buddhism, Hinduism, and Sikhism that has no direct English language translation. This Sanskrit word can be interpreted as the right way of living or the the path or righteousness and signifies that the universe is in accord with with “cosmic law and order.” But ironically enough, Dharma is also the name of some pretty nasty ransomware that’s shaping up to be pretty  bad karma for your computer. And to most people going about their online lives today, finding a bunch of malware of your device is about the furthest thing from cosmic law and order.

Explain ransomware, please.

As we know, ransomware is one of the most destructive types of malware in cyberspace today. It encrypts your computer files using a key you cannot access. Ransomware compels you with its ransom note to send money to the cybercriminals, usually in the form of cryptocurrency, in order to recover your files. Sometimes paying the ransom works— and sometimes it doesn’t. Sure ransomware has been around for over a decade, but back then the ransom note would usually demand a credit card number instead of cryptocurrency. In the past few years, ransomware has become much, much more common.

These days, ransomware targets popular operating systems like Windows and macOS, and it also targets phones and mobile devices running Android and iOS. Ransomware sometimes even targets the new devices related to The Internet of Things (IoT), such as thermostats, cars, and kitchen appliances with internet access. Ordinary consumers, big corporations, and public institutions alike all face ransomware these days; no group of computer users are sparred. But another key way ransomware has changed is its power to rake in big money for cybercriminals.

Explain dharma, please.

As one of the oldest of all ransomware families still alive today, Dharma’s earliest versions were discovered in 2006. Antivirus developers have released free decryption tools for the earlier versions of Dharma, sometimes known as CrySiS. With a decryption tool, you can liberate your files from the effects of ransomware without having to pay a ransom to cyber attackers. Those old Dharma decryption tools are available through the No More Ransom website, but because antivirus software is able to detect older versions of Dharma, while decryption tools are available for those older versions, cyber attackers have developed newer versions of Dharma that are much harder to prevent and have no decryption tools available so far.

What’s going on with Dharma now?

In May 2018, malware researchers Michael Gillespie and Jakub Kroustek found samples Dharma’s new version. Older versions of Dharma often infected Windows computers through Microsoft’s Remote Desktop Protocol (which should be disabled if you aren’t using it), but the researchers were unsure of how the newer version of Dharma infected PCs. What they did know is that files encrypted with this newer version of Dharma would turn file names like“MyDocument.docx” ino “MyDocument.docx.id-BCBEF350.[Beamsell@qq.com].bip.”

When another operating system is run as an application inside of a host operating system, it’s known as a virtual machine, and sometimes people run them on their Windows computers. For instance, it’s possible to run a macOS or Ubuntu Linux virtual machine in Windows with an application like VMware client or Oracle VirtualBox. Often the simulated disk that a virtual machine uses, a virtual disk, is safe from malware on the host machine. But Dharma can encrypt files on a virtual disk too and can can even delete the shadow volume copies of files that Windows creates just in case there’s a technical problem with your original files. So, there will be no shadow volume copies of your files to recover from—means means this newer version of Dharma is really, really nasty.

How does Dharma work?

The ransom note with this version of Dharma tells their victim to email “Beamsell@qq.com” for payment instructions. Now, as of November 2018, malware researchers David Maciejak and Kenny Yongjian Yang have found an even newer version of Dharma which also uses the “bip” extension on the files it encrypts, and it also uses the “combo” and “gamma” extensions. Software developers can create their own file extension names, and these are some extensions that were invented by the bad guys.

This time researchers are pretty confident that Dharma infects Windows machines through the Remote Desktop Protocol (RDP.) If you’re not using it, that port should always be closed. Microsoft technology is what allows remote access to Windows PCs, and home consumers rarely need it. If RDP must be used in a business environment, work with your security and network staff to secure it as much as possible. Cyber attackers may be getting through RDP using brute force, which happens when a computer program tries as many different passwords as it can as quickly as possible, and the technique often works. Alternatively, attackers could also be buying user authentication credentials through illegal online markets.

When the new version of Dharma infects a Windows computer, it works to encrypt as many files as it can find with an RC4 algorithm and a 128-byte key. When the user reboots their computer, Dharma is designed to start as soon as they log back into Windows to encrypt any new files that are created or otherwise acquired. Next, Dharma uses the Windows command line (cmd.exe) to delete shadow volume copies of files so users can’t easily recover their files from the malware. By the time Dharma gets to the root of your Windows drives, files are encrypted with an implementation of the AES algorithm.

Once Dharma has encrypted as many of your files as possible, a ransom note will appear on the victim’s display that says “All of your files have been encrypted! All of your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the email eadmundcoutts@aol.com.” Well, at least the cyber attacker admits that their ransomware infects “due to a security problem with your PC.”

What can I do?

There are a few things you can do to prevent becoming Dharma’s next victim if you use a Windows PC. As mentioned, either disable RDP or very carefully secure it if it must be used. Disabling RDP can be done by launching “msconfig” through “Run” and looking under both the “Startup” and “Services” tabs. Make sure your Windows PC automatically receives security patches from Microsoft from Windows Update. And finally, make sure that you run antivirus software and that your antivirus software automatically updates and runs scans at least a few times every week.


Admin Management Tools

Share this article

mail envelope

Subscribe to our blog

Stay up to date with the latest marketing, sales and service tips and news.

Worked in a variety of IT roles until cybersecurity captured her intrigue after resolving a multitude of different malware problems for clients. Concurrently with computer technology, she enjoys creative writing and even won a few writing contests as a child. Over the years, these interests have segued into a successful blogging career. She enjoys reading novels and biographies, console gaming, lurking in web forums, alternative fashion and listening to jazz, funk, and goth music.

Post a comment