True North Networks Blog
This ransomware sneakily infects victims by disguising itself with anti-virus software
A successful family of ransomware which has been terrorising organisations around the world has been updated with a new trick to lure victims into installing file-locking malware: posing as anti-virus software.
Dharma first emerged in 2016 and the ransomware has been responsible for a number of high-profile cyber incidents, including the takedown of a hospital network in Texas late last year.
The group behind Dharma regularly look to update their campaigns in order to ensure the attacks remain effective and they have the best chance of extorting ransom payments in exchange of decrypting locked networks and files of Windows systems.
Now the cyber attacks have evolved again and cyber security researchers at Trend Microhave detailed a new means of the Dharma being deployed: by bundling it inside a fake anti-virus software installation.
Like many ransomware campaigns, Dharma attacks start off with phishing emails. The messages claim to be from Microsoft and that the victim's Windows PC is 'at risk' and 'corrupted' following 'unusual behaviour', urging the user to 'update and verify' their anti-virus by accessing a download link.
If the user follows through, the ransomware retrieves two downloads: the Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.
When the self-extracting archive runs, Dharma begins encrypting files in the back round while the user is asked to follow installation instructions for ESET AV remover – the interface is displayed on their desktop and requires user interaction during the installation process, acting as a distraction from the malicious activity.
Once the installation is complete, the victim will find themselves confronted with a ransom note, demanding a cryptocurrency payment in exchange for unlocking the files.
"The article describes the well-known practice for malware to be bundled with legitimate application(s). In the specific case Trend Micro is documenting, an official and unmodified ESET AV Remover was used. However, any other application could be used this way," said an ESET statement, after being informed about the research by Trend Micro.
While not as high-profile as it was during the height of attacks like WannaCry and NotPetyain 2017, ransomware still remains a threat to organisations as attackers continue to develop and deploy new tactics and variants of the file-locking malware.
"As proven by the new samples of Dharma, many malicious actors are still trying to upgrade old threats and use new techniques. Ransomware remains a costly and versatile threat," said Raphael Centeno, security researcher at Trend Micro.
To avoid falling victim to Dharma and similar threats, researchers recommend that organisations adopt good cybersecurity hygiene such as securing email gateways, regularly backing up files and to keep systems and applications patched and updated.