SMBs hit hard by Dharma Ransomware-as-a-Service attacks during Covid-19

KV Kurmanath Hyderabad | Updated on August 13, 2020 Published on August 13, 2020

Update software across all devices, keep back-ups regularly: Sophos

As if the Covid-19 woes were not enough, small and medium businesses (SMBs), which are trying to find their feet following the lifting of the lockdown, are now being hit by Dharma Ransomware-as-a-Service (RaaS) attacks.

The main targets of the Dharma RaaS attacks are SMBs, with 85 per cent of attacks seen in 2020 focusing on exposed access tools like Remote Desktop Protocol (RDP), according to an analysis by cyber security solutions company Sophos.

With many businesses adapting to the pandemic and accommodating a need for rapid support for remote workers, the risks from these attacks are magnified.

The attack process relies heavily on the abuse of open source tools, as well as freeware versions of commercial tools.

The pandemic has forced almost all SMBs to let their staff work from home, leaving their networks vulnerable to attacks.

Dharma RaaS operators appear to package together a number of tools and best practices for their ‘affiliates’ to use once they’ve gotten onto a victim’s network.

These tools aren’t completely automated, as not every attack follows exactly the same steps. However, they do follow something amounting to step-by-step instructions, akin to a telemarketer’s script, allowing some room for improvisation, Sean Gallagher, a Senior Threat Researcher at Sophos, has said.

“One of those tools is a menu-driven PowerShell script that installs and launches the components required to spread ransomware across the network,” he said.

The firm published the report ‘Colour by Numbers: Inside a Dharma Ransomware-as-a-Service (RaaS) Attack’, explaining in detail how the RaaS is exploiting the chinks in SMBs’ armour.

After gaining access over RDP, which lets one computer connect to another computer’s desktop remotely, the attacker maps a directory containing the RaaS toolkit on their local drive as a network drive accessible from the remote desktop. “The contents of this directory include a number of applications previously identified as potentially unwanted applications (such as the Mimikatz password extraction tool), customised hacking tools, and freeware versions of a variety of legitimate system utilities.

“The kit also includes the Dharma ransomware executable, and a collection of PowerShell scripts, most of which we were unable to recover for analysis,” he said.
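For defenders, the drive-mapping step described above leaves a trace: drives redirected over RDP appear inside the session under the UNC prefix `\\tsclient\`, so programs or scripts launched from that path stand out in process-creation logs. The sketch below is an added example, not code from the Sophos report; the event field names, hosts, users and file paths are constructed for illustration.

```python
import re
from collections import Counter

# Drives redirected from the RDP client are reachable in the remote session
# as \\tsclient\<drive>\... ; match that prefix case-insensitively.
TSCLIENT = re.compile(r"\\\\tsclient\\", re.IGNORECASE)

# Constructed process-creation events (shape assumed, loosely modelled on
# Sysmon Event ID 1). Every value here is invented for the example.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\admin1",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -ExecutionPolicy Bypass -File \\tsclient\e\kit\menu.ps1"},
    {"host": "FS01", "user": "CORP\\admin1",
     "image": r"\\TSCLIENT\E\kit\scanner.exe",
     "command_line": r"\\TSCLIENT\E\kit\scanner.exe"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe \\fileserver\docs\notes.txt"},
    {"host": "WS07", "user": "CORP\\jdoe",
     "image": r"C:\Program Files\Example\app.exe",
     "command_line": r"app.exe --sync"},
]

def launched_from_rdp_share(event):
    """True if the binary or any argument lives on an RDP-redirected drive."""
    return any(TSCLIENT.search(event.get(field, ""))
               for field in ("image", "command_line"))

def find_suspicious(events):
    """Return (host, user, image) for every event touching \\\\tsclient\\."""
    return [(e["host"], e["user"], e["image"])
            for e in events if launched_from_rdp_share(e)]

def summarise(events):
    """Count hits per (host, user) so the busiest session is triaged first."""
    return Counter((host, user) for host, user, _ in find_suspicious(events))

if __name__ == "__main__":
    for (host, user), count in summarise(SAMPLE_EVENTS).most_common():
        print(f"{host} {user}: {count} launch(es) from an RDP-redirected drive")
```

Where remote staff have no need to bring local drives into a session, drive redirection can also be switched off on the RDP hosts, which removes this delivery path altogether.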

Dharma, known since 2016, is one of the most profitable ransomware families around, due to its mass-market, service-based business model.

“Various versions of its source code have been dumped online or offered for sale; so, many variants of the code now exist,” he said in the report.

“Dharma is fast-food franchise ransomware; widely and easily available to just about anyone,” he pointed out.

“Dharma’s RaaS offerings expand the range of people who can execute devastating ransomware attacks. That’s worrying enough in itself in normal times,” he observed.

Once Dharma customers, known as affiliates, purchase the tools and compromise their target, they rely almost entirely on a menu-driven PowerShell script that installs and launches the components required to spread ransomware across the target’s network.

When the master script is executed, it identifies itself as “Toolbox” and launches the attack with the message, “Have fun, bro!”


The cyber security solutions firm asked the likely targets to shut down Internet-facing RDP to deny cyber criminals access to networks. “If you need access to RDP, keep it behind a VPN (virtual private network) connection,” Sophos says.

“Have a full inventory of all devices connected to your network and always install the latest security updates on all the devices and servers on your network,” it points out.

“It is important to keep regular backups of your most important and current data on an offline storage device,” it says.
