A new Dharma ransomware variant has been created that is evading detection by most antivirus engines. Heimdal Security has said that his most recent Dharma ransomware variant captured by its researchers was only discovered to b malware by one of the 53 AV engines on VirusTotal.

Dharma ransomware (also referred to as CrySiS) was first spotted in 2006 and is still being developed. 2018 several new Dharma ransomware variants have been made public, each using new file extensions for encrypted files (.bip, .xxxxx, .like, java, .arrow, .gamma, .arena, .betta, and .tron to name but a few). In just the past two months four new Dharma ransomware variants have been discovered.

Those to blame for Dharma ransomware have claimed many victims in recent months. Successful attacks have been made public recently by Altus Baytown Hospital in Texas, the Arran brewery in Scotland, and the port of San Diego.

While free decryptors for Dharma ransomware have been created, the constant evolution of this ransomware threat rapidly makes these decryptors obsolete.  Infection with the latest variants of the ransomware threat only allows victims three options: pay a sizeable ransom to recover files, restore files from backups, or face permanent file deletion.

The latter is not viable given the extent of files that are encrypted. Rescuing files from backups is not always possible as Dharma ransomware can also encrypt backup files and can erase shadow copies. Payment of a ransom should not be completed as there is no guarantee that files can or will be decrypted.

Safeguarding against ransomware attacks requires a combination of policies, procedures, and cybersecurity solutions. Dharma ransomware attacks are mostly carried out via two attack vectors: The exploitation of Remote Desktop protocol (RDP) and through email malspam campaigns.

The most recent Dharma ransomware variant attacks involve an executable file being dropped by a .NET file and HTA file. Infections take place via RDP-enabled endpoints using brute force attempts to guess passwords. Once the password is stolen, the malicious payload is deployed.

While it is not yet known how the Arran brewery attack occurred, a phishing attack is suspected. Phishing emails had been received just prior to file encryption. “We cannot be 100 percent sure that this was the vector that infection occurred via, but the timing seems to be more than coincidental,” said Arran Brewery’s managing director Gerald Michaluk.

To safeguard against RDP attacks, RDP should be turned off unless it is absolutely necessary. If RDP is required, access should only be possible through a VPN and strong passwords should be put in place. Rate limiting on login attempts should be set up to block login attempts after a set number of failures.

Due to this, good backup policies are essential. They will mean that file recovery is possible without payment of a ransom. Multiple copies of backups should be made with one copy held securely off site.

To safeguard against email-based attacks, an advanced spam filter is necessary. Spam filters that rely on AV engines may not spot the latest ransomware variants. Advanced reviews of incoming messages are vital.

SpamTitan can enhance protection for companies through combination of two AV engines and predictive techniques to block new types of malware whose signatures have not yet been installed on AV engines.

For additional information on SpamTitan and safeguarding your email gateway from ransomware attacks and other threats, contact TitanHQ’s security experts today.