The source code for ransomware-as-a-service (RaaS) strain Dharma could now be in the hands of more cybercriminals, as hackers have reportedly put it up for sale for just $2,000.
Dharma evolved from the CrySIS RaaS variant after an anonymous source posted the CrySIS decryption keys online in 2016, and again several times through 2017. Dharma is commonly delivered via spam email as a Trojan in software installers. It is also commonly installed over RDP connections via leaked credentials. Said to heavily target the US healthcare sector, its developers have frequently updated it to produce encrypted files with different extensions. It sometimes uninstalls security software on the victim’s system as part of its attack.
Dharma victims have even included security surveillance cameras in Washington DC, but according to anti-ransomware consulting company Coveware, the ransomware hits small businesses especially hard and charges as little as $1,500 for file recovery.
According to the FBI, CrySis/Dharma was the second most profitable ransomware variant on the internet, netting $24.48m from November 2016 to November 2019. That represented just 40% of the profits made by the leader, Ryuk, but was also three times more than the number three earner, BitPaymer.
Someone also posted the Dharma decryption keys in 2017, although more recent versions use new keys that have not yet been publicly disclosed. Coveware says that its decryption process is more complex than those used by many other ransomware systems.
After paying the ransom, victims must run a scanning tool to produce a key that they then send to the attacker. Only then does the attacker produce the decryption key. They can run into problems using it if any files are changed in the interim. This could require a new key, for which the ransomware authors can charge the victim again.
If the ransomware code falls into the hands of other crooks, it could spark a proliferation of Dharma-derived ransomware tools. The world saw something similar with the Mirai IoT botnet code, which the authors published as open source at the end of 2016. However, an upside is that the source code might also allow ransomware researchers to gain more insight into the encryption code and possibly produce newer decryption keys.