Dharma ransomware resurfaces with a new variant

A new variant of the Dharma ransomware (‘.arrow’) has been observed in the wild. This variant appends the extension ‘.arrow’ to the files it encrypts and spreads via spam emails.

 

How Dharma encrypts its victim’s files

Once executed, the ‘.arrow’ variant of Dharma uses the below command to disable Windows’ repair and backup option using vssadmin.exe.

C:\Windows\system32\vssadmin.exe, vssadmin delete shadows /all /quiet

It creates the below process using mode.com which is a genuine process of Windows.

C:\Windows\system32\mode.com, mode  con cp select=1251

 

 

The actual use of mode.com is after the restart of the computer. It turns the settings of the communications port (COM port) to the default.

Fig. 1 Command to delete the backup files.

 

After execution of the above commands, Dharma starts its encryption activity. During our analysis, we found that that the ransomware basically encrypts both PE and Non-PE files and the extensions which it successfully encrypts while generating the scenario are as follows.

“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRFEncodedFiles .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”

 

The dropped infection marker files and encrypted files have the following pattern.

Fig. 2 Encrypted files pattern.

From the dropped infection marker files, .hta and .txt file have ransom note.

Dharma’s ransom note

Fig. 3 Ransom note

Fig. 4 Ransom note

Quick Heal proactively protects its users from the ‘.arrow’ variant of Dharma ransomware with its behavior-based and static detection features.

 

               Fig. 5 Behavior Detection

               Fig. 6 Static detection.

 

How to stay away from ransomware

• Use a multi-layered antivirus that can stop real-time threats.
• Keep your antivirus up-to-date.
• Update your Operating System regularly as critical patches are released every day.
• Keep your software up-to-date.
• Never directly connect remote systems to the Internet.
• Do not click on links or download attachments in emails received from unknown sources.
• Take regular data backup and keep it in a secure location.

 

Indicator of Compromise

• MD5: – d07bc4924a0b84f4f36871b47eed0593

 

Subject matter experts

Priyanka Dhasade, Shalaka Patil, Shashikala Halagond | Quick Heal Security Labs