A new variant of the Dharma ransomware (‘.arrow’) has been observed in the wild. This variant appends the extension ‘.arrow’ to the files it encrypts and spreads via spam emails.
How Dharma encrypts its victim’s files
Once executed, the ‘.arrow’ variant of Dharma uses the below command to disable Windows’ repair and backup option using vssadmin.exe.
C:\Windows\system32\vssadmin.exe, vssadmin delete shadows /all /quiet
It creates the below process using mode.com which is a genuine process of Windows.
C:\Windows\system32\mode.com, mode con cp select=1251
The actual use of mode.com is after the restart of the computer. It turns the settings of the communications port (COM port) to the default.
Fig. 1 Command to delete the backup files.
After execution of the above commands, Dharma starts its encryption activity. During our analysis, we found that that the ransomware basically encrypts both PE and Non-PE files and the extensions which it successfully encrypts while generating the scenario are as follows.
“PNG .PSD .PSPIMAGE .TGA .THM .TIF .TIFF .YUV .AI .EPS .PS .SVG .INDD .PCT .PDF .XLR .XLS .XLSX .ACCDB .DB .DBF .MDB .PDB .SQL .APK .APP .BAT .CGI .COM .EXE .GADGET .JAR .PIF .WSF .DEM .GAM .NES .ROM .SAV CAD Files .DWG .DXF GIS Files .GPX .KML .KMZ .ASP .ASPX .CER .CFM .CSR .CSS .HTM .HTML .JS .JSP .PHP .RSS .XHTML. DOC .DOCX .LOG .MSG .ODT .PAGES .RTF .TEX .TXT .WPD .WPS .CSV .DAT .GED .KEY .KEYCHAIN .PPS .PPT .PPTX ..INI .PRFEncodedFiles .HQX .MIM .UUE .7Z .CBR .DEB .GZ .PKG .RAR .RPM .SITX .TAR.GZ .ZIP .ZIPX .BIN .CUE .DMG .ISO .MDF .TOAST .VCD SDF .TAR .TAX2014 .TAX2015 .VCF .XML Audio Files .AIF .IFF .M3U .M4A .MID .MP3 .MPA .WAV .WMA Video Files .3G2 .3GP .ASF .AVI .FLV .M4V .MOV .MP4 .MPG .RM .SRT .SWF .VOB .WMV 3D .3DM .3DS .MAX .OBJR.BMP .DDS .GIF .JPG ..CRX .PLUGIN .FNT .FON .OTF .TTF .CAB .CPL .CUR .DESKTHEMEPACK .DLL .DMP .DRV .ICNS .ICO .LNK .SYS .CFG”
The dropped infection marker files and encrypted files have the following pattern.
Fig. 2 Encrypted files pattern.
From the dropped infection marker files, .hta and .txt file have ransom note.
Dharma’s ransom note
Fig. 3 Ransom note
Fig. 4 Ransom note
Quick Heal proactively protects its users from the ‘.arrow’ variant of Dharma ransomware with its behavior-based and static detection features.
Fig. 5 Behavior Detection
Fig. 6 Static detection.
How to stay away from ransomware
- Use a multi-layered antivirus that can stop real-time threats.
- Keep your antivirus up-to-date.
- Update your Operating System regularly as critical patches are released every day.
- Keep your software up-to-date.
- Never directly connect remote systems to the Internet.
- Do not click on links or download attachments in emails received from unknown sources.
- Take regular data backup and keep it in a secure location.
Indicator of Compromise
- MD5: – d07bc4924a0b84f4f36871b47eed0593
Subject matter experts
Priyanka Dhasade, Shalaka Patil, Shashikala Halagond | Quick Heal Security Labs