grandeduc - Fotolia

How does the new Dharma Ransomware variant work?

Brrr ransomware, a Dharma variant, was found adding malicious extensions to encrypted files. Discover how this is possible and how this attack can be mitigated with Judith Myerson.

Brrr, a new Dharma Ransomware variant, appends malicious extensions to encrypted files. How does this variant work? How can users protect themselves?

Dharma Ransomware is a cryptovirus that encrypts user files and demands a ransom in exchange for a decryption key. The malware is manually delivered by attackers who exploit Remote Desktop Protocol (RDP) services via TCP port 3389 and brute force the password to gain access to a computer.

AES is used to encrypt files on unprotected mapped network drives, shared virtual machine host drives and unmapped network shares. With the Dharma Ransomware attack, a ransom note is added to encrypted text files, such as FILES ENCRYPTED.txt or Info.hta, and a contact email address is included to relay payment instructions.

At least 15 variants of the Dharma Ransomware have been released since 2016, with the latest versions including an email address to contact attackers, as well as file extensions attached to encrypted files. While payment instructions differ with each variant, the Brrr ransomware variant -- which was detected in September 2018 -- encrypts a file, like abc.doc, and appends the extension .brrr; for example,[[email protected]].brrr.

Another Dharma Ransomware variant, Dharma-Btc, surfaced in late 2016 and provided victims with instructions on how to make payments with bitcoin. This variant appends .btc to the file extension, as well as the encryption identification and email contact address, similar to the Brrr variant.

A week after the Brrr ransomware was found, Gamma ransomware was detected. This variant can test decryption and offers instructions on how to create a cryptocurrency wallet. Other variants include file extensions appended with .wallet, .zzzzz, .combo, .bkp and .onion.

The number one defense against Dharma Ransomware is removing support for RDP, which is considered unsafe for most uses. Other methods to defend against Dharma Ransomware include backing up important files and moving computers that must run RDP behind VPNs.

Users can also use attachment scanning, ignore suspicious attachments and use different passwords for different sites. Likewise, free decryptor tools are available for some variants; however, these tools need to be scanned for vulnerabilities.

Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)

Dig Deeper on Threats and vulnerabilities

Enterprise Desktop
Cloud Computing