Lately, ransomware has become very popular among hackers. It not only causes severe downtime but also leads to a significant amount of data loss. Ransomware is basically malware that encrypts user data and blocks access to it. The data can only be accessed once a ransom is paid to the hacker or the ones behind the attack. Over the past couple of years, ransomware has evolved and today it has several variants. Also, the main reason behind its popularity is its effectiveness — it is practically very difficult to break the encryption and sometimes it’s even impossible.
Dharma is one such ransomware and is considered to be one of the most notorious. Since 2006, this ransomware has been continuously evolving and has become increasingly active lately. According to a source, its activity increased by a margin of 148% from February 2019 to April 2019.
In this article, we are going to take a deep look at this filthy ransomware — how it works and why it is one of the most dangerous members of the ransomware family.
How does Dharma Ransomware Work?
Dharma is a family of encrypting ransomware Trojans that has compromised numerous computers all across the world to date. This ransomware mainly targets directories inside the Users directory on Windows. Every time a file is added to such a directory, the malware encrypts the file and adds the suffix [email@example.com].dharma.
One of the unique things about Dharma is that it doesn’t affect the entire computer; instead, it hides inside the system and keeps encrypting files every time they are added to the directory. So basically, one has to remove it in order to decrypt the files. The ransomware usually leaves a ransom note; however, the note changes depending on the variant.
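The file-naming behaviour described above gives a defender a cheap indicator to sweep for. The following is an added example (not code from the original article or from any vendor) that scans a list of file paths for the suffix pattern the article describes, an "[email].dharma" tail appended to the original name, and counts hits per top-level folder under C:\Users so an analyst can see where encryption is active. The sample paths are constructed for illustration, and the regular expression is an assumption based only on the suffix format given in the article.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Assumed pattern for the suffix the article describes: an optional dot, then a bracketed
# contact address containing '@', then ".dharma", all at the very end of the file name.
DHARMA_SUFFIX = re.compile(
    r"\.?\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]\.dharma$", re.IGNORECASE
)

# Constructed sample of paths as a file-system inventory might list them (not real data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx.[restore@example.com].dharma",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Pictures\trip.jpg.[restore@example.com].dharma",
    r"C:\Users\bob\Desktop\plan.docx.[Restore@Example.com].dharma",
    r"C:\Windows\System32\drivers\etc\hosts",
    r"C:\Users\alice\Documents\readme.dharma",  # no bracketed contact: not the pattern
]


def classify_path(path: str):
    """Return (original_name, contact_email) if the name carries the Dharma suffix, else None."""
    name = PureWindowsPath(path).name
    match = DHARMA_SUFFIX.search(name)
    if not match:
        return None
    return name[: match.start()], match.group("email")


def find_dharma_artifacts(paths):
    """List (path, original_name, contact_email) for every path that matches the suffix."""
    hits = []
    for path in paths:
        result = classify_path(path)
        if result:
            hits.append((path, result[0], result[1]))
    return hits


def directories_under_users(hits):
    """Count hits per C:\\Users\\<name>\\<folder>, the area the article names as Dharma's target."""
    counter = Counter()
    for path, _, _ in hits:
        parts = PureWindowsPath(path).parts  # e.g. ('C:\\', 'Users', 'alice', 'Documents', ...)
        if len(parts) >= 4 and parts[1].lower() == "users":
            counter[str(PureWindowsPath(*parts[:4]))] += 1
    return counter


if __name__ == "__main__":
    found = find_dharma_artifacts(SAMPLE_PATHS)
    for path, original, email in found:
        print(f"{path}\n  original file: {original}\n  contact address in suffix: {email}")
    for folder, count in directories_under_users(found).most_common():
        print(f"{count} encrypted file(s) under {folder}")
```

Because the article says the malware keeps encrypting new files for as long as it is present, running such a sweep repeatedly and watching the per-folder counts grow is a simple way to confirm the infection is still live rather than historical.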
But you must be wondering — how does this ransomware end up inside a computer? What basically happens is that the ransomware is spread across the world through email campaigns claiming to be legitimate (the email usually claims that the Windows machine is at risk) and asking the user to download a password-protected attachment named Defender.exe. The password is listed in the email itself. The entire process is so effective that numerous people over the years have ended up downloading it.
That is not all; the real game starts when the user executes the downloaded file. It is basically a self-extracting archive that drops the malicious file taskhost.exe along with an old version of ESET AV Remover renamed Defender_nt32_enu.exe. Once the extraction is done, the ESET AV Remover installer launches automatically, which makes the victim feel that the entire process is legitimate and distracts him/her from noticing Dharma encrypting the contents of the hard drive in the background.
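The drop chain just described leaves a recognisable shape in process-creation telemetry: one parent (the self-extracting archive) starts two executables from the same freshly extracted directory, and one of them borrows the name of a Windows system binary (taskhost.exe) while living outside the Windows system directories. The example below is added here and is not code from the original article; it runs two detection rules over a constructed set of process-creation events of the kind a sensor such as Sysmon event ID 1 would provide. The event schema, the temp-directory path and the process IDs are all assumptions made up for the illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Directories where genuine Windows system binaries live (lower-cased, with trailing separator).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Binary names the article says the dropper reuses; a real deployment would extend this set.
SYSTEM_BINARY_NAMES = {"taskhost.exe"}

# Constructed process-creation events modelled on the chain in the article (not real telemetry):
# the downloaded Defender.exe (pid 4001) spawns taskhost.exe and the renamed ESET AV Remover
# from the same extraction directory; pid 5100 is an unrelated, genuine system taskhost.exe.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4001, "ppid": 3200, "image": r"C:\Users\alice\Downloads\Defender.exe"},
    {"ts": 101, "pid": 4002, "ppid": 4001, "image": r"C:\Users\alice\AppData\Local\Temp\Defender\taskhost.exe"},
    {"ts": 102, "pid": 4003, "ppid": 4001, "image": r"C:\Users\alice\AppData\Local\Temp\Defender\Defender_nt32_enu.exe"},
    {"ts": 500, "pid": 5100, "ppid": 800, "image": r"C:\Windows\System32\taskhost.exe"},
]


def is_masquerading_system_binary(image: str) -> bool:
    """True when a file named like a Windows system binary runs from outside the system directories."""
    low = image.lower()
    return PureWindowsPath(low).name in SYSTEM_BINARY_NAMES and not low.startswith(SYSTEM_DIRS)


def detect_dharma_drop_chain(events, window_seconds=60):
    """Apply two rules and return a list of alert dicts.

    Rule 1: any masquerading system binary (e.g. taskhost.exe outside System32).
    Rule 2: a masquerading binary started by the same parent, from the same directory and
            within `window_seconds`, as another executable (the decoy installer pattern).
    """
    alerts = []
    children_by_parent = defaultdict(list)
    for event in sorted(events, key=lambda e: e["ts"]):
        if is_masquerading_system_binary(event["image"]):
            alerts.append({"rule": "system_binary_name_outside_system_dir",
                           "pid": event["pid"], "image": event["image"]})
        children_by_parent[event["ppid"]].append(event)

    for ppid, kids in children_by_parent.items():
        for masq in (k for k in kids if is_masquerading_system_binary(k["image"])):
            masq_dir = PureWindowsPath(masq["image"]).parent
            siblings = [
                k for k in kids
                if k is not masq
                and abs(k["ts"] - masq["ts"]) <= window_seconds
                and PureWindowsPath(k["image"]).parent == masq_dir
            ]
            if siblings:
                alerts.append({"rule": "decoy_installer_beside_masquerading_binary",
                               "parent_pid": ppid,
                               "images": [masq["image"]] + [s["image"] for s in siblings]})
    return alerts


if __name__ == "__main__":
    for alert in detect_dharma_drop_chain(SAMPLE_EVENTS):
        print(alert)
```

Rule 1 on its own already catches the dropped taskhost.exe; rule 2 adds the context that makes the alert actionable, namely that the decoy installer the victim is watching came from the same parent and directory as the file doing the encryption.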
Pulling off such an effective trick through an email campaign is not easy. No doubt, the ransomware itself is notorious and dangerous enough. But the hackers behind it seem even wittier and are experts in social engineering, as it is not just the technology behind Dharma but the convincing campaigns that lead to the installation of the malicious software.
How To Stay Safe?
As we know, email campaigns are one of the major ways of distributing this notorious ransomware, so the first thing we need to do is verify that the email we are receiving comes from an authentic source. Also, if the attachment is a tool that claims to sort out a problem in your system, then check that the tool is legitimate and up to date — a legitimate vendor would never distribute an outdated tool.
If that doesn’t work for you and you still want to keep your files safe, then adopt the habit of backing up your files. Backups are considered one of the best practices in cybersecurity. So, even if your files get affected or encrypted by ransomware, you always have a separate copy to work from.
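A backup is only as good as your ability to tell that it is still intact when the live copy has been encrypted. The example below is added here and is not code from the original article: it records a SHA-256 manifest of the original files, then checks both the live tree and the backup tree against that manifest, reporting files that are missing, changed, or unexpected. The demo builds everything in a temporary directory with constructed file contents, and the ransomware's effect on the live copy is simulated simply by replacing one file with a differently named one.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to the SHA-256 digest of its content."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def verify_backup(manifest: dict, tree_root: Path) -> dict:
    """Compare a directory tree against a manifest taken from the originals."""
    current = build_manifest(tree_root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: originals and backup start identical, then the live copy is damaged."""
    with tempfile.TemporaryDirectory() as tmp:
        originals = Path(tmp, "originals")
        backup = Path(tmp, "backup")
        for root in (originals, backup):
            (root / "Documents").mkdir(parents=True)
            (root / "Documents" / "budget.xlsx").write_bytes(b"constructed spreadsheet bytes")
            (root / "Documents" / "notes.txt").write_bytes(b"constructed notes")

        manifest = build_manifest(originals)  # taken while the files are known good

        # Simulate what the article describes happening to the live copy: the original is
        # gone and a renamed file with unreadable content sits in its place (no real encryption).
        (originals / "Documents" / "budget.xlsx").unlink()
        (originals / "Documents" / "budget.xlsx.[restore@example.com].dharma").write_bytes(b"\x00opaque")

        return {
            "live": verify_backup(manifest, originals),
            "backup": verify_backup(manifest, backup),
        }


if __name__ == "__main__":
    report = demo()
    print("live tree  :", report["live"])
    print("backup tree:", report["backup"])
```

The same manifest-and-verify step belongs in any restore drill: if the backup tree reports no missing or changed entries, the separate copy the article recommends is genuinely usable; if it does, you learn that before you need it rather than after.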
Cyber-attacks will keep happening, as technology is empowering not only innovative organisations but also wrongdoers. Be prepared to tackle cyber threats — prepared enough to at least mitigate the consequences.