
Group of unskilled Iranian hackers behind recent attacks with Dharma ransomware

August 24, 2020

Cyber-security firm Group-IB says it identified a group of low-skilled hackers operating out of Iran that has been launching attacks against companies in Asia and attempting to encrypt their networks with a version of the Dharma ransomware.

The attacks have targeted companies located in Russia, Japan, China, and India, according to a report Group-IB researchers published today.

The security firm described the group as “newbie hackers” based on the low level of sophistication and simple tactics and tools employed during attacks.

Per the report, the group used only publicly available hacking tools, either open-sourced on GitHub or downloaded from Telegram hacking channels.

These included the likes of Masscan, NLBrute, Advanced Port Scanner, Defender Control, and Your Uninstaller.

This suggests the group is not capable of developing their own hacking tools, or they do not (yet) possess the monetary resources to buy access to private and more advanced hacking utilities.

Even the use of the Dharma ransomware is considered a sign of a low-skilled attacker today, primarily because the ransomware’s source code was put up for sale and then leaked online earlier this year, making it available to any newcomers at literally no development cost.

Group breaches companies via RDP endpoints

Group-IB says this hacker gang prefers targeting Remote Desktop Protocol (RDP) endpoints to breach a target’s network.

RDP endpoints are today’s top entry vector into enterprise networks for ransomware gangs, according to reports from multiple cybersecurity firms, primarily due to the ease of identifying RDP systems and brute-forcing their credentials.
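
One way a defender can spot the RDP credential brute-forcing described above in Windows Security logon events, as an added example that is not from the Group-IB report or the original article. The CSV layout, sample lines, threshold and window are assumptions constructed for illustration; event IDs 4625 (failed logon) and 4624 (successful logon) and logon types 10 and 3 are the standard Windows values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624      # Windows Security log: failed / successful logon
RDP_LOGON_TYPES = {3, 10}         # 10 = RemoteInteractive; 3 = Network (RDP with NLA)

# Constructed sample, assumed CSV export: time,event_id,logon_type,source_ip,account
SAMPLE_LOG = """\
2020-08-24T02:10:01,4625,10,203.0.113.50,administrator
2020-08-24T02:10:04,4625,10,203.0.113.50,admin
2020-08-24T02:10:07,4625,10,203.0.113.50,backup
2020-08-24T02:10:11,4625,10,203.0.113.50,administrator
2020-08-24T02:10:15,4625,10,203.0.113.50,administrator
2020-08-24T02:10:19,4625,10,203.0.113.50,administrator
2020-08-24T02:10:23,4624,10,203.0.113.50,administrator
2020-08-24T08:59:40,4625,10,198.51.100.7,jsmith
2020-08-24T09:00:02,4624,10,198.51.100.7,jsmith
2020-08-24T09:05:00,4624,2,-,jsmith
""".splitlines()

def parse(line):
    ts, event_id, logon_type, ip, account = line.split(",")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), ip, account

def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: {"failures": n, "success_after": account or None}}."""
    recent = defaultdict(deque)   # source IP -> timestamps of failures inside the window
    alerts = {}
    for ts, event_id, logon_type, ip, account in sorted(map(parse, lines)):
        if logon_type not in RDP_LOGON_TYPES:
            continue              # ignore console and service logons
        fails = recent[ip]
        while fails and ts - fails[0] > window:
            fails.popleft()       # drop failures older than the window
        if event_id == FAILED:
            fails.append(ts)
            if len(fails) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "success_after": None})
                alert["failures"] = max(alert["failures"], len(fails))
        elif event_id == SUCCESS and ip in alerts and fails:
            # A success right after a burst of failures suggests a guessed password.
            alerts[ip]["success_after"] = account
    return alerts

if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

A single mistyped password followed by a successful logon, as in the second source address of the sample, stays below the threshold and raises no alert.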

Group-IB says that despite attacking companies in the private sector, this particular Iranian hacking group has not demanded ransoms in the realm of hundreds of thousands or millions of US dollars — which has become the norm for most ransomware gangs today.

Instead, the group has requested small ransom payments ranging from 1 to 5 bitcoin ($10k to $50k), most likely to ensure they’re getting paid and that they go under the radar, while authorities focus on the bigger gangs ransoming companies for millions.

In the grand scheme of things, this “newbie” group is a far cry from Iran’s most infamous ransomware gang: the operators of the SamSam ransomware.

SamSam was a professional hacker group that developed a very advanced ransomware strain and used it to target large corporations and government entities. The group wreaked havoc across the US in 2018 before disappearing after the US Department of Justice charged two of its members in December 2018.

However, even if this newer group is not as advanced and skilled as SamSam, companies shouldn’t ignore the risk they pose. Since 2017-2018, the cybercrime ecosystem has evolved to automate, simplify, and monetize the entire process of breaching companies and deploying ransomware.

While in 2017-2018, a group needed talented hackers to pull off a ransomware attack, today, even “newbie” groups like the ones in the Group-IB report can download hacking tools and follow tutorials shared on hacking forums to orchestrate their own intrusion and ransom attacks in a matter of days.

While some security experts will pin the blame on the proliferation of offensive hacking tools and hacking tutorials, the actual problem is entirely with companies, many of which are still failing at basic security hygiene, such as securing RDP systems they expose online with proper passwords, or patching servers and edge networking equipment, leaving glaring holes that even low-skilled hackers can exploit.

Credit: Zdnet
