The source code of a major ransomware strain named Dharma has been put up for sale on two Russian hacker forums over the weekend.
The FBI, in a talk at the RSA security conference this year, ranked Dharma the second most lucrative ransomware operation in recent years, having extorted more than $24 million in payments from victims between November 2016 and November 2019.
Now, its source code is being sold for a price as low as $2,000 — which has security researchers on edge.
Several ransomware experts who spoke with ZDNet today said the sale of the Dharma ransomware code would most likely result in its eventual leak on the public internet, and to a wider audience. This, in turn, would result in the broader proliferation among multiple cybercrime groups, and an eventual surge in attacks.
The reason for everyone’s worries is that Dharma is an advanced ransomware strain, created by a knowledgeable malware author. Its encryption scheme is very advanced, and has been undecryptable since 2017.
To be more precise, the only times the ransomware was “decrypted” was after unknown individuals leaked the master decryption keys — and not because of an encryption flaw.
A short history of Dharma
The Dharma ransomware operation has a long and sinuous history. It initially started out under the name of CrySiS in the summer of 2016.
CrySis was a so-called Ransomware-as-a-Service (RaaS) operation. The CrySiS author created a service where customers (other criminal gangs) could generate their own versions of the ransomware to distribute to victims — usually via spam campaigns, exploit kits, or brute-force attacks on RDP endpoints.
After someone leaked the CrySiS master decryption keys online in November 2016, the CrySiS RaaS relaunched under the name of Dharma two weeks later.
While some Dharma master decryption keys were also leaked online in March 2017, Dharma operators didn’t rebrand this time around, and continued to operate undisturbed, building their RaaS into one of the biggest ransomware turnkey solutions in the criminal underworld.
For years, there has been a constant flow of new Dharma versions, as the ransomware received updates and new customers signed up to distribute it all over the globe, each spreading its own unique Dharma variation.
As the criminal underground adapted in 2018 and 2019 — from ransomware mass-distribution (via email spam) to targeted attacks (on corporate networks) — so did Dharma.
In the spring of 2019, a new ransomware strain called Phobos emerged online, used primarily in targeted attacks. Security researchers from Coveware and Malwarebytes were quick to point out that Phobos was nearly identical with Dharma.
But Dharma didn’t die out once the new Phobos branch was released. Michael Gillespie, a malware researcher at Emsisoft, and the creator of ID-Ransomware, told ZDNet that uploads to the ID-Ransomware service remained about 50-50 for both Dharma and Phobos throughout last year.
These stats are also confirmed by cyber-security firm Coveware, which said in a report that Dharma amounted for 9.3% of ransomware incidents in Q4 2019, while Phobos accounted for 10.7%.
Jakub Kroustek, threat intel lead at Avast, spotted three new Dharma versions this week alone, which means criminal groups are still finding Dharma’s code reliable and continue to use it even today, more than three years since its launch.
John Fokker, head of cyber investigations at McAfee, told ZDNet that the Dharma code had already been circulating in the hacker underground for quite some time and that it’s only now surfacing on more public forums.
Gillespie, who released tens of ransomware decrypters in the past and has even received an FBI award for his efforts, told ZDNet he’s been unable to find decryption flaws in Dharma in the past.
Fokker now hopes that the Dharma source code eventually finds its way into the hands of security researchers.
“If we (good guys) can get our hands on the source, we might be able to find some flaws,” Fokker told ZDNet today.