Dharma Ransomware Used to Steal Money by Exploiting RDP Access
Iranian threat actors are using Dharma ransomware together with remote-control software to compromise computers. The goal of the attacks is to extort money from victim corporations across the globe. The attackers continue to take advantage of weaknesses in remote-access setups at organizations that are running their businesses remotely.
The cyber criminals behind these Dharma attacks target companies that expose Remote Desktop Protocol (RDP), which tech support personnel commonly use to remotely control an employee's computer. RDP is Microsoft's remote-control protocol; it listens on TCP port 3389 by default, and when that port is reachable from the internet, anyone in the world can attempt to log on to the machine.
Some attackers reportedly also attempt to exploit CVE-2013-0213, a weakness in the Samba Web Administration Tool (SWAT) that allows remote attackers to conduct clickjacking attacks by loading SWAT inside a FRAME or IFRAME element. A caveat for defenders: that CVE is a flaw in Samba's web administration interface, not in RDP or Windows, and it does not by itself give remote access to a Windows host; the intrusions described here begin with RDP credential brute-forcing.
Ransomware attacks are a major concern for corporations. The increase in people working from home gives cyber criminals more opportunities to compromise corporate assets. Phishing emails, malicious websites, and infected USB flash drives are all common ways to infect a computer or IT network with ransomware.
The typical employee working from home has had little useful cyber security training; even a basic course such as cyber security essentials could help prevent an attack on corporate servers.
What is Dharma Ransomware?
Dharma, also known as CrySIS, is a ransomware family distributed under a RaaS (ransomware-as-a-service) model. In the RaaS model the developers write and maintain the malware, while other cybercriminals (affiliates) distribute it and pay the developers a percentage of each ransom as a fee for using the ransomware.
Industries attacked with Dharma Ransomware
- Financial Services
“The fact that Dharma source code has been made widely available led to the increase in the number of operators deploying it. It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage,” says Oleg Skulkin, Senior Digital Forensic Specialist.
Threat actors know how RDP is typically deployed: they look for hosts with port 3389 reachable from the internet and go after accounts protected by weak passwords. Brute-force password-guessing attacks against those accounts are used to gain access to the machine.
Once the threat actor logs on to the target’s computer over RDP, they control it with the privileges of the compromised account: they can read, edit, or delete files and install whatever they want, including the ransomware itself.
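The intrusion pattern above (many failed RDP logons from one source, then a success) leaves a clear trace in the Windows Security log: event 4625 for each failed logon and 4624 for the successful one, with LogonType 10 (RemoteInteractive) or 3 (Network, which is how NLA pre-authentication failures often appear). The following is an added detection example written for this article, not code from the original page or from any vendor report. It assumes Security events have already been exported (for example with `Get-WinEvent` or `wevtutil`) into dicts with the fields shown, and the sample events are constructed, not real logs.

```python
"""Flag RDP brute-forcing, and a successful logon that follows it, from
Windows Security events. Added example; assumes events are dicts with
EventID, TimeCreated, IpAddress, TargetUserName and LogonType."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625          # "An account failed to log on"
SUCCESS_LOGON = 4624         # "An account was successfully logged on"
RDP_LOGON_TYPES = {3, 10}    # 10 = RemoteInteractive (RDP), 3 = Network (NLA failures)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return alerts in time order.

    An 'rdp_bruteforce' alert fires once per source IP when it produces
    `threshold` or more failed RDP logons inside a sliding `window`.
    An 'rdp_success_after_bruteforce' alert fires when that same IP later
    logs on successfully, which is the signal worth paging on.
    """
    failures = defaultdict(deque)   # ip -> deque of (timestamp, username)
    flagged = set()                 # ips already reported as brute-forcing
    alerts = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("LogonType") not in RDP_LOGON_TYPES:
            continue
        ip, ts = ev.get("IpAddress"), ev["TimeCreated"]
        if not ip or ip == "-":     # local or console logons carry no address
            continue
        if ev["EventID"] == FAILED_LOGON:
            recent = failures[ip]
            recent.append((ts, ev["TargetUserName"]))
            while recent and ts - recent[0][0] > window:   # drop old failures
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({
                    "type": "rdp_bruteforce", "ip": ip, "time": ts,
                    "failures": len(recent),
                    "distinct_users": len({u for _, u in recent}),  # spraying vs. one account
                })
        elif ev["EventID"] == SUCCESS_LOGON and ip in flagged:
            alerts.append({"type": "rdp_success_after_bruteforce", "ip": ip,
                           "user": ev["TargetUserName"], "time": ts})
    return alerts


# --- constructed sample events (not real log data) -----------------------
BASE = datetime(2020, 6, 15, 3, 0, 0)


def _ev(event_id, seconds, ip, user, logon_type):
    return {"EventID": event_id, "TimeCreated": BASE + timedelta(seconds=seconds),
            "IpAddress": ip, "TargetUserName": user, "LogonType": logon_type}


GUESSED = ["admin", "administrator", "user", "test", "backup", "sql",
           "scan", "guest", "it", "support", "helpdesk", "root"]
SAMPLE_EVENTS = (
    # attacker: 12 failures ten seconds apart, then a successful RDP logon
    [_ev(FAILED_LOGON, 10 * i, "203.0.113.5", u, 3) for i, u in enumerate(GUESSED)]
    + [_ev(SUCCESS_LOGON, 130, "203.0.113.5", "administrator", 10)]
    # legitimate user who mistyped twice, then got in
    + [_ev(FAILED_LOGON, 5, "198.51.100.7", "alice", 10),
       _ev(FAILED_LOGON, 20, "198.51.100.7", "alice", 10),
       _ev(SUCCESS_LOGON, 40, "198.51.100.7", "alice", 10)]
)

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: an exposed RDP host will see background scanning noise every day, so the alert that matters is the second one, where an address that was guessing passwords minutes earlier now holds a session. On real exports, `IpAddress` of `-` or `::1` marks local logons and is skipped for that reason.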
Dharma ransomware was first seen in the wild in 2016. This wave of attacks started in June 2020 and has targeted companies in Russia, Japan, China, and India.
“Although these cyber criminals use quite common tactics, techniques, and procedures, they have been quite effective,” says Skulkin.
How Does a Cyber Security Training Program Work?
A robust security policy and device management can help prevent ransomware attacks. All employees should have at least basic security training to recognize phishing emails and understand the consequences of clicking on links in emails or downloading malicious attachments.
While traditional training includes in-person sessions, a modern cyber security training program can be provided through online courses that are cost-effective for employers and convenient to schedule for employees.
Employees can take additional cyber security training to expand their knowledge or to earn certifications.