Ransomware on the Rise: Small Businesses Under Siege

Inside the World of Dharma Ransomware-as-a-Service

Recent research by Sophos titled “Color by Numbers: Inside a Dharma RaaS Attack” gives us a fresh, detailed look at how this notorious ransomware is rolled out to cybercriminals. The report pulls apart the automated scripts, toolsets, and back‑end infrastructure that the operators package with their malicious offerings.

What Makes Dharma Tick?

  • Mass‑market charm – Since 2016, Dharma has evolved into one of the most profitable ransomware families, thanks to its service‑based model that’s as accessible as a fast‑food chain.
  • Variants galore – Source code snapshots are often dumped online or sold quietly, leading to around a dozen variations that keep defenders guessing.
  • Target focus – In 2020, a whopping 85% of Dharma attacks aimed at SMBs exploited exposed Remote Desktop Protocol (RDP) connections. Coveware reports the typical ransom hovered around $8,620 USD.

“Dharma is like a fast‑food franchise for ransomware: it’s cheap, it’s everywhere, and it’s easy to snag,” quips Sean Gallagher, senior threat researcher at Sophos.

Why SMBs Are at Risk

During the pandemic, many small companies had to shift to remote work, stretching already thin IT staff. This created a perfect storm:

  • Executive decision: We’re suddenly remote‑first, but perimeter systems are still left open.
  • IT overload: Monitoring and patching lag behind because staff are juggling new tools.
  • Result: Vulnerable infrastructure and device pools ripe for exploitation.

With the “Toolbox” script in hand, Dharma affiliates can deploy a menu‑driven PowerShell routine that jumps straight into the target network. The script boldly announces itself with a grin: “Have fun, bro!”

The Two‑Stage Decryption Riddle

Even when a victim obtains a key from an affiliate, the process is a two‑step maze:

  • First pass – An extractor tool pulls out all encrypted file metadata.
  • Second pass – Affiliates pass that data back to the main operators, who hand out the actual decryption key.

Effectiveness varies wildly. Gallagher notes that some affiliates withhold a portion of the keys as leverage for a second ransom, turning a simple recovery into a bargaining game.

Remember the Low‑Cost Gangsters

While headlines are dominated by multi‑million‑dollar attacks and “high‑profile” ransomware like WastedLocker, Dharma is still out there, targeting dozens of smaller businesses for that $8k sweet spot. Its success is a reminder that the threat landscape remains wide open for opportunists.
