ZDNet reports that over the past weekend the source code of Dharma, one of the most profitable ransomware families of recent years, was put up for sale on two Russian-language hacker forums. The asking price is $2,000.
Recall that earlier this year, in a presentation at the RSA Conference, the FBI named Dharma the second most profitable ransomware of recent years: between November 2016 and November 2019 its operators collected $24 million in ransom payments from victims.
ZDNet quotes several unnamed information security experts who agree that the sale of the Dharma code is likely to end in a public leak before long, putting the malware in the hands of a much wider audience. Once the source is circulating among many criminal groups, they expect a surge of new attacks based on it.
The head of McAfee's cyber intelligence team, however, told ZDNet that the Dharma code has been circulating among criminals for a long time and has only now surfaced on public forums. He added that he hopes the source will sooner or later reach information security researchers, which would help identify weaknesses in the malware and build decryptors.
The publication recalls that Dharma has existed since 2016 and that the ransomware it is built on was originally called CrySiS. It operated under the ransomware-as-a-service (RaaS) model: other criminals could build their own variants of the malware and distribute them, typically through spam campaigns, exploit kits, or RDP brute-force attacks.
At the end of 2016, a user with the handle crss7777 posted on the Bleeping Computer forums a link to a Pastebin page containing the CrySiS master keys, which experts later confirmed were genuine. After that CrySiS ceased to exist and was "reborn" as Dharma.
Although Dharma's keys suffered the same fate in 2017, this time the operators did not rebrand and continued to work, eventually turning their RaaS into one of the most popular ransomware offerings on the market.
Dharma has received regular updates over the years. For example, in 2018 and 2019 the criminal underground adapted to new trends and moved from mass distribution of ransomware through email spam to targeted attacks on corporate networks, and Dharma's operators followed suit.
It is also noted that in the spring of 2019 a new ransomware strain, Phobos, appeared and was used mainly in targeted attacks. Researchers at Coveware and Malwarebytes observed that it is almost identical to Dharma. Dharma did not disappear, however, and continued to operate in parallel with Phobos: Avast researchers spotted three new Dharma versions just last week.