Dharma Ransomware Uses AV Tool to Distract from Malicious Activities (May 8, 2019)
Trend Micro researchers have identified a new technique used by threat actors to conceal the malicious activity of the “Dharma” ransomware. The actors distribute spam emails that urge the recipient to download a file from a link in the message. When the link is followed, the user is prompted for a password before receiving the file. The downloaded file drops components of the Dharma ransomware. To distract the victim, a legitimate antivirus installer is launched in the foreground while files are encrypted in the background; the ransomware runs regardless of whether the victim ever runs or completes that installer. The victim is then shown a message explaining where to pay the ransom to decrypt their files.
Recommendation: To help defend against Dharma, individuals and organizations should secure their email gateways to filter spam, and users should avoid opening suspicious emails or following links in them. Users should regularly back up files and keep systems and applications up to date. Ransomware is a continually evolving threat, so it is paramount to have a comprehensive, tested backup solution in place; backups should be kept offline or otherwise isolated so that the ransomware cannot encrypt them as well. If a restorable backup is not available, a decryptor may exist that can recover the encrypted files. Additionally, educate employees about the dangers of downloading applications that are not offered from the official provider's or developer's website, and make clear that a legitimate installer appearing on screen is not evidence that a download was benign.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.