Dharma
Known to be a RaaS
Description
Dharma is a prolific ransomware family active since at least 2016, evolving from the earlier CrySiS ransomware. It operates under a Ransomware-as-a-Service (RaaS) model, allowing affiliates to deploy customized builds with their own contact emails and file extensions. Dharma typically renames encrypted files with a suffix pattern like .id-[victimID].[email].dharma or another campaign-specific extension. Initial access is often gained through exposed Remote Desktop Protocol (RDP) services protected by weak or stolen credentials, sometimes combined with brute-force attacks. The malware encrypts files using AES and protects the AES keys with RSA, then drops ransom notes as text files and pop-up windows. Numerous variants have emerged over time, each linked to different affiliates, which makes attribution difficult.
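As an added example (not from this page or from any analysis it links to), the following Python scanner turns the file-naming pattern described above into a triage check: it parses a listing of file names, pulls out the victim ID, affiliate contact email and extension from names that follow the .id-[victimID].[email].ext pattern, and summarizes the affiliate emails seen, which is what lets a responder tell one affiliate campaign from another. The victim-ID character class, the sample listing and the example.invalid email addresses are constructed assumptions, not real indicators.

```python
import re
from typing import Iterable, List, Optional

# Added example, not code from the page or from any referenced project.
# Matches the suffix Dharma appends to encrypted files, per the description:
#   <original name>.id-<victimID>.[<affiliate email>].<extension>
# The allowed victim-ID characters are an assumption; the extension is left
# open because each affiliate campaign uses its own.
DHARMA_SUFFIX = re.compile(
    r"""
    \.id-(?P<victim_id>[A-Za-z0-9]+)       # victim identifier
    \.\[(?P<email>[^\]\s]+@[^\]\s]+)\]     # affiliate contact email in brackets
    \.(?P<ext>[A-Za-z0-9]+)$               # campaign-specific extension, e.g. dharma
    """,
    re.VERBOSE,
)


def parse_dharma_name(filename: str) -> Optional[dict]:
    """Return the parsed suffix fields for a Dharma-style name, else None."""
    m = DHARMA_SUFFIX.search(filename)
    if not m:
        return None
    return {
        "original": filename[: m.start()],  # name before the appended suffix
        "victim_id": m.group("victim_id"),
        "email": m.group("email"),
        "ext": m.group("ext"),
    }


def scan_filenames(names: Iterable[str]) -> List[dict]:
    """Collect every name in a listing that matches the Dharma suffix pattern."""
    return [p for p in (parse_dharma_name(n) for n in names) if p is not None]


def summarize(names: Iterable[str]) -> dict:
    """Count hits and list the distinct affiliate emails and victim IDs seen."""
    hits = scan_filenames(names)
    return {
        "count": len(hits),
        "emails": sorted({h["email"] for h in hits}),
        "victim_ids": sorted({h["victim_id"] for h in hits}),
    }


# Constructed sample listing (not real IoCs): two renamed files, one clean
# file, and one decoy that contains ".id-" without the bracketed email.
SAMPLE_LISTING = [
    "quarterly_report.xlsx",
    "quarterly_report.xlsx.id-1A2B3C4D.[contact@example.invalid].dharma",
    "photo.jpg.id-DEADBEEF.[help@example.invalid].cezar",
    "notes.id-not-an-email.txt",
]

if __name__ == "__main__":
    for hit in scan_filenames(SAMPLE_LISTING):
        print(hit)
    print(summarize(SAMPLE_LISTING))
```

Running the scan over a share or backup listing is cheap and gives two things the description calls out: the same contact email across several extensions points at one affiliate's builds, while a single victim ID confirms the files came from one infection rather than several. A name that merely contains ".id-" but lacks the bracketed email, like the decoy above, is not reported.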
External Analysis
https://www.bleepingcomputer.com/news/security/dharma-ransomware-switches-to-the-aes-256-encryption-algorithm/
https://www.cisa.gov/news-events/alerts/aa23-259a
https://www.trendmicro.com/en_us/research/19/h/dharma-ransomware-continues-to-target-servers-via-open-rdp-ports.html