Security researchers have discovered a new variant of Dharma ransomware that appends the .brrr extension to the files it encrypts.
The new variant was discovered by security researcher Jakub Kroustek.
The ransomware targets Remote Desktop Protocol (RDP) services exposed directly to the internet. The attacker scans for systems with RDP listening on TCP port 3389 and attempts to gain access by brute-forcing login credentials.
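Because the article says the initial access is password guessing against internet-facing RDP, the detection a defender wants is a burst of failed remote-interactive logons from one source. The following is an added example, not code from the article or from the researcher it cites: it runs over a handful of constructed Windows Security log records and assumes that Event ID 4625 is a failed logon and that logon type 10 (RemoteInteractive) identifies an RDP session; the threshold and time window are illustrative values chosen for the example.

```python
# Added example, not from the original article: spot RDP password-guessing
# in Windows Security log records. Assumptions: failed logons are Event ID 4625,
# and logon type 10 (RemoteInteractive) marks an RDP session; the threshold and
# time window are illustrative values, not figures from the article.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, source_ip, account).
# 203.0.113.7 works through three accounts six times in 30 seconds; 198.51.100.4
# is a user who mistyped twice and then got in (4624); the last line is a local
# console failure (logon type 2) and therefore not an RDP event.
SAMPLE_EVENTS = [
    ("2018-09-10T02:00:01", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-09-10T02:00:06", 4625, 10, "203.0.113.7", "administrator"),
    ("2018-09-10T02:00:11", 4625, 10, "203.0.113.7", "admin"),
    ("2018-09-10T02:00:16", 4625, 10, "203.0.113.7", "admin"),
    ("2018-09-10T02:00:21", 4625, 10, "203.0.113.7", "backup"),
    ("2018-09-10T02:00:26", 4625, 10, "203.0.113.7", "backup"),
    ("2018-09-10T08:15:00", 4625, 10, "198.51.100.4", "jsmith"),
    ("2018-09-10T08:15:40", 4625, 10, "198.51.100.4", "jsmith"),
    ("2018-09-10T08:16:05", 4624, 10, "198.51.100.4", "jsmith"),
    ("2018-09-10T09:00:00", 4625, 2, "198.51.100.9", "svc-print"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: (max_failures_in_window, accounts_tried)} for every
    source that produced at least `threshold` failed RDP logons inside `window`."""
    failures = defaultdict(list)
    accounts = defaultdict(set)
    for ts, event_id, logon_type, src, account in events:
        if event_id == 4625 and logon_type == 10:
            failures[src].append(datetime.fromisoformat(ts))
            accounts[src].add(account)

    flagged = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        peak = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = (peak, sorted(accounts[src]))
    return flagged


if __name__ == "__main__":
    for src, (count, accts) in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(f"{src}: {count} failed RDP logons within a minute, accounts tried: {accts}")
```

The sliding window keeps the check independent of how the records are ordered in the export, and reporting the set of account names tried makes a slow spray across many usernames visible alongside repeated guesses at one account.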
Working of Dharma Ransomware
Once installed, the ransomware scans for files and begins encrypting them. Each encrypted file is given an extension of the form .id-[id].[email].brrr; for example, the file 1.jpg is encrypted and renamed 1.jpg.id-BCBEF35.[email@example.com].brrr.
While encrypting files, the ransomware creates two ransom notes. The first, Info.hta, is launched automatically whenever the user logs in to the computer.
The second, named FILES ENCRYPTED.txt, is placed on the user's desktop.
The ransom notes explain what happened to the victim's files and give payment instructions.
Victims are asked to email firstname.lastname@example.org to get payment instructions.
The ransomware is configured to start automatically when the user logs in. It also encrypts all mapped network drives, shared virtual machine host drives and unmapped network drives.
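The renaming scheme and the two note filenames described above are the indicators a responder can check for in a file listing. The following is an added example, not code from the article: it parses the .id-[id].[email].brrr pattern, groups encrypted files by the id and contact address embedded in their names, and picks out the Info.hta and FILES ENCRYPTED.txt notes. It assumes the victim id is a run of hex digits, as in the article's BCBEF35, and the listing it runs on is constructed (the article's own example filename plus made-up neighbours).

```python
# Added example, not from the original article: recognise the .brrr naming
# scheme and the two ransom-note filenames in a directory listing. Assumption:
# the victim id is a run of hex digits, as in the article's example BCBEF35.
import re
from collections import defaultdict

# Original name + .id-<id>.[<email>].brrr, as described in the article.
DHARMA_BRRR_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<id>[0-9A-Fa-f]+)\.\[(?P<email>[^\]]+)\]\.brrr$"
)

# Ransom notes dropped alongside the encrypted files (compared case-insensitively).
RANSOM_NOTE_NAMES = {"info.hta", "files encrypted.txt"}


def parse_dharma_name(filename):
    """Return {'original', 'id', 'email'} if filename follows the .brrr scheme, else None."""
    m = DHARMA_BRRR_RE.match(filename)
    return m.groupdict() if m else None


def triage_listing(filenames):
    """Group encrypted files by the (id, email) pair embedded in their names and
    collect ransom notes and untouched files separately, so a responder can see
    at a glance which contact address each batch of files points to."""
    encrypted = defaultdict(list)
    notes, untouched = [], []
    for name in filenames:
        parsed = parse_dharma_name(name)
        if parsed:
            encrypted[(parsed["id"], parsed["email"])].append(parsed["original"])
        elif name.lower() in RANSOM_NOTE_NAMES:
            notes.append(name)
        else:
            untouched.append(name)
    return {"encrypted": dict(encrypted), "notes": notes, "untouched": untouched}


# Constructed listing: the article's own example plus a few made-up neighbours.
SAMPLE_LISTING = [
    "1.jpg.id-BCBEF35.[email@example.com].brrr",
    "budget.xlsx.id-BCBEF35.[email@example.com].brrr",
    "Info.hta",
    "FILES ENCRYPTED.txt",
    "readme.md",
    "archive.tar.gz.id-BCBEF35.[email@example.com].brrr",
]

if __name__ == "__main__":
    result = triage_listing(SAMPLE_LISTING)
    for (victim_id, email), originals in result["encrypted"].items():
        print(f"id {victim_id}, contact {email}: {len(originals)} files, e.g. {originals[0]}")
    print("ransom notes:", result["notes"])
    print("untouched:", result["untouched"])
```

Keeping the original name as a capture group means the listing doubles as an inventory of what needs restoring from backup; the id and email groups are what you would compare against the ransom note to confirm the files belong to the same infection.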
Always follow these basic precautions to protect yourself from a Dharma ransomware attack:
- In this case the ransomware is installed through remote desktop services, so make sure RDP is never exposed directly to the internet; reach it through a VPN instead.
- Perform regular backups. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Maintain updated antivirus software on all systems.
- Don't open attachments in unsolicited e-mails, even if they come from people in your contact list, and never click on a URL contained in an unsolicited e-mail, even if the link seems benign. If the URL appears to be genuine, close the e-mail and go to the organization's website directly through the browser.
- Keep the operating system and third-party applications (MS Office, Flash Player, browsers, browser plugins) up to date with the latest patches.