Dharma, also known as CrySiS, is a ransomware family that has been active since 2016 and continues to be a major threat, particularly to small and medium-sized businesses (SMBs). Unlike some of the more sophisticated ransomware families, Dharma is known for its simplicity and persistence, often targeting organizations with fewer cybersecurity resources. Estimated financial losses associated with Dharma attacks are in the millions of dollars, with thousands of victims worldwide. Industries like healthcare, hospitality, and professional services have been heavily targeted by Dharma. Despite the availability of decryption tools for some variants, Dharma remains a persistent threat in the ransomware landscape.
What is Dharma (CrySiS) Ransomware?
Dharma is a ransomware family that encrypts a victim’s files and demands a ransom for decryption. It is distributed primarily through compromised Remote Desktop Protocol (RDP) sessions, making it one of the most common ransomware threats for organizations that rely on remote access. Once the ransomware gains access to a system, it encrypts files and adds a unique extension to the affected files, typically including the attacker’s contact information. The ransom demands associated with Dharma vary but typically range from $500 to $10,000 in Bitcoin, depending on the size and resources of the targeted organization.
How does Dharma work?
Dharma ransomware primarily spreads through RDP compromises. Attackers gain access to a victim’s system through poorly secured RDP credentials or by exploiting vulnerabilities in the remote desktop protocol. Once inside, Dharma encrypts a wide range of file types, including documents, images, and databases. The ransomware appends a unique extension to each file and leaves behind a ransom note with instructions on how to contact the attackers and pay the ransom. Victims are typically required to pay in Bitcoin, and the ransom amount depends on the size and perceived wealth of the organization. Dharma is known for being particularly difficult to decrypt without the attackers’ cooperation, making backups essential for recovery.
History and Evolution
Dharma first emerged in 2016 and quickly gained traction due to its reliance on RDP vulnerabilities, which allowed attackers to gain access to systems remotely. Over time, Dharma has evolved, with new variants emerging regularly. Some of these variants have been successfully decrypted, thanks to law enforcement efforts and cybersecurity researchers. However, new versions of Dharma continue to appear, making it one of the most persistent ransomware families. The ransomware’s simplicity and reliance on RDP make it a popular choice for attackers targeting SMBs with limited cybersecurity defenses.
Notable Attacks
Dharma has been involved in numerous attacks, particularly targeting small and medium-sized businesses:
- Healthcare Providers: Throughout 2019 and 2020, Dharma ransomware targeted several healthcare providers in the U.S., leading to the encryption of patient records and significant operational disruptions.
- Hospitality Industry: Dharma has been linked to multiple attacks on hotels and hospitality providers, where the ransomware encrypted booking systems and customer data, leading to significant downtime.
- Professional Services: Law firms, accounting firms, and other professional services businesses have been frequent targets of Dharma, as attackers take advantage of the sector’s reliance on sensitive client data to pressure victims into paying ransoms.
Impact and Threat Level
Dharma’s impact has been particularly pronounced in small and medium-sized businesses, where the ransomware can cause significant operational disruptions. The financial losses associated with Dharma vary widely, but for many SMBs, the cost of downtime, data loss, and recovery can be devastating. Ransom payments for Dharma attacks typically range from $500 to $10,000, but the real cost often comes from the disruption to business operations and the need to restore systems. Dharma’s reliance on RDP vulnerabilities makes it a persistent threat to organizations with weak remote access security, and its continued evolution means that new variants regularly emerge, posing a constant challenge for cybersecurity professionals.
Dharma (CrySiS) Ransomware Mitigation and Prevention
To defend against Dharma ransomware, organizations should implement the following security measures:
- Secure RDP Access: Ensure that remote desktop access is secured with strong passwords, multi-factor authentication (MFA), and restricted to essential personnel only.
- Patch Management: Regularly update and patch systems, especially those related to remote access protocols like RDP, to prevent attackers from exploiting vulnerabilities.
- Network Segmentation: Segment critical systems from general networks to minimize the damage caused by ransomware if an attack occurs.
- Data Backups: Maintain regular, offline backups of critical files to ensure that data can be restored in the event of a ransomware attack.
- User Training: Educate employees about the risks of weak passwords and remote access vulnerabilities to reduce the likelihood of compromise.
FAQs
- Why does Dharma primarily target small and medium-sized businesses?
Dharma’s reliance on RDP vulnerabilities makes it easier to target organizations with weaker cybersecurity defenses, which is often the case for small and medium-sized businesses. - How much does Dharma typically demand in ransom?
Ransom demands for Dharma attacks typically range from $500 to $10,000, though the exact amount depends on the size and revenue of the targeted organization. - What industries are most affected by Dharma ransomware?
Healthcare, hospitality, and professional services are among the industries most frequently targeted by Dharma ransomware due to their reliance on sensitive data and remote access systems.
Conclusion
Dharma (CrySiS) ransomware continues to be a persistent threat to organizations worldwide, particularly small and medium-sized businesses that rely on remote desktop access. Its reliance on RDP vulnerabilities makes it a relatively simple yet effective ransomware strain, and its continued evolution ensures that it remains a threat. Despite the availability of decryption tools for some Dharma variants, new versions regularly appear, making it essential for organizations to adopt strong cybersecurity measures, including securing remote access, maintaining regular backups, and patching vulnerabilities. With its wide-ranging impact and low ransom demands, Dharma is likely to remain a significant threat in the ransomware landscape.