Sophos: Dharma Ransomware-as-a-Service Targets SMBs

Cybercriminals are increasingly using Dharma ransomware-as-a-service (RaaS) attacks against small and medium-sized businesses (SMBs) this year, according to British cybersecurity company Sophos. During these attacks, hackers are leveraging various iterations of Dharma source code that have been dumped online or offered for sale.

Approximately 85 percent of Dharma attacks against SMBs in 2020 have been used to expose access tools like remote desktop protocol (RDP), ransomware recovery company Coveware reported. In addition, the average Dharma ransom demand was $8,620; comparatively, the average ransom payment in the first quarter of 2020 was $44,021, Coveware stated.

How Do Dharma RaaS Attacks Work?

Dharma represents "fast-food franchise ransomware," due to the fact that it uses a mass-market, service-based business model, Sophos Senior Threat Researcher Sean Gallagher said. As such, Dharma has quickly become one of the world's most profitable ransomware families — and a top choice to use against SMBs.

Cybercriminals frequently use open-source tools and freeware versions of commercial tools during Dharma attacks, Sophos noted. They also may leverage a menu-driven PowerShell script that installs and launches components required to spread Dharma across an SMB's network.

Furthermore, Dharma attacks use a complex decryption process, Sophos said. After a victim pays a Dharma ransom and requests a recovery key, it is given a tool that extracts the details of any encrypted files. Next, a second decryption key is provided to the victim.

How to Guard Against Dharma Attacks

Sophos offered the following recommendations to help SMBs guard against Dharma attacks:

There is no "single silver bullet" for cybersecurity, Sophos stated. But, with a layered security model, SMBs are well-equipped to identify and address ransomware and other cyberattacks before they cause long-lasting damage.