This ransomware sneakily infects victims by disguising itself with anti-virus software

This file-locking malware family has evolved a new tactic which abuses trust to create new ransomware victims.
Written by Danny Palmer, Senior Writer

A successful family of ransomware which has been terrorising organisations around the world has been updated with a new trick to lure victims into installing file-locking malware: posing as anti-virus software.

Dharma first emerged in 2016 and the ransomware has been responsible for a number of high-profile cyber incidents, including the takedown of a hospital network in Texas late last year.

The group behind Dharma regularly look to update their campaigns in order to ensure the attacks remain effective and they have the best chance of extorting ransom payments in exchange for decrypting locked networks and files of Windows systems.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  

Now the cyberattacks have evolved again and cybersecurity researchers at Trend Micro have detailed a new means of the Dharma being deployed: by bundling it inside a fake anti-virus software installation.

Like many ransomware campaigns, Dharma attacks start off with phishing emails. The messages claim to be from Microsoft and that the victim's Windows PC is 'at risk' and 'corrupted' following 'unusual behaviour', urging the user to 'update and verify' their anti-virus by accessing a download link.

If the user follows through, the ransomware retrieves two downloads: the Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.

When the self-extracting archive runs, Dharma begins encrypting files in the background while the user is asked to follow installation instructions for ESET AV remover – the interface is displayed on their desktop and requires user interaction during the installation process, acting as a distraction from the malicious activity.

Once the installation is complete, the victim will find themselves confronted with a ransom note, demanding a cryptocurrency payment in exchange for unlocking the files.

"The article describes the well-known practice for malware to be bundled with legitimate application(s). In the specific case Trend Micro is documenting, an official and unmodified ESET AV Remover was used. However, any other application could be used this way," said an ESET statement, after being informed about the research by Trend Micro.

While not as high profile as it was during the height of attacks like WannaCry and NotPetya in 2017, ransomware still remains a threat to organisations as attackers continue to develop and deploy new tactics and variants of the file-locking malware.

"As proven by the new samples of Dharma, many malicious actors are still trying to upgrade old threats and use new techniques. Ransomware remains a costly and versatile threat," said Raphael Centeno, security researcher at Trend Micro.

To avoid falling victim to Dharma and similar threats, researchers recommend that organisations adopt good cybersecurity hygiene, such as securing email gateways, regularly backing up files, and keeping systems and applications patched and updated.

The Indicators of Compromise for this Dharma campaign have been shared in the Trend Micro analysis of the attack.


Editorial standards