July 5, 2021 — Acronis

Threat analysis: Dharma (CrySiS) ransomware

Cyber Protect Cloud

Summary

  • Dharma has been known since 2016 as the CrySiS ransomware family
  • Dharma employs a ransomware-as-a-service (RaaS) model
  • The analyzed sample was discovered in early March 2021, and contains the debug string c:\crysis\release\pdb\payload.pdb — pointing to CrySiS as the parent ransomware family
  • This variant of Dharma ransomware appends a .biden file extension

Attack vector

Dharma ransomware (a.k.a. CrySiS) is used in targeted attacks, and is delivered by cybercriminals manually through Remote Desktop Protocol (RDP) connections, typically by exploiting leaked or weak credentials.

Deobfuscation and runtime linking

Once launched, the malware uses the RC4 encryption algorithm to decrypt strings with the names of the imported functions. The RC4 key size is 128 bytes:

4FFFC580AA882DBA5B59B556B324D06A09ADA8A303F00F46073C034C1736166DBF75F6C918DB44CDD25727A9A8725814B300EAE73FF36D49F45B092F459049CBD2117B56B8D745BBD30DC9E0F76D99A106175CB0A72BE1222D31B970B3B9C79718C5938171C04B7C8C39609B3C405824C75A1986D432145D21CE7E7087B2D7F1

The decrypted strings are used to obtain the addresses of imported functions during runtime linking.

The same encryption algorithm (RC4) is used to decrypt the strings necessary for code execution.

Installation

To start its process as 32-bit on any platform, Dharma disables redirection of the file system to WOW64 using the procedure Wow64DisableWow64FsRedirection().

The malware then copies its original file to the Windows %System% folder, preserving the original file name:

%System%\<original_file_name>.exe  

To automatically start on system boot, Dharma specifies the path to its file in the autorun key of the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

<original_file.name>.exe = %System%\<original_file_name>.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

<original_file.name>.exe = %System%\<original_file_name>.exe

It also reads the values ​​of the “Startup” parameter of the following keys in the system registry:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]

and determines the path to the Startup folder. Then, it copies its original file there:

%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\<original_file_name>.exe

Next, Dharma determines the name of another Startup folder by reading the value of the parameter “Common Startup” in the following keys:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]

And copies its file to this folder:

%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\<original_file_name>.exe

Payload

Dharma creates mutexes with the following names to ensure that only one instance of ransomware is running in the system:

Global\\syncronize_FQBL57A

Global\syncronize_FQBL57U

Dharma determines the Windows version. If the version is lower than Windows Vista, the malware exits. It also checks for the presence of the mutexes mentioned above. If no mutexes have been created, it exits.

To unlock database files, Dharma first attempts to stop the following database services:

  • FirebirdGuardianDefaultInstance
  • FirebirdServerDefaultInstance
  • sqlwriter
  • mssqlserver
  • sqlserveradhelper

It also tries to stop any processes with the following names:

  • 1c8.exe
  • 1cv77.exe
  • outlook.exe
  • postgres.exe
  • mysqld-nt.exe
  • mysqld.exe
  • sqlservr.exe

After that, the ransomware starts cmd.exe and sends the command through a pipe that sets the “Windows-1251” code page. Dharma also deletes file backups (Shadow Copies) using the vssadmin tool.

mode con cp select = 1251 

vssadmin delete shadows / all / quiet

Exit

Dharma performs the following actions in separate threads:

  • Searches and terminates processes, as well as stops the services described earlier.
  • Gets a serial number of a system disk using the function GetVolumeInformationW(). Next, the hash is calculated for the serial number using SHA1 algorithm — the resulting hash is used as a key for RC4 encryption.

  • Encrypts files in four threads.
  • Performs a recursive search for files on all logical drives and checks if they are located in %WinDir%.
  • Searches for all available network resources and tries to encrypt files in public shares:

File encryption

Dharma first receives a list of files on the victim's computer for encryption, excluding the ones in %WinDir%. The ransomware also skips the files with the following names and extensions:

boot.ini

bootfont.bin

ntldr

ntdetect.com

Io.sys

Manual.txt

Info.hta

.exe

File encryption is performed with AES-256 in CBC mode using a 256-bit encryption key as well as a 128-bit initialization vector, which are generated separately for each file. Key generation is done using pseudo-random values based on the current timestamp, SHA1 hashing, and RC4 algorithm.

To load the master public RSA key, Dharma decrypts the modulus and exponent values ​​from its body.

RSA modulus:

Exponent: 65537 (0x10001)

The RSA_pub_key_new() function is then used to import the master public RSA key:

The generated 256-bit file key (AES) is encrypted with the master public 1024-bit key (RSA).

Presumably, SHA1 hashing is used to verify the integrity of the loaded RSA key data.

Dharma encrypts files with the following extensions:

 .1cd, .3ds, .3fr, .3g2, .3gp, .7z, .accda, .accdb, .accdc, .accde, .accdt, .accdw, .adb, .adp, .ai, .ai3, .ai4 , .ai5, .ai6, .ai7, .ai8, .anim, .arw, .as, .asa, .asc, .ascx, .asm, .asmx, .asp, .aspx, .asr, .asx ;. avi, .avs, .backup, .bak, .bay, .bd, .bin, .bmp, .bz2, .c, .cdr, .cer, .cf, .cfc, .cfm, .cfml, .cfu, .chm, .cin, .class, .clx, .config, .cpp, .cr2, .crt, .crw, .cs, .css, .csv, .cub, .dae, .dat, .db, .dbf , .dbx, .dc3, .dcm, .dcr, .der, .dib, .dic, .dif, .divx, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm ;. dotx, .dpx, .dqy, .dsn, .dt, .dtd, .dwg, .dwt, .dx, .dxf, .edml, .efd, .elf, .emf, .emz, .epf, .eps, .epsf, .epsp, .erf, .exr, .f4v, .fido, .flm, .flv, .frm, .fxg, .geo, .gif, .grs, .gz, .h, .hdr, .hpp , .hta, .htc, .htm, .html, .icb, .ics, .iff, .inc, .indd, .ini, .iqy, .j2c, .j2k, .java, .jp2, .jpc ;. jpe, .jpeg, .jpf, .jpg, .jpx, .js, .jsf, .json, .jsp, .kdc, .kmz, .kwm, .lasso, .lbi, .lgf, .lgp, .log, .m1v, .m4a, .m4v, .max, .md, .mda, .mdb, .mde, .mdf, .mdw, .mef, .mft, .mfw, .mht, .mhtml, .mka, .mkidx , .mkv, .mos, .mov, .mp3, .mp4, .mpeg, .mpg, .mpv, .mrw, .msg, .mxl, .myd, .myi, .nef, .nrw, .obj ;. odb, .odc, .odm, .odp, .ods, .oft, .one, .onepkg, .onetoc2, .o pt, .oqy, .orf, .p12, .p7b, .p7c, .pam, .pbm, .pct, .pcx, .pdd, .pdf, .pdp, .pef, .pem, .pff, .pfm, .pfx, .pgm, .php, .php3, .php4, .php5, .phtml, .pict, .pl, .pls, .pm, .png, .pnm, .pot, .potm, .potx, .ppa , .ppam, .ppm, .pps, .ppsm, .ppt, .pptm, .pptx, .prn, .ps, .psb, .psd, .pst, .ptx, .pub, .pwm, .pxr ;. py, .qt, .r3d, .raf, .rar, .raw, .rdf, .rgbe, .rle, .rqy, .rss, .rtf, .rw2, .rwl, .safe, .sct, .sdpx, .shtm, .shtml, .slk, .sln, .sql, .sr2, .srf, .srw, .ssi, .st, .stm, .svg, .svgz, .swf, .tab, .tar, .tbb , .tbi, .tbk, .tdi, .tga, .thmx, .tif, .tiff, .tld, .torrent, .tpl, .txt, .u3d, .udl, .uxdc, .vb, .vbs, .vcs, .vda, .vdr, .vdw, .vdx, .vrp, .vsd, .vss, .vst, .vsw, .vsx, .vtm, .vtml, .vtx, .wb2, .wav, .wbm, .wbmp, .wim, .wmf, .wml, .wmv, .wpd, .wps, .x3f, .xl, .xla, .xlam, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xps, .xsd, .xsf, .xsl, .xslt, .xsn, .xtp, .xtp2, .xyze, .xz, .zip

When encrypting a file, Dharma creates a new file named according to the following structure:

<original_file_name>.id-<system_drive_serial_number>.[Biden@cock.li].biden

For example:

C:\$Recycle.Bin\S-1-5-21-383105749-3731635299-3148139564-1000\desktop.ini.id-4AFE57F0.[biden@cock.li].biden

The structure of the encrypted file:

If the size of the encrypted file is more than 1 MB, the file is partially encrypted. The ransomware encrypts only three chunks of 0x40000 bytes.

Ransom note

Dharma extracts ransom notes from itself and saves them in Startup folders:

%AppData%\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

%ProgramData%\Microsoft\Windows\Start Menu\Programs\Startup\Info.hta

The note appears as follows:

Dharma also creates a text file in the root folder of the system drive:

C:\MANUAL.txt

with the following content:

Detection by Acronis

The Dharma ransomware is successfully detected by Acronis.

Conclusion

Unfortunately, the employed encryption scheme with symmetric (AES-256-CBC) and asymmetric encryption (RSA-1024) doesn’t leave victims a chance of decrypting the files without paying a ransom. Dharma ransomware establishes persistence by copying itself to Startup folders and adding references to the autorun keys, and it terminates database processes and services in order to unlock database files. These techniques help attackers to enact more serious damage on infected systems.

IoCs

MD5: 36f3b91b2a6a25482768e7d2879d1f1d

SHA-1: f3333282887287bafa487c211cfda4cbe88c4811

e3ed533612d8066345c6fe7831a4db770ba3a2c5833bad0f27abe545eefaceb8

SHA-256: e3ed533612d8066345c6fe7831a4db770ba3a2c5833bad0f27abe545eefaceb8