FortiGuard Labs’ ransomware roundup analyzes CrySIS/Dharma variants and their ongoing evolution, highlighting how new versions continue to appear under different operators. It outlines infection vectors (exposed RDP and phishing), execution details (startup persistence and MSHTA usage) and recommended Fortinet protections. #CrySIS #Dharma #RDP #MSHTA #Infohta
Key points
- CrySIS/Dharma is a long-running ransomware family that operates as Ransomware-as-a-Service (RaaS), with multiple variants due to leaked source code.
- Infection vectors include exposed Microsoft Remote Desktop Protocol (RDP) servers and phishing attachments masquerading as legitimate software (including AV vendors).
- Post-infection behavior includes setting the console to codepage 1251 to support Cyrillic languages and deleting shadow copies to hinder recovery.
- Persistence is achieved by copying a second copy of the ransomware to the Startup folder, ensuring execution on restart.
- All user files (excluding system files) are encrypted, with ransom notes and a unique victim ID displayed to the user.
- IOCs include multiple SHA-256 file hashes and dropped files like Info.hta and info.txt across various locations on the host.
MITRE Techniques
- [T1021.001] Remote Services – Exposed Microsoft Remote Desktop Protocol (RDP) servers used to gain initial access. Quote: ‘exposed Microsoft Remote Desktop Protocol (RDP) servers.’
- [T1566.001] Phishing – Delivered via phishing attachments masquerading as installation files for legitimate software, including AV vendors. Quote: ‘phishing with attachments disguised as installation files for legitimate software, including AV vendors.’
- [T1218.005] Signed Binary Proxy Execution: Mshta – Uses MSHTA to process and display a ransom note. Quote: ‘The malware launches the Microsoft HTML Application (MSHTA) to process and display a file called “Info.hta”.’
- [T1547.001] Boot or Logon Autostart Execution – Copies itself to the Startup folder to ensure execution after restart. Quote: ‘an additional copy of the ransomware is copied to the host’s “~\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup” folder to ensure it runs in the event the system is restarted before encryption has occurred.’
- [T1486] Data Encrypted for Impact – All files of interest are encrypted. Quote: ‘All files of interest, such as personal and operational documents (it does not touch system files), are then subjected to encryption.’
- [T1490] Inhibit System Recovery – Deletes shadow copies to hamper recovery. Quote: ‘it also deletes shadow copies of the system to hamper any attempts at recovery.’
Indicators of Compromise
- [SHA256] File-based IOCs – 419bc8196013d7d8c72b060da1a02d202d7e3eb441101f7bcb6d7667871a5c16, 5c2fb1c42f007093be5e463f70ee7e7192990b3385a3cbcc71043980efa312e0, 6a0017262def9565b504d04318c59f55bea136ac3dd48862d1ae90ff6b963811, b557bf11d82d3d64d028a87584657d25dba0480295ed08447f10c7a579dee048, b3984a2de76eee3ad20c4b13e0c0cbbab2dd6db65e3f6ca34418e79c21cf5c39, e9253218e30b30c8bb690b2ab02eef47b8b5c8991629d814b2af6664151e9a2f
- [File name] Info.hta – Info.hta file dropped and stored in multiple locations; it contains HTML ransom details.
- [File name] info.txt – info.txt containing contact instructions; dropped at C:\, C:\Users\Public\Desktop, and C:\Users\Desktop.
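The following host sweep is an added example, not FortiGuard Labs' tooling or anything from the roundup itself. It turns the indicators above into checks a responder can run against a mounted disk image or a live filesystem: SHA-256 matching against the listed hashes, the Info.hta / info.txt ransom-note names in any location, an executable sitting in a per-user Startup folder (the persistence described under T1547.001), and an mshta.exe command line that hands it an .hta file (T1218.005). The directory layout, the placeholder "payload.exe", the victim user name and the process command lines are constructed for the demonstration; no real sample is present, so the demo adds the placeholder file's own hash to the match set to exercise that code path.

```python
"""Host-level IoC sweep for the CrySIS/Dharma artifacts in the roundup above.
Added example, not the vendor's code. Sample data below is constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 hashes exactly as listed in the report's Indicators of Compromise.
CRYSIS_SHA256 = frozenset({
    "419bc8196013d7d8c72b060da1a02d202d7e3eb441101f7bcb6d7667871a5c16",
    "5c2fb1c42f007093be5e463f70ee7e7192990b3385a3cbcc71043980efa312e0",
    "6a0017262def9565b504d04318c59f55bea136ac3dd48862d1ae90ff6b963811",
    "b557bf11d82d3d64d028a87584657d25dba0480295ed08447f10c7a579dee048",
    "b3984a2de76eee3ad20c4b13e0c0cbbab2dd6db65e3f6ca34418e79c21cf5c39",
    "e9253218e30b30c8bb690b2ab02eef47b8b5c8991629d814b2af6664151e9a2f",
})

# Ransom-note file names the report says are dropped in multiple locations.
RANSOM_NOTE_NAMES = {"info.hta", "info.txt"}

# File types that do not normally belong in a per-user Startup folder.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}

# Tail of the Startup path quoted in the report (compared case-insensitively).
STARTUP_TAIL = ["microsoft", "windows", "start menu", "programs", "startup"]

# Relative location of the constructed placeholder used by the demo tree.
DEMO_PAYLOAD = Path("Users/victim/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/payload.exe")


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def is_startup_folder(directory: Path) -> bool:
    """True when the directory ends in ...\\Microsoft\\Windows\\Start Menu\\Programs\\Startup."""
    parts = [p.lower() for p in directory.parts]
    return len(parts) >= len(STARTUP_TAIL) and parts[-len(STARTUP_TAIL):] == STARTUP_TAIL


def sweep(root: Path, known_hashes=CRYSIS_SHA256) -> dict:
    """Walk a filesystem tree and collect the three kinds of file-based findings."""
    findings = {"hash_matches": [], "ransom_notes": [], "startup_executables": []}
    for dirpath, _dirnames, filenames in os.walk(root):
        directory = Path(dirpath)
        for name in filenames:
            path = directory / name
            if name.lower() in RANSOM_NOTE_NAMES:
                findings["ransom_notes"].append(str(path))
            if is_startup_folder(directory) and path.suffix.lower() in EXECUTABLE_SUFFIXES:
                findings["startup_executables"].append(str(path))
            try:
                if sha256_of(path) in known_hashes:
                    findings["hash_matches"].append(str(path))
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
    return findings


def suspicious_mshta(cmdline: str) -> bool:
    """Flag a process command line where mshta.exe is given an .hta file to render,
    which is how the report says the Info.hta ransom note is displayed."""
    lowered = cmdline.lower()
    return "mshta" in lowered and ".hta" in lowered


def build_demo_tree() -> Path:
    """Constructed sample layout mirroring the drop locations in the report. No real malware."""
    root = Path(tempfile.mkdtemp(prefix="crysis_demo_"))
    payload = root / DEMO_PAYLOAD
    payload.parent.mkdir(parents=True)
    payload.write_bytes(b"MZ placeholder, not a real sample")
    for rel, body in [
        ("Users/Public/Desktop/info.txt", "constructed contact note"),
        ("Users/victim/Desktop/Info.hta", "<html>constructed ransom page</html>"),
        ("Users/victim/Documents/report.docx", "benign document"),
    ]:
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    # Add the placeholder's hash so the hash-match path is exercised without a real sample.
    hashes = CRYSIS_SHA256 | {sha256_of(demo_root / DEMO_PAYLOAD)}
    for kind, hits in sweep(demo_root, hashes).items():
        print(f"{kind}: {hits}")
    print("mshta alert:", suspicious_mshta(r'"C:\Windows\System32\mshta.exe" "C:\Users\victim\Desktop\Info.hta"'))
```

Point `sweep()` at the root of a mounted image (or a specific drive) with the default hash set for a real run; the Startup and ransom-note checks need no sample, so they still fire on a variant whose hash is not in the list. `suspicious_mshta()` is meant to be fed process-creation command lines from EDR or Sysmon event data.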