Iranian hackers target international companies with Dharma ransomware

Companies in Russia, China, India, and Japan hit by Dharma ransomware with ransom demands of 1-5 Bitcoin

Iranian hackers target international companies with ransomware threat. The group of hackers released a new campaign^[1] involving a well-known Dharma ransomware threat.^[2] Security form Group-IB identified cybercriminals as low-skilled attackers and claim they are working from Iran.^[3] Hackers aim to encrypt files and get payments from victims by exploiting RDP servers, so the payload of cryptovirus can be launched.

Using publicly available tools, hackers, aim to affect various companies in Russia, Japan, India, and China. However, experts claim that these criminals are money-driven but non-sophisticated and new to this field of serious cybercrime. Especially, when the ransom demand only goes up to $50,000, which is pretty much half of the amount typically asked from businesses and enterprises.

Researchers identified this cybercriminal group in June when the incident at the company in Russia was investigated. During the forensic analysis, attackers were identified as Persian-speaking hackers, supposedly new to the field.

Open-source tools used to find exposed RDP connections

Victims of this threat were found by scanning the IP address ranges. During the process, particular exposed remote desktop connections get found and can be used to break on the network. Also, tools like Masscan, an open-source port scanner, can be employed at this stage of the attack.^[4]

Then the brute-force attack with NLBrute utility can list RDP passwords and find a combination that works. Various security vulnerabilities can also be exploited, especially when it comes to Windows operating systems. It is a common feature and method used for spreading ransomware threats around.^[5]

The conclusion about the lack of experience based on steps of the attack

Researchers investigating this Dharma ransomware campaign state that the lack of confidence in some of the operations indicates the “newbie hacker” behind this campaign. Low sophistication level, simple tactics, and publicly-available hacking tools employed to achieve the infection make researchers believe that the attacker is not experienced. Even though, there is no particular number of victims affected by the threat.

Interestingly, the threat actors likely didn’t have a clear plan on what to do with the compromised networks. Once they established the RDP connection, they decide on which tools to deploy to move laterally.

Dharma ransomware operators provide a toolkit that allows anyone to become a cybercriminal, so it is not a surprise that random individuals aimed to deploy the file-encrypting malware for the purpose of gaining money. The source code for this ransomware was leaked back in march so that explains the rider use of the particular extortion-based virus strain.

The association with Iranian hackers and ransomware is not that common. Typically, hackers aim go gain sensitive information, groups are mainly state-sponsored^[6] and select different targets.

It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage.