Dharma Ransomware Source Code Shows up for Sale on Hacking Forums
The source code of Dharma, one of the most significant ransomware families, was recently put up for sale on two Russian hacker forums. At the RSA security conference, the FBI ranked Dharma as the second most lucrative ransomware operation, with more than $24 million in profits for cybercriminals; victims made these payments over a period of three years.
The source code is now on sale for the low price of $2000, which worries security researchers. A sale at that price could lead to the Dharma code leaking onto the public internet and reaching a wider audience, which would mean broader proliferation among cybercriminals and a surge of attacks using it in the future.
The reason for the current worry is the strong encryption employed by the Dharma ransomware, which has remained impossible to break since 2017. The only times files affected by the ransomware could be decrypted were when the hackers using it released master decryption keys; so far, no encryption flaws have been found to take advantage of.
The origins of the Dharma Ransomware
Dharma didn't always carry that name, as it was initially known as CrySiS back in the summer of 2016. CrySiS was an operation that worked as a ransomware-as-a-service. That allowed the customers (in this case, criminals) to generate their versions of the ransomware to spread to victims. It was often done via exploit kits, spam campaigns, and brute-force attacks on vulnerable RDP ports.
After someone leaked the master decryption keys of CrySiS in November 2016, the malware relaunched under the new Dharma name two weeks later. Although some of the Dharma master decryption keys were also leaked in March 2017, the Dharma operators avoided rebranding their malware and continued operations. They managed to turn their service into one of the most significant operations in the cybercriminal underworld.
New Dharma versions have appeared in the years since, as the ransomware receives updates and new customers spread it all over the world, each of them with their own unique Dharma variant due to the nature of the service.
Mass distribution of the ransomware was done via email spam, but it also involved targeted attacks. A new ransomware strain called Phobos appeared in the spring of 2019, and security researchers noticed that it was nearly identical to Dharma. The appearance of Phobos didn't slow down Dharma: both variants have been active ever since, with more or less equal distribution.
Phobos is also known as Phobos NextGen or Phobos NotDharma. It was first observed in 2017, with more reports following in 2019 as it began exploiting weak online security to attack individual users, large companies and more, since businesses made for more lucrative targets.