September 1, 2020
Unsophisticated Iranian hackers are attacking company networks with ransomware, a cybersecurity firm said.
The attackers have been using Dharma ransomware “and a mix of publicly available tools” to target companies in Russia, Japan, China and India, cybersecurity firm Group-IB said earlier this week.
Dharma ransomware, which is gaining popularity with cybercriminals, is typically installed by breaking into computers over Remote Desktop Protocol (RDP) – a Microsoft-developed technology for connecting to other computers over a network.
After scanning the Internet for computers running RDP, hackers will then try to brute force the password – trying multiple passwords hoping that one eventually works.
Once access is gained, the attackers will install the ransomware, which encrypts the computer and locks out the users. Often, the attackers also try to encrypt other computers on the network.
Dharma, also known as Crysis, has been distributed under a ransomware-as-a-service model since at least 2016. Group-IB added, “Its source code popped up for sale in March 2020 making it available to a wider audience.”
All the organizations hit by the ransomware had weak credentials, Group-IB said, meaning that it was relatively easy to access the computers. For example, using the default RDP port 3389 is not a safe practice and leaves a computer vulnerable, Group-IB explained.
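One way a defender can spot the brute-force step described above in a host's own logon records, as an added example that is not code from the article or from Group-IB's report: the script below counts failed RDP logons (Windows Security event 4625 with logon type 10, i.e. RemoteInteractive) per source address inside a short window and notes whether a successful logon (event 4624) from the same address followed, which is the "one password eventually works" outcome against weak credentials. The log lines, field layout and threshold are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the article) in a flattened form of the
# Windows Security log fields: timestamp|EventID|LogonType|account|source IP.
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
SAMPLE_EVENTS = """\
2020-08-25T02:14:01|4625|10|administrator|203.0.113.7
2020-08-25T02:14:03|4625|10|administrator|203.0.113.7
2020-08-25T02:14:06|4625|10|administrator|203.0.113.7
2020-08-25T02:14:09|4625|10|administrator|203.0.113.7
2020-08-25T02:14:12|4625|10|administrator|203.0.113.7
2020-08-25T02:14:15|4625|10|administrator|203.0.113.7
2020-08-25T02:14:40|4624|10|administrator|203.0.113.7
2020-08-25T09:00:00|4625|10|jsmith|198.51.100.9
2020-08-25T09:00:30|4624|10|jsmith|198.51.100.9
"""

def parse_events(text):
    """Parse the flattened log lines into dicts with typed fields."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, user, ip = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "id": int(eid),
                       "type": int(ltype), "user": user, "ip": ip})
    return events

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source IPs with >= threshold failed RDP logons inside `window`,
    and note whether a successful RDP logon from that IP followed the burst."""
    by_ip = defaultdict(list)
    for e in events:
        if e["type"] == 10:           # RemoteInteractive = RDP session logons only
            by_ip[e["ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["id"] == 4625]
        best, start = 0, 0
        for end in range(len(fails)):  # sliding window over failure timestamps
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_fail = fails[-1]["ts"]
            success = any(e["id"] == 4624 and e["ts"] > last_fail for e in evs)
            findings[ip] = {"failures": best, "success_after": success}
    return findings
```

On the sample data only 203.0.113.7 is flagged (six failures in fourteen seconds, then a success); the single mistyped password from 198.51.100.9 stays below the threshold.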
The hackers typically demanded a ransom between one and five Bitcoin. As of Wednesday, one bitcoin was worth over $11,000.
“The newly discovered hacker group suggests that Iran, which has been known as a cradle of state-sponsored APT groups for years, now also accommodates financially motivated cybercriminals,” Group-IB said.
“Interestingly, the threat actors likely didn’t have a clear plan on what to do with the compromised networks,” according to Group-IB. The hackers often turned to software sharing websites in order to disable antivirus software.
“For instance, to disable built-in antivirus software, the attackers used Defender Control and Your Uninstaller. The latter was downloaded from an Iranian software sharing website,” Group-IB said.
To scan for accessible hosts in the compromised network, the criminals used Advanced Port Scanner, another publicly available tool.
“It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage,” Oleg Skulkin, a senior digital forensics specialist at Group-IB, wrote in the blog post.
However, this kind of amateur hacking could become more prevalent, experts have warned. “Since 2017-2018, the cybercrime ecosystem has evolved to automate, simplify, and monetize the entire process of breaching companies and deploying ransomware,” ZDNet reported.