Ransomware poses as anti-virus software to infect victims

A successful family of ransomware called Dharma is now trying to infect victims by posing as anti-virus software. Specifically, the malware presents itself as an old version of security company ESET.

Dharma first appeared in 2016 and is responsible for several major incidents, including the encryption of a hospital network in Texas last year, reports ZDNet. The group behind Dharma updates its campaigns regularly to ensure that the attacks remain effective and continue to provide the best opportunity to collect ransom in exchange for decrypting networks and files on Windows systems.

Operation

The cyber-attacks have now been updated again. Dharma is now starting with phishing emails, which claim to be from Microsoft. The mail states that the user’s Windows PC is at risk and “damaged” due to “unusual behavior”. The user is then advised to “update and verify” their anti-virus software via a download link.

If the user clicks on that link, the ransomware retrieves two downloads. First of all, that’s the payload of the Dharma-ransomware. In addition, an old version of anti-virus software from security company ESET will be downloaded. As soon as the files are automatically extracted, Dharma starts encrypting files in the background.

The user is prompted to follow the installation instructions for ESET AV remover. The interface is shown on the desktop and requires interactions from users during the installation process. In this way, the user is distracted from the malicious activity. Once the installation is complete, the user will find a message requiring a ransom in the form of a crypto currency in exchange for releasing the files.

Appearance

Researchers advise organizations to adopt good cybersecurity hygiene to prevent them from falling victim to Dharma and similar threats. This includes securing e-mail gateways, making regular backups and keeping systems and applications up to date.