Ransomware is now becoming increasingly automated
Unsophisticated Iranian hackers are now attacking company networks with ransomware, a cyber-security firm commented.
The attackers have been using Dharma ransomware “& a mix of publicly available tools” to target companies in Russia, Japan, China & India, cyber-security firm Group-IB said earlier this week.
Dharma ransomware, which is becoming popular with cyber-criminals, is typically installed by hacking into computers over Remote Desktop Protocol (RDP), a Microsoft-developed technology for connecting to other computers over a network.
After first scanning the Internet for computers exposing RDP, the hackers then try to ‘brute force’ the password by trying many passwords in the hope that one eventually works.
Once access is obtained, the attackers install the ransomware, which encrypts the computer & locks out its users. Often, the attackers also try to encrypt other computers on the network.
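As an added example (not part of the article or of Group-IB's report), the following detection logic shows the defender's view of the password-guessing step described above: it scans constructed Windows Security log records (Event ID 4625 failed logon, 4624 successful logon, LogonType 10 for RDP), flags a source address that fails against many accounts within a short window, and notes whether a successful logon followed. The threshold of five failures in one minute and the sample addresses are assumptions chosen for the illustration.

```python
"""Flag RDP password-guessing bursts in Windows Security log records.
Added example, not from the article or Group-IB; the records are constructed
to resemble Event ID 4625/4624 with LogonType 10 (RemoteInteractive, i.e. RDP)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, event_id, logon_type, account, source_ip)
SAMPLE_EVENTS = [
    ("2020-08-26T09:00:01", 4625, 10, "administrator", "203.0.113.7"),
    ("2020-08-26T09:00:03", 4625, 10, "admin", "203.0.113.7"),
    ("2020-08-26T09:00:05", 4625, 10, "backup", "203.0.113.7"),
    ("2020-08-26T09:00:06", 4625, 10, "user1", "203.0.113.7"),
    ("2020-08-26T09:00:09", 4625, 10, "scanner", "203.0.113.7"),
    ("2020-08-26T09:00:12", 4624, 10, "backup", "203.0.113.7"),  # success after the burst
    ("2020-08-26T09:02:00", 4625, 10, "jsmith", "198.51.100.4"),  # single mistyped password
    ("2020-08-26T09:03:00", 4625, 2, "svc", "10.0.0.5"),          # interactive logon, not RDP
]

def find_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=1)):
    """Return {source_ip: {"failures", "accounts", "followed_by_success"}} for each
    source with at least `threshold` RDP logon failures inside `window`."""
    failures = defaultdict(list)   # ip -> [(time, account)]
    successes = defaultdict(list)  # ip -> [time]
    for ts, event_id, logon_type, account, ip in events:
        if logon_type != 10:       # only RemoteInteractive (RDP) logons are of interest
            continue
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            failures[ip].append((t, account))
        elif event_id == 4624:
            successes[ip].append(t)
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            # sliding window anchored at each failure
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            if len(in_window) >= threshold:
                last = in_window[-1][0]
                alerts[ip] = {
                    "failures": len(in_window),
                    "accounts": sorted({acct for _, acct in in_window}),
                    # a success right after a burst is the high-priority signal
                    "followed_by_success": any(s >= last for s in successes[ip]),
                }
                break
    return alerts
```

Only the source that guessed five accounts in eight seconds is reported, and it is marked as having achieved a logon afterwards; the lone failure and the non-RDP logon are ignored.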
Dharma, also known as Crysis, has been distributed under a ransomware-as-a-service system since at least 2016. Group-IB further added, “Its source code popped up for sale in March 2020 making it available to a wider audience.”
All the organisations affected by the ransomware had weak credentials, Group-IB commented, so it was relatively easy to access the computers. Exposing RDP on its default port, 3389, is also not a safe practice & leaves a computer vulnerable, Group-IB outlined.
The hackers usually asked for a ransom of 1-5 Bitcoins. As of Wed., 1 bitcoin was worth over $11,000.
“The newly discovered hacker group suggests that Iran, which has been known as a cradle of state-sponsored APT groups for years, now also accommodates financially motivated cyber-criminals,” Group-IB said.
“Interestingly, the threat actors likely didn’t have a clear plan on what to do with the compromised networks,” according to Group-IB. The hackers often turned to software sharing websites in order to disable antivirus software.
“For instance, to disable built-in antivirus software, the attackers used Defender Control & Your Uninstaller. The latter was downloaded from an Iranian software sharing website,” Group-IB said.
Advanced Port Scanner
To scan for accessible hosts in the compromised network, the hackers then used Advanced Port Scanner, another publicly available tool.
“It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage,” Oleg Skulkin, a Senior Digital Forensics specialist at Group-IB, wrote in the blog.
However, this kind of amateur hacking could become more common, experts have warned. “Since 2017-2018, the cyber-crime ecosystem has evolved to automate, simplify, & monetise the entire process of breaching companies & deploying ransomware,” ZDNet reported.