
Sophos: Dharma Ransomware-as-a-Service Targets SMBs


Cybercriminals are increasingly using Dharma ransomware-as-a-service (RaaS) attacks against small and medium-sized businesses (SMBs) this year, according to British cybersecurity company Sophos. During these attacks, hackers are leveraging various iterations of Dharma source code that have been dumped online or offered for sale.

Approximately 85 percent of Dharma attacks against SMBs in 2020 have been used to expose access tools like remote desktop protocol (RDP), ransomware recovery company Coveware reported. In addition, the average Dharma ransom demand was $8,620; comparatively, the average ransom payment in the first quarter of 2020 was $44,021, Coveware stated.

How Do Dharma RaaS Attacks Work?

Dharma represents "fast-food franchise ransomware," due to the fact that it uses a mass-market, service-based business model, Sophos Senior Threat Researcher Sean Gallagher said. As such, Dharma has quickly become one of the world's most profitable ransomware families — and a top choice to use against SMBs.

Cybercriminals frequently use open-source tools and freeware versions of commercial tools during Dharma attacks, Sophos noted. They also may leverage a menu-driven PowerShell script that installs and launches components required to spread Dharma across an SMB's network.

Furthermore, Dharma attacks use a complex decryption process, Sophos said. After a victim pays a Dharma ransom and requests a recovery key, the victim is given a tool that extracts the details of any encrypted files. Next, a second decryption key is provided to the victim.

How to Guard Against Dharma Attacks

Sophos offered the following recommendations to help SMBs guard against Dharma attacks:

  • Deactivate Internet-facing RDP.
  • Ensure all network devices receive regular security updates.
  • Back up data to an offline storage device.
  • Watch for the warning signs of a ransomware attack.

There is no "single silver bullet" for cybersecurity, Sophos stated. But, with a layered security model, SMBs are well-equipped to identify and address ransomware and other cyberattacks before they cause long-lasting damage.

Dan Kobialka
