Tuesday, May 14, 2019

New Version of Dharma Ransomware Masquerades as ESTV Anti-Virus Attached to a Warning Email

In the never-ending battle against malware, there is a new variant in the ransomware realm.  The malware itself, called Dharma, has been around for a while, but what is different this time around is how the payload is delivered.

Usually with ransomware there is some type of user action required to get it installed.  Often it is a phishing email that tricks the user into opening a file, which then installs Dharma.  This time the perpetrators have tried something even more nefarious.  The user receives an email that appears to be from a trusted source such as Microsoft and warns the user that their "computer is at risk".  It makes a doom-and-gloom claim that the machine has already been infected and that the only way to fix it is to download and install new antivirus software, which is conveniently attached.

The email looks and reads like a legitimate notice and fools the recipient into downloading and double-clicking the attached file.  What happens next is that the antivirus (an old version of a real AV product, bundled into the attachment as a decoy) begins to install, and at the same time the Dharma ransomware installs in the background.  Since the user believes the AV software is making beneficial changes to the computer, they don't think twice about windows opening and closing, disk activity, and so on.  Unfortunately, when the process is over, the user is faced with a ransom note explaining that their data has been encrypted and how they can pay to get it decrypted.

This is a textbook instance of good social engineering.  The attackers catch you off guard, present a very strong threat that must be acted upon immediately, and hide their tracks behind a genuine-looking AV install.  The entire time, the user is in actuality doing the bad guys' job for them by running the attachment with their own privileges.

The moral of the story is NEVER to open a file you are not expecting, even when the sender appears to be a trusted company.  Legitimate vendors do not email unsolicited security software as an attachment; if you really do need antivirus software, get it only from the vendor's own website.  Always research these kinds of warnings independently by searching Google or another reputable search engine before acting on them.  Vigilance is important to prevent these types of disasters!

Trend Micro was the company that discovered this new variation.  You can read their blog post about it here.
