Rewterz Threat Advisory – New ‘Brrr’ Variant of Dharma Ransomware released

A new variant of the Dharma Ransomware has been identified that appends the .brrr extension to encrypted files.

IMPACT:  CRITICAL

PUBLISH DATE:  17-09-2018

OVERVIEW

The new variant Brrr of the Dharma ransomware is dropped by hacking Remote Desktop services that are directly connected to the internet. After encryption, it sends two ransom notes explaining how to proceed with payments.  Unfortunately, there is no free way to decrypt files infected with the Dharma Brrr Ransomware variant. Therefore, taking precautions is extremely important.

ANALYSIS

This Brrr variant along with the entire Dharma ransomware family needs manual installation by attackers who hack into Remote Desktop Services connected directly to the Internet. These attackers scan the internet to find the computers running RDP, usually on TCP port 3389, and then attempt to gain access of the computer through brute force. Known credentials can also be bought from some underground sites for publicly available computers that run remote desktop services.

Once having the access, they can install the ransomware which will proceed to encrypt the computer. The Brrr variant will append an extension in the format of .id-[id].[email].brrr when encrypting a file. For example, a file called test.jpg would be encrypted and renamed to test.jpg.id-BCBEF350.[paydecryption@qq.com].brrr.

Mapped network drives, shared virtual machine host drives, and unmapped network shares can be the potential target. Therefore, securing your network’s shares from unauthorized access is important.

This variant creates two different ransom notes on the targeted computer. One is the Info.hta file launched by an autorun when a user logs into the computer.  The HTML version of the ransom note can be seen below.

It says:

“All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paydecryption@qq.com

Write this ID in the title of your message [id]

In case of no answer in 24 hours write us to these e-mails: paydecryption@qq.com

You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee

Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non-archived), and files should not contain valuable information. (databases, backups, large excel sheets, etc.)

How to obtain Bitcoins

The easiest way to buy bitcoins is Local Bitcoins site. You have to register, click ‘Buy bitcoins’, and select the seller by payment method and price.

https://localbitcoins.com/buy_bitcoins

Also, you can find other places to buy Bitcoins and beginners guide here:

http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention! Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss.”

The other note is called FILES ENCRYPTED.txt and can be found on the desktop.

Both of the ransom notes communicate what has happened to the files and how to proceed for getting them decrypted.

The ransomware configuration will automatically execute it when you log-in to Windows, attempting to encrypt any new files created since the last execution.

INDICATORS OF COMPROMISE

MITIGATION

• Always keep a reliable and tested backup of your data elsewhere.
• Remote Desktop services should be locked down correctly.
• No computers running remote desktop services should be connected directly to the Internet. Instead, connect them through VPN.
• Enforce strict policies for account lock out to save it from brute force.
• Install good quality security software that tracks behavioral changes.
• Be cautious while handling email attachments. Only trust attachments from verified sources and use document scanner to search for viruses before downloading it.
• Make sure all software are updated to avoid all security vulnerabilities coming from outdated software.