A new malicious campaign has emerged that delivers the Dharma ransomware, mostly targeting Italian users. Dharma, also known as CrySIS ransomware, first appeared in 2016 and has since evolved into several variants and is increasingly active. As usual, Dharma is distributed through malicious e-mails. In this case the user receives an e-mail with the subject "Invoice no. 637 of 14.01.20" containing a link which, if clicked, leads to a OneDrive page that downloads a zip archive called "New 2.zip document" containing two files:
- a VBS script, "New 2.vbs document"
- a jpg file called "yuy7z"
If the user runs the "New 2.vbs document" VBS script, several malware payloads are downloaded and installed. Furthermore, as reported by the researchers, the ransomware appends the .ROGER extension to the encrypted files, and the ransom note invites the victim to contact the address sjen6293@gmail.com to receive payment instructions.
Dharma Ransomware Signatures
Family: TrojanDownloader:VBS/Nemucod!MTB
MD5: 7ddf5e2956e3a5b1fae49566b351e3cb
SHA256: b76d3577574376f396f68d1922f070294d8428b0a371b217685342d2b7ea8bbb
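The following triage script is an added example and is not code from the original article or from the researchers who reported the campaign. It applies the indicators above to a directory tree: it hashes every file and compares against the published MD5/SHA256, flags zip archives that carry Windows Script Host members (the advisory only mentions VBS; the other extensions in SCRIPT_EXTS are an assumption), flags files that already carry the .ROGER extension, and searches small files for the ransom-note contact address. The sample directory it builds contains placeholder files that are constructed here (the member names, the "report.xlsx.ROGER" pattern and the note text are all assumptions), not the real campaign artifacts.

```python
import hashlib
import os
import tempfile
import zipfile

# Indicators taken from the advisory above.
IOC_MD5 = {"7ddf5e2956e3a5b1fae49566b351e3cb"}
IOC_SHA256 = {"b76d3577574376f396f68d1922f070294d8428b0a371b217685342d2b7ea8bbb"}
RANSOM_EXT = ".roger"                   # extension appended to encrypted files
RANSOM_CONTACT = b"sjen6293@gmail.com"  # contact address from the ransom note
# Assumption: script extensions worth flagging inside an e-mailed archive (the
# advisory only mentions VBS; the others are common Windows Script Host types).
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
NOTE_MAX_BYTES = 64 * 1024              # only small files are searched for the contact address


def file_hashes(path):
    """Return (md5, sha256) hex digests of a file, streaming it in 1 MiB chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def zip_script_members(path):
    """Names of script-like members inside a zip archive; [] if the file is not a zip."""
    if not zipfile.is_zipfile(path):
        return []
    with zipfile.ZipFile(path) as zf:
        return [name for name in zf.namelist() if name.lower().endswith(SCRIPT_EXTS)]


def scan_file(path):
    """Return the list of findings for one file (empty when nothing matched)."""
    findings = []
    md5, sha256 = file_hashes(path)
    if md5 in IOC_MD5 or sha256 in IOC_SHA256:
        findings.append("ioc-hash-match")
    if path.lower().endswith(RANSOM_EXT):
        findings.append("roger-extension")
    members = zip_script_members(path)
    if members:
        findings.append("zip-with-script:" + ",".join(members))
    if os.path.getsize(path) <= NOTE_MAX_BYTES:
        with open(path, "rb") as fh:
            if RANSOM_CONTACT in fh.read():
                findings.append("ransom-note-contact")
    return findings


def scan_tree(root):
    """Walk a directory and map relative path -> findings for every file that matched."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                report[os.path.relpath(full, root)] = hits
    return report


def build_sample_tree():
    """Constructed sample directory (placeholder contents, not the real campaign files)."""
    root = tempfile.mkdtemp(prefix="dharma-triage-")
    # Lure archive: a script beside a decoy image, mirroring the zip described above.
    with zipfile.ZipFile(os.path.join(root, "lure.zip"), "w") as zf:
        zf.writestr("document.vbs", "' placeholder, not the real downloader\r\n")
        zf.writestr("yuy7z.jpg", b"\xff\xd8\xff\xe0 placeholder")
    # A file that looks as if it was already encrypted (the name pattern is an assumption).
    with open(os.path.join(root, "report.xlsx.ROGER"), "wb") as fh:
        fh.write(b"\x00" * 64)
    # A ransom note quoting the contact address (text is constructed).
    with open(os.path.join(root, "note.txt"), "wb") as fh:
        fh.write(b"all your files have been encrypted, write to " + RANSOM_CONTACT + b"\r\n")
    # A benign file; its content "abc" is a standard hash test vector.
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"abc")
    return root


if __name__ == "__main__":
    for rel, hits in sorted(scan_tree(build_sample_tree()).items()):
        print(f"{rel}: {', '.join(hits)}")
```

Point scan_tree at a mail quarantine or a suspect workstation share to get a per-file list of which indicator fired; the hash check alone is brittle (a recompiled downloader gets a new hash), which is why the archive-content, extension and note-text checks are kept alongside it.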
Dharma Ransomware Download