Famous Dharma Ransomware disguised as AntiVirus Software

December 14, 2019
dharma ransomware malware

The successful ransomware variant known as Dharma has been upgraded and is now able to disguise itself as legitimate Antivirus software to dupe its victims, according to a new cyber technology research.

Dharma was first spotted in the wild in 2016 and has since claimed dozens of healthcare victims. In April 2017, Texas-based ABCD Pediatrics became one of the first reported Dharma victims, which was followed by East Central Kansas Area Agency on Aging in November.

The latest reported incident occurred in September when the virus took down Texas-based Altus Baytown Hospital. The cybercriminals hacked in the health system’s servers before launching the Dharma virus and encrypting servers containing patient files.

The group behind Dharma continuously modifies the virus to avoid detection. The virus was recently modified to be manually installed by hackers from the Remote Desktop Services connected to the internet.

The latest Dharma variant is now being bundled with phony antivirus software. The ransomware delivery follows the typical method through phishing emails. The emails are disguised to look as if they’re sent from Microsoft, warning the user the account is at risk and corrupted after some unusual behavior.

The user is then asked to verify and update their AV software through a downloaded link. According to the report, if the user follows the instructions, the ransomware will retrieve the payload and an outdated version of AntiVirus software from ESET, a cybersecurity company.


Once the self-extraction begins, the virus will begin the file encryption in the background. Simultaneously, the screen will ask the user to follow the installation instructions for the ESET AV remover, which is what makes the new Dharma variant so convincing.


Security researchers explained that the design is meant to distract the user with the installation interface displayed on the desktop, which requires user interaction. But once the install completes, instead of AV software, a ransom note will appear.

The ransomware will run even if the tool installation is not triggered, and the tool can be installed even if the ransomware does not run, the researchers said. The installation process seems included just to trick users into thinking no malicious activity is going on. The malware runs on a different instance than the software installation, so their behavior is not related.

Cybercriminals have a history of abusing authentic tools, and this recent Dharma tactic of using an installer as a diversion or screen of legitimacy is simply another method [with which] they are experimenting, they added. As malware authors continue to adopt layered evasion tactics and malicious techniques, users also have to adopt stronger and smarter security solutions to protect their assets.


About the author

Leave a Reply