What is Dharma Ransomware: How to Protect Against It?

Share This:

Dharma ransomware is a type of malicious code that has been used in numerous attacks since 2016. This ransomware, which is believed to be connected to an Iranian threat group, encrypts user data and demands a ransom for the key to decrypt it. In order to gain access, the attackers use Remote Desktop Protocol (RDP) services over TCP port 3389 and attempt to brute-force the password.

The Dharma ransomware attack has been seen in numerous industries, with victims being asked to pay a ransom of 1-5 Bitcoins in order to retrieve their encrypted data. As with any form of a ransomware attack, it’s important that organizations remain vigilant and ensure they have adequate security measures in place in order to protect themselves against such threats.

In particular, Dharma attacks can be prevented by blocking port 3389 which prevents access via RDP. Additionally, it’s important that organizations regularly back up their data as this will enable them to recover from an attack even if they are unable to pay the ransom. Organizations should also consider implementing multi-factor authentication for all users who access their networks remotely as this will help mitigate the risk of a successful brute-force attack.

Overall, Dharma ransomware poses a threat to organizations around the world and should not be taken lightly. By taking the necessary steps outlined above, organizations can better protect themselves from such threats and ensure their data remains secure.

Spread of Dharma Ransomware

Dharma ransomware is a type of malicious software that is spread by hackers gaining access to computers via the Remote Desktop Protocol (RDP) on TCP port 3389. The hackers then exploit any potential vulnerabilities in the system to gain access and spread their ransomware. Once inside the system, Dharma will encrypt users’ files and demand a ransom for the decryption key. It usually spreads through spam emails containing malicious links or attachments, as well as through other malicious websites. Additionally, Dharma can be spread through vulnerable Remote Desktop Protocols that are left open without authentication.

To prevent Dharma from spreading, users should ensure that their RDPs are properly secured with strong passwords and two-factor authentication. Additionally, they should block port 3389 on their firewalls to prevent unauthorized access to their systems and regularly update their antivirus software so it can detect any possible threats. Finally, they should never click on suspicious links or download attachments from untrusted sources.

dharma ransomware
Source: csoonline.com

How Dharma Ransomware Works

Dharma ransomware is malicious software that encrypts the user’s data, rendering it inaccessible until a ransom is paid. It is manually transmitted by attackers who use Remote Desktop Protocol (RDP) services over TCP port 3389 to gain access to a computer. Once they gain access, they brute-force the password and then initiate the encryption process. Ransomware usually uses a combination of symmetric and asymmetric algorithms to encrypt files on the victim’s computer. After encrypting the data, Dharma ransomware drops a ransom note in every folder containing encrypted files, informing victims about how to pay the ransom for getting their data back. If victims don’t pay the ransom within a certain amount of time, their data will be permanently lost.

Does Dharma Ransomware Target Data?

No, Dharma ransomware does not appear to be designed to steal data. In fact, our internal forensic investigations and additional research have not found any evidence that the Dharma ransomware attacks are known to steal data from victims’ networks.

Rather, the main purpose of Dharma ransomware is to extort money from its victims by encrypting their data and demanding a ransom payment in exchange for a decryption key. Although ransomware attacks can lead to stolen data if attackers gain access to a victim’s system, there is no indication that this is the case with Dharma ransomware.

Therefore, while it is still important for all users to take precautions against ransomware attacks, it appears that Dharma ransomware specifically is not designed to steal data from its victims.

Origin of Dharma Ransomware

Dharma ransomware is a type of ransomware-as-a-service (RaaS) that originates from a financially motivated Iranian threat group. It has been available on the dark web since 2016 and is mainly associated with remote desktop protocol (RDP) attacks. The attackers use this ransomware to demand 1-5 bitcoins from targets across a wide range of industries, making it a very lucrative form of malware. Dharma is one of the most well-known and successful ransomware campaigns in the world, so it is important for organizations to be aware of its potential risks.

Removing Ransomware

Ransomware can be removed, but the process is not always straightforward. If the ransomware has encrypted your data, you may need to use a decryption tool to regain access. Manual removal of the malware is only recommended for computer-savvy users and should be done with extreme caution. Additionally, you can use antivirus software to automatically detect and remove malicious files. However, it’s important to note that even after removing the malware, there could still be security risks associated with the infection. Therefore, it’s best to take precautionary measures such as regularly backing up your data in case of an attack.

Can Ransomware be Removed by Resetting?

Yes, resetting your machine can be an effective way to remove ransomware. When you reset your machine, any infected files will be erased, leaving your machine in a clean state. This is particularly helpful if the ransomware only targeted certain file types, such as Office files. However, it’s important to note that resetting your machine will not help if the ransomware has spread to other parts of the system. In this case, you may need additional steps to remove the ransomware. Additionally, even if the reset successfully removes the ransomware, it’s still important to exercise caution going forward and back up important files regularly in order to protect against future attacks.

dharma ransomware
Source: calmatters.org

The Most Notable Ransomware Attack

The most famous ransomware to date is WannaCry. It was first released in May 2017 and quickly spread to more than 150 countries, infecting over 200,000 computers. WannaCry employed a dual-stage attack, including an encryption mechanism that held the victims’ data for ransom and a worm-like propagation feature that allowed it to quickly spread across networks. It was also the first ransomware to use a public-key cryptography system for encrypting files, making it difficult for victims to recover their data without paying the ransom. As a result of its widespread damage and its use of sophisticated techniques, WannaCry is considered one of the most dangerous malware attacks in history.

Top 5 Targets of Ransomware

1. Banking and Financial Services: Banks and financial institutions are the most common targets of ransomware attacks due to their large amounts of sensitive data and their reliance on digital systems. These organizations are also attractive targets because they typically have the resources to pay ransoms.

2. Healthcare: Healthcare organizations may be targeted due to their large amounts of highly sensitive patient data, which is extremely valuable to attackers. They also have limited IT security budgets, making them vulnerable to attack.

3. Education: Schools and universities are often targeted because they store large amounts of personal student data, from grades to social security numbers, which can be used for identity theft or other malicious activities. Additionally, many school systems operate on outdated software or hardware that lacks proper security measures.

4. Government: Governments are attractive targets for ransomware attackers due to the high-value data that is stored in their networks, as well as the potential disruption caused by a successful attack. Governments around the world have been targeted by ransomware attacks in recent years, with some even paying out ransoms in order to avoid significant disruptions or loss of sensitive information.

5. Retailers: Retail businesses are attractive targets for ransomware attackers due to the high volumes of customer data that are stored within their networks, as well as the potential for disrupting operations and causing financial losses if a successful attack occurs.

The Number One Ransomware Threat in the Cybersecurity Industry

The legal industry is the number one ransomware threat, with 92% of organizations in the sector having been affected by a ransomware attack. This is followed by financial services (78%), manufacturing (78%), and human resources services (77%). Other industries at risk include healthcare, education, government, retail, hospitality, and more.

Ransomware attacks have become increasingly sophisticated over time and are now targeting specific organizations in order to maximize their profit. Once an organization is infected, attackers can encrypt valuable data and demand a ransom payment in exchange for its release. If a ransom is not paid, the data could be permanently lost. As such, it is important for organizations to take proactive measures to protect themselves against ransomware threats. This includes regularly backing up data and maintaining strong cyber security measures such as robust firewalls, antivirus software, and employee security training.


In conclusion, Dharma ransomware is a form of ransomware-as-a-service (RaaS) that is used by financially motivated Iranian threat groups. The attackers gain access to the victim’s computer through Remote Desktop Protocol (RDP) services on TCP port 3389 and then use brute force to guess the password. Once inside, they encrypt user data and demand a ransom in exchange for the decryption key. Fortunately, there is no evidence of data theft during the Dharma ransomware attacks. To protect yourself from Dharma ransomware, it is recommended to shut down port 3389, regularly back up your data, and practice good password hygiene.

Share This:
Photo of author

James Walker

James Walker has a deep passion for technology and is our in-house enthusiastic editor. He graduated from the School of Journalism and Mass Communication, and loves to test the latest gadgets and play with older software (something we’re still trying to figure out about himself). Hailing from Iowa, United States, James loves cats and is an avid hiker in his free time.