Analysis of a Dharma Ransomware Incident

Cristian Cornea
5 min readAug 16, 2020
(Dharma Ransom note)

In this article, we are going to discuss and analyze the methodology behind an infection with the Dharma ransomware.


The ransomware from the Dharma family dates back to 2016, but different and more complex variants were developed and released over time. Later analysis concluded that Dharma evolved from the CrySIS family, which was released in early 2016.

(CrySIS Ransom Note)

CrySIS was launched as a RaaS (Ransomware-as-a-Service), and probably it was one of the first such operations. Through a Ransomware-as-a-Service model, developers can distribute customizable ransomware samples to customers, where they can create their personalized variants and versions.

Everything went great for the CrySIS distributors and customers until the decryption keys were leaked later that year (2016), which broke the entire scheme because the keys were the same for all the versions and variants of the ransomware.

This didn’t stop the developers, and a new RaaS was released some weeks later, but under another name of “Dharma”, which is an Indian religious term referring to the aspect of truth or reality (it has multiple meanings).



Cristian Cornea

🇷🇴 Founder: Zerotak Security | Cyber Security Training Centre of Excellence (CSTCE) | | BSides Transylvania