Analysis of a Dharma Ransomware Incident

Cristian Cornea
Aug 16, 2020
(Dharma Ransom note)

In this article, we are going to discuss and analyze the methodology behind an infection with the Dharma ransomware.


The ransomware from the Dharma family dates back to 2016, but different and more complex variants were developed and released over time. Later analysis concluded that Dharma evolved from the CrySIS family, which was released in early 2016.

(CrySIS Ransom Note)

CrySIS was launched as a RaaS (Ransomware-as-a-Service) and was probably one of the first such operations. Under a Ransomware-as-a-Service model, developers distribute customizable ransomware samples to customers, who can then create their own personalized variants and versions.

Everything went great for the CrySIS distributors and customers until the decryption keys were leaked later that year (2016), which broke the entire scheme because the keys were the same for all the versions and variants of the ransomware.

This didn’t stop the developers: a new RaaS was released some weeks later under another name, “Dharma”, an Indian religious term referring to the aspect of truth or reality (it has multiple meanings).

In March 2020, the Dharma source code was put up for sale for only $2,000 on multiple hacking forums.

Enough talking… let’s get to the fun part.

Infected Environment & Initial Compromise

The target network was an Active Directory infrastructure of an SMB. And who says that small businesses are not targeted too?

Can you guess the main cause? Hint: 3 characters.

Exactly… RDP (Remote *Devil* Protocol) compromise.

Can it be worse? Unfortunately, the answer is “yes”, it can be A LOT worse, and you know why? Because they didn’t hack into an employee’s ordinary workstation; they got into the Domain Controller (DC) through RDP. And yes, you read that correctly.

Why did this happen? Well, there were policies, procedures, and security best practices in place, but some…



Cristian Cornea

🇷🇴 Founder @ Zerotak Security & Cyber Security Training Centre of Excellence (CSTCE)