
Ransomware infects victims by masking itself with anti-virus software

May 30, 2019

A file-locking malware family has developed a new approach that abuses user trust to create new ransomware victims.

This successful ransomware family, called Dharma, first emerged in 2016 and has been responsible for a number of high-profile cyber incidents. It has been terrorising organisations around the world and has recently adopted a new approach: tempting victims to install file-locking malware that pretends to be anti-virus software.

The group behind Dharma regularly updates its campaigns to keep the attacks effective and to maximise the chance of triggering ransom payments in exchange for decrypting locked networks and files on Windows systems. Dharma has now gone a step further by bundling the ransomware inside a fake anti-virus software installation. The attack starts with phishing emails. The messages claim to be from Microsoft and state that the victim's Windows PC is 'at risk' and 'corrupted' following 'unusual behaviour', urging the user to 'update and verify' their anti-virus by following a download link. If the user does so, the download retrieves two components: the Dharma ransomware payload and an old version of an established anti-virus tool from a cyber security company.

When the self-extracting archive runs, Dharma begins encrypting files in the background. Meanwhile the user is asked to follow the installation instructions for ESET AV Remover. This interface is displayed on the user's desktop and requires interaction throughout the installation process in order to distract from the malicious activity. Once the installation is complete, the victim is confronted with a ransom note demanding a cryptocurrency payment in exchange for unlocking the files.
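The defensive point in the paragraph above is that the installer the user sees and the process encrypting files are two different things, so file-activity monitoring is what catches the attack, not the visible window. The following is an added example, not code from the original post or from any vendor, showing one heuristic a detection engineer might run over file-system events: flag a process that, within a short window, performs a burst of writes producing high-entropy content (ciphertext looks random) or renames files to a new extension. The event format, process names, PIDs and thresholds are all constructed for this illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from math import log2
import os


@dataclass(frozen=True)
class FileEvent:
    """A constructed file-system event; a real sensor would supply these."""
    ts: float            # seconds since epoch
    pid: int
    proc: str            # process image name
    op: str              # "write" or "rename"
    path: str            # destination path
    data: bytes = b""    # first bytes written (only meaningful for "write")
    old_path: str = ""   # source path (only meaningful for "rename")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniformly random, plain text is usually below 5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * log2(c / n) for c in counts if c)


def is_suspicious(ev: FileEvent, entropy_min: float) -> bool:
    """Writes of near-random content, or renames that change the extension."""
    if ev.op == "write":
        return shannon_entropy(ev.data) >= entropy_min
    if ev.op == "rename":
        return os.path.splitext(ev.old_path)[1] != os.path.splitext(ev.path)[1]
    return False


def detect_burst_encryption(events, window_s=10.0, threshold=5, entropy_min=7.0):
    """Return {(pid, proc): peak_count} for processes whose suspicious events
    reach `threshold` inside any sliding window of `window_s` seconds."""
    flagged = {}
    windows = defaultdict(deque)          # (pid, proc) -> timestamps in window
    for ev in sorted(events, key=lambda e: e.ts):
        if not is_suspicious(ev, entropy_min):
            continue
        key = (ev.pid, ev.proc)
        q = windows[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window_s:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


# Constructed sample data. CIPHERTEXT_LIKE is a deterministic stand-in for
# encrypted output (every byte value equally often, so entropy is exactly 8.0).
CIPHERTEXT_LIKE = bytes(range(256)) * 4
TEXT_LIKE = b"Installation log: copying component files...\r\n" * 20

SAMPLE_EVENTS = [
    # The visible installer: ordinary low-entropy writes and one log rotation.
    FileEvent(100.2, 1337, "AvRemoverSetup.exe", "write", r"C:\Temp\setup.log", TEXT_LIKE),
    FileEvent(100.8, 1337, "AvRemoverSetup.exe", "write", r"C:\Temp\setup.ini", TEXT_LIKE),
    FileEvent(101.2, 1337, "AvRemoverSetup.exe", "rename", r"C:\Temp\x.log",
              old_path=r"C:\Temp\x.tmp"),
    # The background payload: six user documents overwritten with random-looking
    # bytes in under three seconds.
    *[
        FileEvent(100.0 + 0.5 * i, 4242, "payload.exe", "write",
                  rf"C:\Users\victim\Documents\report{i}.docx", CIPHERTEXT_LIKE)
        for i in range(6)
    ],
]


if __name__ == "__main__":
    for (pid, proc), count in detect_burst_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} proc={proc} suspicious_events_in_window={count}")
```

Only the background process trips the rule; the installer's two text writes are low entropy and its single rename never reaches the threshold. In production the thresholds need tuning against normal activity (backup agents, compilers and archivers also produce bursts of high-entropy writes), which is why a rule like this is best paired with the basics the post goes on to recommend: mail filtering so the lure never arrives, and offline backups so encryption is recoverable.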

This is a well-known practice: malware bundled with a legitimate application, and any application could be used this way. Ransomware remains a threat to organisations as attackers continue to develop and deploy new tactics for delivering file-locking malware, upgrading old threats with new techniques. It remains a costly and versatile threat. To avoid falling victim, organisations are advised to maintain good cyber security hygiene: secure email gateways, back up files regularly, and keep systems and applications patched and up to date.
