A group of “newbie” Iranian hackers have been blamed for attacks using the Dharma ransomware variant on targets in Russia and Asia.
The threat actors’ relative inexperience was highlighted by several characteristics of the attacks against companies in Russia, Japan, China and India, according to Group-IB.
First is the choice of tooling: the ransomware-as-a-service model employed by Dharma (aka Crysis) and the publicly available IP scanning tool Masscan. They also used NLBrute to brute-force their way through weak RDP credentials and to check the validity of the obtained credentials on other accessible hosts in the network.
“Interestingly, the threat actors likely didn’t have a clear plan on what to do with the compromised networks. Once they established the RDP connection, they decided on which tools to deploy to move laterally. For instance, to disable built-in anti-virus software, the attackers used Defender Control and Your Uninstaller,” the security firm continued.
“To scan for accessible hosts in the compromised network, threat actors used Advanced Port Scanner, another publicly available tool. After the network reconnaissance activities were completed, the adversary used the collected information to move laterally through the network using the RDP protocol.”
The group also demanded a relatively small ransom of 1-5 BTC.
Group-IB senior digital forensics specialist Oleg Skulkin argued that, in spite of the use of fairly common TTPs, the group appears to have been quite effective.
“It’s surprising that Dharma landed in the hands of Iranian script kiddies who used it for financial gain, as Iran has traditionally been a land of state-sponsored attackers engaged in espionage and sabotage,” he added.
Group-IB recommended that organizations change the default RDP port from 3389 to a non-standard one, enable account lock-out policies to blunt brute-force attempts, and invest in intrusion detection tools to spot unusual behavior inside the network.
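As an added example (not from the article, Group-IB, or the attackers' tooling), the following detector flags the pattern the report describes, a burst of failed RDP logons from one source followed by a successful RDP logon from the same source, over a constructed set of Windows Security events; the field layout, host names and addresses are assumptions, while event IDs 4625/4624 and logon type 10 (RemoteInteractive) are the real Windows values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 5                   # failed RDP logons per source before alerting
WINDOW = timedelta(minutes=5)   # sliding window in which failures are counted
RDP_LOGON_TYPES = {10}          # 10 = RemoteInteractive (RDP)

# Constructed sample events, simplified from Windows Security log fields:
# (timestamp, event_id, logon_type, target_user, source_ip, host)
SAMPLE_EVENTS = [
    ("2020-08-24T10:00:01", 4624, 10, "j.doe",         "10.0.0.5",     "SRV01"),  # normal admin RDP
    ("2020-08-24T10:00:05", 4625, 2,  "svc",           "127.0.0.1",    "SRV01"),  # local failure, not RDP
    ("2020-08-24T10:01:00", 4625, 10, "admin",         "198.51.100.7", "SRV01"),
    ("2020-08-24T10:01:02", 4625, 10, "administrator", "198.51.100.7", "SRV01"),
    ("2020-08-24T10:01:04", 4625, 10, "user",          "198.51.100.7", "SRV01"),
    ("2020-08-24T10:01:06", 4625, 10, "test",          "198.51.100.7", "SRV01"),
    ("2020-08-24T10:01:08", 4625, 10, "backup",        "198.51.100.7", "SRV01"),
    ("2020-08-24T10:01:10", 4625, 10, "backup",        "198.51.100.7", "SRV01"),
    ("2020-08-24T10:01:30", 4625, 10, "admin",         "203.0.113.9",  "SRV02"),  # two stray failures
    ("2020-08-24T10:02:00", 4625, 10, "admin",         "203.0.113.9",  "SRV02"),  # stay below threshold
    ("2020-08-24T10:03:00", 4624, 10, "backup",        "198.51.100.7", "SRV01"),  # success after the burst
]

def detect_rdp_bruteforce(events, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per source that reaches `threshold` failed RDP logons
    inside `window`; the alert is escalated if a successful RDP logon from the
    same source follows, which is the point at which the attack has worked."""
    failures = defaultdict(list)   # source_ip -> timestamps of recent failed RDP logons
    alerts = {}                    # source_ip -> alert record
    for ts_str, event_id, logon_type, user, src, host in sorted(events, key=lambda e: e[0]):
        if logon_type not in RDP_LOGON_TYPES:
            continue
        ts = datetime.fromisoformat(ts_str)
        if event_id == 4625:
            recent = [t for t in failures[src] if ts - t <= window] + [ts]
            failures[src] = recent
            if len(recent) >= threshold:
                alert = alerts.setdefault(src, {"source": src, "host": host, "status": "brute_force"})
                alert["failures"] = len(recent)
        elif event_id == 4624 and src in alerts:
            alerts[src]["status"] = "success_after_bruteforce"   # credentials were guessed
            alerts[src]["user"] = user
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

The same logic applies unchanged if RDP is moved off port 3389, since Windows logon events do not record the port; note that with Network Level Authentication enabled, failed RDP attempts are commonly logged with logon type 3 rather than 10, so a production rule should accept both.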