An unidentified party has reportedly placed the source code for Dharma ransomware up for sale on at least two Russian hacker forums, adding a formidable new competitor to an already crowded underground market.
And while cybercriminals have met the offer with some healthy skepticism, the bargain-basement selling price of $2,000 may be alluring enough for prospective buyers to take their chances, said Allan Liska, Recorded Future intelligence analyst, in an interview SC Media on Monday.
"No one questions whether the code is real. Instead, the question is whether or not the seller is part of the group behind [the] Dharma/Phobos ransomware families," said Liska. (Phobos is a recent variant of Dharma.)
Liska said that on one of the cybercrime forums featuring the offer, "most members" suspect the code may be an older version of the malicious encryptor, perhaps salvaged from repository or a data leak. And some users from other forums monitoring the sale have drawn the same conclusion.
"The group behind Dharma is very good about keeping their code updated and fixing flaws that prevent it from encrypting files and demanding the ransom," Liska explained. "If this code is three, six, nine months old, how well will it still work?"
A ZDNet report on the sale of Dharma source code includes a screenshot of a March 28 forum post that is written in broken English and hard to comprehend. "Included is a completely ready-made code for C, decryptor, a simple console keygen as a bonus," said the poster, noting that the "code has been lying idle for 3 months, completely repulsed itself and worked. The other day I came across him and decided to sell."
Despite their misgivings, some potential buyers may give it a shot because the price tag is appealing, especially for a ransomware program with a sophisticated encryption process that has not been broken by security researchers. The forum seller is only offering the source code, not a more comprehensive ransomware-as-a-service offering. But joining an RaaS affiliate program for a similar quality ransomware would normally cost three-to-five times as much as what Dharma is currently being sold for, said Liska.
"The seller is literally just selling the source code. There is none of the infrastructure, like control panels and regular software updates, that comes with a typical RaaS program. But that doesn't mean this won't cause a lot of damage," said Liska. "When the source code for the Hidden Tear [open-source ransomware] was released on GitHub in 2015 it was widely copied and there were more than a dozen ransomware families created based on the code."
"Dharma has none of the encryption flaws that Hidden Tear had, which means if multiple threat actors do adopt and update the code, it could wreak havoc, and if someone decides to publish the code in a public code repository it will be even worse."
John Fokker, head of cyber investigations at McAfee, told ZDNet that the Dharma code was actually making the rounds among the hacker underground even before they landed on the two aforementioned Russian forums.
Dharma is a descendant of CrySiS ransomware, which emerged in 2016. At the 2020 RSA Conference in San Francisco, the FBI reportedly identified Dharma as the second most lucrative ransomware behind Ryuk, generating $24m between November 2016 and November 2019.
