Security researchers are currently on high alert following the discovery that the source code of Dharma, one of today’s most profitable ransomware-as-a-service (RaaS) strains, has been up for sale on a few hacker forums.
On Wednesday, March 29, technology news website ZDNet reported on the incident, revealing that the source code had popped up on two Russian hacker forums at the low price of $2,000. According to ransomware experts, this development could raise the strain’s threat level, especially if the code lands in the hands of more cybercriminals.
“The seller is literally just selling the source code. There are none of the infrastructures, like control panels and regular software updates, that come with a typical RaaS program. But that doesn’t mean this won’t cause a lot of damage,” Allan Liska, an intelligence analyst, told SC Magazine.
“When the source code for the Hidden Tear [open-source ransomware] was released on GitHub in 2015, it was widely copied and there were more than a dozen ransomware families created based on the code,” he added.
First discovered in 2016, the Dharma ransomware has been identified by the FBI as the second most lucrative ransomware operation in recent years, collecting about $24.48 million from victims between 2016 and 2019.
At launch, the strain was originally named CrySiS and was built so that other criminals could launch their own versions of the ransomware. Later, after decryption keys for the strain had been published online, the author of CrySiS rebranded and took on the name Dharma.
A few months later, decryption keys for Dharma were published as well. To date, however, newer versions of the strain with more advanced and complex encryption schemes are being used by threat actors, and those versions have remained undecryptable since then.
“Dharma has none of the encryption flaws that Hidden Tear had, which means if multiple threat actors do adopt and update the code, it could wreak havoc, and if someone decides to publish the code in a public code repository it will be even worse,” Liska warned.
However, while the threat of more cybercriminals gaining access to the ransomware remains, some security researchers say that this development could also help them learn more about the ransomware and might even lead them to produce new decryption tools.
“If we can get our hands on the source, we might be able to find some flaws,” Jakub Kroustek, threat intel lead at Avast, told ZDNet.