The source code of the infamous Dharma ransomware became available for sale on two Russian-language hacking forums over the weekend, ZDNet reports. The malware source code is selling for up to $2,000, raising concerns in the cybersecurity community.
The Dharma ransomware was first spotted in February 2016, when it was known as CrySis. Its operators spread the ransomware via email attachments with double file extensions or through malicious links embedded in spam emails. The infections were seen in Russia, Japan, South and North Korea, and Brazil.
After the master decryption keys for CrySis appeared online in November 2016, the CrySis RaaS was re-launched under the name of Dharma.
Security experts are worried because “the sale of the Dharma ransomware code would most likely result in its eventual leak on the public internet, and to a wider audience”.
“This, in turn, would result in the broader proliferation among multiple cybercrime groups, and an eventual surge in attacks,” ZDNet wrote.
“The reason for everyone's worries is that Dharma is an advanced ransomware strain, created by a knowledgeable malware author. Its encryption scheme is very advanced, and has been undecryptable since 2017”.
Over the years, numerous versions of the Dharma malware emerged, and in 2019 researchers spotted a new piece of ransomware dubbed Phobos, which “was quite identical” to the Dharma ransomware.
Both ransomware families remained active throughout 2019, with Dharma accounting for 9.3% of ransomware incidents in Q4 2019, while Phobos’ share was 10.7% of infections.