{
	"id": "d52ad785-a9d0-47a5-9404-7fb53e121344",
	"created_at": "2026-04-06T00:19:05.930701Z",
	"updated_at": "2026-04-10T03:21:40.945949Z",
	"deleted_at": null,
	"sha1_hash": "34a785482ebd4dfa32ec8c33acb326120a10ea1a",
	"title": "The Little Ransomware That Couldn’t (Dharma) - The DFIR Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 309663,
	"plain_text": "The Little Ransomware That Couldn’t (Dharma) - The DFIR\r\nReport\r\nBy editor\r\nPublished: 2020-06-16 · Archived: 2026-04-05 13:15:14 UTC\r\nRansomware continues unabated in the year of continually mounting pressure. But for every big game actor out\r\nthere compromising Fortune listed companies there are the little guys that maybe just aren’t as skilled.\r\nInitial access:\r\nThreat actor logged in from 217.138.202.116 as a local admin at 0858 UTC.\r\nReconnaissance:\r\nThe threat actor brought their own enumeration and pivoting tool set NS.exe. We’ve seen this tool used time and\r\ntime again to scan and map file shares. Executed at 0936 UTC. \r\n%USERPROFILE%\\Desktop\\Oc\\NS.exe\r\nAction on Objectives:\r\nFirst was the execution of a bat file called shadow.bat, which deletes shadow files\r\nhttps://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/\r\nPage 1 of 9\n\nvssadmin delete shadows /all\r\nSeconds later logdelete.bat is run which clears all log files.\r\nFollowing this, closeapps.bat was run which loops through various common applications to try to prevent open\r\nfile lockouts keeping critical files from being encrypted.\r\nhttps://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/\r\nPage 2 of 9\n\nRegistry run keys and two startup folders were then created for the primary ransomware file 1pgp.exe.\r\nhttps://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/\r\nPage 3 of 9\n\nC:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\1pgp.exe\r\nC:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\1pgp.exe\r\nHKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\1pgp.exe\r\nFinally the ransomware executed and locked up the system.\r\nThis ransomware can be linked to the Dharma/Crysis family of ransomware based on the pdb path present in the\r\nfile strings.\r\nA rather sparse ransom note was left behind.\r\nLateral Movement\r\nEven though the threat actor was running as a domain administrator they did not attempt to move laterally or\r\nspread their ransomware.\r\nIOC’s\r\nMISPPriv 5ee3822c-6828-418c-b619-62de950d210f and 68219.\r\n1pgp.exe|1ebb6bb49ac1077c5e7eba4d56f6a3a1\r\n1ebb6bb49ac1077c5e7eba4d56f6a3a1\r\n1a37bb789c7bdda44330fd55aa292f5f76dada5d\r\n2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b\r\ncloseapps.bat|9b0d6df42f879ba969f82c7a0ab48bc6\r\n9b0d6df42f879ba969f82c7a0ab48bc6\r\nb5d6f94f270a02abedc7484dc7214d15d2cee99e\r\ne25245f98a23596e03e51535beb0f73c000de63e473580c4c26e7b8b01b4e593\r\nEverything.exe|8add121fa398ebf83e8b5db8f17b45e0\r\n8add121fa398ebf83e8b5db8f17b45e0\r\nc8107e5c5e20349a39d32f424668139a36e6cfd0\r\nhttps://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/\r\nPage 4 of 9\n\n35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413\r\nLogDelete.bat|fb9c610ba195f9b18a96b84c5e755df7\r\nfb9c610ba195f9b18a96b84c5e755df7\r\n5e4f2074850cce0eab4d6165807e86c88b5b8c0b\r\ne17ca6c764352c0a74e1e6b80278bb4395588df4bed64833b1b127ea2ca5c5fd\r\nNS.exe|597de376b1f80c06d501415dd973dcec\r\n597de376b1f80c06d501415dd973dcec\r\n629c9649ced38fd815124221b80c9d9c59a85e74\r\nf47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446\r\nShadow.bat|df8394082a4e5b362bdcb17390f6676d\r\ndf8394082a4e5b362bdcb17390f6676d\r\n5750248ff490ceec03d17ee9811ac70176f46614\r\nda3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878\r\n217.138.202.116\r\nYARA\r\n/*\r\n YARA Rule Set\r\n Author: DFIR Report\r\n Date: 2020-06-12\r\n Identifier: dharma-06-12-20\r\n Reference: https://thedfirreport.com/\r\n*/\r\n/* Rule Set ----------------------------------------------------------------- */\r\nimport \"pe\"\r\nrule vssadmin_Shadow_bat {\r\n meta:\r\n description = \"dharma-06-12-20 - file Shadow.bat\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"da3f155cfb98ce0add29a31162d23da7596da44ba2391389517fe1a2790da878\"\r\n strings:\r\n $s1 = \"vssadmin delete shadows /all\" fullword ascii\r\n condition:\r\n uint16(0) == 0x7376 and filesize \u003c 1KB and\r\n all of them\r\n}\r\nhttps://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/\r\nPage 5 of 9\n\nrule Network_Scanner_post_exploit_enumeration {\r\n meta:\r\n description = \"dharma-06-12-20 - file NS.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"f47e3555461472f23ab4766e4d5b6f6fd260e335a6abc31b860e569a720a5446\"\r\n strings:\r\n $s1 = \"CreateMutex error: %d\" fullword ascii\r\n $s2 = \"--Error mount \\\\\\\\%s\\\\%s Code: %d\" fullword wide\r\n $s3 = \"-Found share \\\\\\\\%s\\\\%s\" fullword wide\r\n $s4 = \"--Share \\\\\\\\%s\\\\%s successfully mounted\" fullword wide\r\n $s5 = \"host %s is up\" fullword ascii\r\n $s6 = \"Get ip: %s and mask: %s\" fullword wide\r\n $s7 = \"GetAdaptersInfo failed with error: %d\" fullword wide\r\n $s8 = \"# Network scan and mount include chek for unmounted local volumes. #\" fullword wide\r\n $s9 = \"####################################################################\" fullword wide /*\r\n $s10 = \"Share %s successfully mounted\" fullword wide\r\n $s11 = \"Error mount %s %d\" fullword wide\r\n $s12 = \"Failed to create thread.\" fullword ascii\r\n $s13 = \" start scan for shares. \" fullword wide\r\n $s14 = \"# '98' was add for standalone usage! #\" fullword wide\r\n $s15 = \"Error, wrong value.\" fullword wide\r\n $s16 = \"QueryDosDeviceW failed with error code %d\" fullword wide\r\n $s17 = \"FindFirstVolumeW failed with error code %d\" fullword wide\r\n $s18 = \"FindNextVolumeW failed with error code %d\" fullword wide\r\n $s19 = \"SetVolumeMountPointW failed with error code %d\" fullword wide\r\n $s20 = \"| + scan local volumes for unmounted drives. |\" fullword wide\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 400KB and\r\n ( pe.imphash() == \"0b0d8152ea7241cce613146b80a998fd\" or 8 of them )\r\n}\r\nrule Dharma_ransomware_1pgp {\r\n meta:\r\n description = \"dharma-06-12-20 - file 1pgp.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"2f2e75affe9217c7211043936678fb1777e2db4a8f1986b8805ddb1e84e9e99b\"\r\n strings:\r\n $x1 = \"C:\\\\crysis\\\\Release\\\\PDB\\\\payload.pdb\" fullword ascii\r\n $s2 = \"sssssbsss\" fullword ascii\r\n $s3 = \"sssssbs\" fullword ascii\r\n $s4 = \"9c%Q%f\" fullword ascii\r\n $s5 = \"jNYZO\\\\\" fullword ascii\r\n $s6 = \"RSDS%~m\" fullword ascii\r\nhttps://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/\r\nPage 6 of 9\n\n$s7 = \"xy ?*5\" fullword ascii\r\n $s8 = \"\u003ca-g6J\" fullword ascii\r\n $s9 = \"]q)WtH?\" fullword ascii\r\n $s10 = \"s=9uo^\" fullword ascii\r\n $s11 = \"\\\"iMw\\\\e\" fullword ascii\r\n $s12 = \"{?nT*}2g\" fullword ascii\r\n $s13 = \"h*UqD*\" fullword ascii\r\n $s14 = \"b,_f n7\" fullword ascii\r\n $s15 = \"+mm7S%I\" fullword ascii\r\n $s16 = \"+L]DAb\" fullword ascii\r\n $s17 = \"nq0\u003c3AD\" fullword ascii\r\n $s18 = \"U2cUbO\" fullword ascii\r\n $s19 = \";C!|E2z\" fullword ascii\r\n $s20 = \"P)8$X=\" fullword ascii\r\n condition:\r\n uint16(0) == 0x5a4d and filesize \u003c 300KB and\r\n ( pe.imphash() == \"f86dec4a80961955a89e7ed62046cc0e\" or ( 1 of ($x*) or 4 of them ) )\r\n}\r\nrule closeapps_bat {\r\n meta:\r\n description = \"dharma-06-12-20 - file closeapps.bat\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"e25245f98a23596e03e51535beb0f73c000de63e473580c4c26e7b8b01b4e593\"\r\n strings:\r\n $x1 = \"taskkill /F /IM MSExchangeTransportLogSearch.exe\" fullword ascii\r\n $x2 = \"taskkill /F /IM Veeam.Backup.Agent.ConfigurationService.exe\" fullword ascii\r\n $x3 = \"taskkill /F /IM MSExchangeTransport.exe\" fullword ascii\r\n $x4 = \"taskkill /F /IM EdgeTransport.exe\" fullword ascii\r\n $x5 = \"taskkill /F /IM Microsoft.Exchange.ServiceHost.exe\" fullword ascii\r\n $x6 = \"taskkill /F /IM Microsoft.Exchange.ProtectedServiceHost.exe\" fullword ascii\r\n $x7 = \"taskkill /F /IM agent.exe\" fullword ascii\r\n $x8 = \"taskkill /F /IM fdhost.exe\" fullword ascii\r\n $x9 = \"taskkill /F /IM MSExchangeThrottling.exe\" fullword ascii\r\n $x10 = \"taskkill /F /IM sqlagentc.exe\" fullword ascii\r\n $x11 = \"taskkill /F /IM Microsoft.Exchange.ContentFilter.Wrapper.exe\" fullword ascii\r\n $x12 = \"taskkill /F /IM Veeam.Backup.CatalogDataService.exe\" fullword ascii\r\n $x13 = \"taskkill /F /IM cbInterface.exe\" fullword ascii\r\n $x14 = \"taskkill /F /IM httpd.exe\" fullword ascii\r\n $x15 = \"taskkill /F /IM VeeamTransportSvc.exe\" fullword ascii\r\n $x16 = \"taskkill /F /IM cbService.exe\" fullword ascii\r\n $x17 = \"taskkill /F /IM Veeam.Backup.BrokerService.exe\" fullword ascii\r\n $x18 = \"taskkill /F /IM wsusservice.exe\" fullword ascii\r\n $x19 = \"taskkill /F /IM pvxcom.exe\" fullword ascii\r\n $x20 = \"taskkill /F /IM Veeam.Backup.MountService.exe\" fullword ascii\r\nhttps://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/\r\nPage 7 of 9\n\ncondition:\r\n uint16(0) == 0x6c3a and filesize \u003c 10KB and\r\n 1 of ($x*)\r\n}\r\nrule LogDelete_bat {\r\n meta:\r\n description = \"dharma-06-12-20 - file LogDelete.bat\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"e17ca6c764352c0a74e1e6b80278bb4395588df4bed64833b1b127ea2ca5c5fd\"\r\n strings:\r\n $s1 = \"FOR /F \\\"delims=\\\" %%I IN ('WEVTUTIL EL') DO (WEVTUTIL CL \\\"%%I\\\") \" fullword ascii\r\n condition:\r\n uint16(0) == 0x4f46 and filesize \u003c 1KB and\r\n all of them\r\n}\r\nrule Everything_seach_tool {\r\n meta:\r\n description = \"dharma-06-12-20 - file Everything.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413\"\r\n strings:\r\n $x1 = \"\u003cassembly xmlns=\\\"urn:schemas-microsoft-com:asm.v1\\\" manifestVersion=\\\"1.0\\\" xmlns:asmv3\r\n $s2 = \"\\\" version=\\\"6.0.0.0\\\" processorArchitecture=\\\"*\\\" publicKeyToken=\\\"6595b64144ccf1df\\\" l\r\n $s3 = \"http://www.voidtools.com/downloads/\" fullword ascii\r\n $s4 = \"http://www.voidtools.com/downloads/#language\" fullword ascii\r\n $s5 = \"Folder\\\\shell\\\\%s\\\\command\" fullword ascii\r\n $s6 = \"Directory\\\\background\\\\shell\\\\%s\\\\command\" fullword ascii\r\n $s7 = \"Directory\\\\Background\\\\shell\\\\%s\\\\command\" fullword ascii\r\n $s8 = \"yIdentity version=\\\"1.0.0.0\\\" processorArchitecture=\\\"*\\\" name=\\\"Everything\\\" type=\\\"win\r\n $s9 = \"; settings stored in %APPDATA%\\\\Everything\\\\Everything.ini\" fullword ascii\r\n $s10 = \"Host the pipe server with the security descriptor.\" fullword ascii\r\n $s11 = \"http://www.voidtools.com/support/everything/\" fullword ascii\r\n $s12 = \"username:password@host:port\" fullword ascii\r\n $s13 = \"\u003chtml\u003e\u003cmeta http-equiv=\\\"Content-Type\\\" content=\\\"text/html; charset=utf-8\\\"\u003e\u003cmeta name\r\n $s14 = \"\\\\\\\\.\\\\PIPE\\\\Everything Service\" fullword ascii\r\n $s15 = \"Everything Service Debug Log.txt\" fullword wide\r\n $s16 = \"Auto detect will attempt to read file contents with the associated IFilter.\" fullword a\r\n $s17 = \"processed %I64u / %I64u file records\" fullword ascii\r\n $s18 = \"SERVICE_SERVER_COMMAND_REFS_MONITOR_READ_USN_JOURNAL_DATA read ok %d\" fullword ascii\r\n $s19 = \"Store settings and data in %APPDATA%\\\\Everything?\" fullword ascii\r\n $s20 = \"http://www.voidtools.com/donate/\" fullword ascii\r\n condition:\r\nhttps://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/\r\nPage 8 of 9\n\nuint16(0) == 0x5a4d and filesize \u003c 5000KB and\r\n ( pe.imphash() == \"e7a8222fca78bde6fe29c9cc10d97ca2\" or ( 1 of ($x*) or 4 of them ) )\r\n}\r\n/* Super Rules ------------------------------------------------------------- */\r\nrule Everything_search_tool_super {\r\n meta:\r\n description = \"dharma-06-12-20 - from files Everything.exe, Everything.exe\"\r\n author = \"DFIR Report\"\r\n reference = \"https://thedfirreport.com/\"\r\n date = \"2020-06-12\"\r\n hash1 = \"35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413\"\r\n hash2 = \"35c4a6c1474eb870eec901cef823cc4931919a4e963c432ce9efbb30c2d8a413\"\r\n strings:\r\n $s1 = \"-disable-run-as-admin\" fullword ascii /* Goodware String - occured 1 times */\r\n $s2 = \"type=%s;\" fullword ascii /* Goodware String - occured 1 times */\r\n $s3 = \"EVERYTHING\" fullword ascii /* Goodware String - occured 1 times */\r\n $s4 = \"-install-run-on-system-startup\" fullword ascii /* Goodware String - occured 2 times */\r\n $s5 = \"-uninstall-url-protocol\" fullword ascii /* Goodware String - occured 2 times */\r\n $s6 = \"-app-data\" fullword ascii /* Goodware String - occured 2 times */\r\n $s7 = \"-uninstall-service\" fullword ascii /* Goodware String - occured 2 times */\r\n $s8 = \"-uninstall-efu-association\" fullword ascii /* Goodware String - occured 2 times */\r\n condition:\r\n ( uint16(0) == 0x5a4d and filesize \u003c 5000KB and pe.imphash() == \"e7a8222fca78bde6fe29c9cc10d97c\r\n ) or ( all of them )\r\n}\r\nSource: https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/\r\nhttps://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/\r\nPage 9 of 9",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/"
	],
	"report_names": [
		"the-little-ransomware-that-couldnt-dharma"
	],
	"threat_actors": [],
	"ts_created_at": 1775434745,
	"ts_updated_at": 1775791300,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/34a785482ebd4dfa32ec8c33acb326120a10ea1a.pdf",
		"text": "https://archive.orkl.eu/34a785482ebd4dfa32ec8c33acb326120a10ea1a.txt",
		"img": "https://archive.orkl.eu/34a785482ebd4dfa32ec8c33acb326120a10ea1a.jpg"
	}
}