{
	"id": "3f5a4743-6028-478c-a89f-ab95f7a27456",
	"created_at": "2026-04-06T01:30:14.630471Z",
	"updated_at": "2026-04-10T03:20:58.843555Z",
	"deleted_at": null,
	"sha1_hash": "3b0e4f4cf355da1c99576c3e00cb82f34540d1d4",
	"title": "Dharma (CrySiS) Ransomware: Technical Analysis, Context and Mitigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 56282,
	"plain_text": "Dharma (CrySiS) Ransomware: Technical Analysis, Context and Mitigation\r\nBy Acronis\r\nPublished: 2025-12-05 · Archived: 2026-04-06 00:48:58 UTC\r\nRansomware as a service: Dharma (CrySiS) has been active since 2016 and is distributed through a ransomware-as-a-service model. The 2021 variant appends a .biden extension to encrypted files.\r\nInitial infection through remote services: According to the MITRE CAPEC database, adversaries commonly use stolen credentials to log in to remote services such as Remote Desktop Protocol (RDP). Dharma is typically deployed manually through RDP using weak or leaked credentials. Restricting or disabling RDP, limiting remote login accounts, and enabling multi-factor authentication reduce exposure.\r\nInstallation and persistence: Dharma executes as a 32-bit process on all Windows platforms, disables Wow64 file system redirection, copies itself to the %System% directory and Startup folders, and adds Run keys for persistence. It also creates mutexes to ensure a single active instance.\r\nService and process termination: Dharma stops database, backup, and productivity services to remove file locks before encryption. This behavior aligns with ransomware families observed by MITRE, such as LockBit 3.0, which terminate security and database services before encrypting files.\r\nFile encryption: Dharma encrypts files in multiple threads using AES-256 in CBC mode. NIST defines AES as a U.S. Government-approved symmetric block cipher used to protect electronic data. Each file key is encrypted with a 1024-bit RSA public key embedded in the malware.\r\nMitigation and detection: Acronis products detect and block Dharma ransomware. Organizations should harden RDP, enforce multi-factor authentication, maintain offline backups, and isolate infected systems during incidents.\r\nOverview\r\nDharma, also known as CrySiS, is a long-running ransomware family first observed in 2016. It operates as ransomware as a service, where developers lease the malware to affiliates who deploy it. A variant discovered in March 2021 appends the \".biden\" extension to encrypted files. This article provides a technical analysis of Dharma, outlines its infection vector, describes its encryption workflow, and offers guidance for mitigation.\r\nAttack vector\r\nMany Dharma intrusions begin when threat actors gain access to a Windows system through Remote Desktop Protocol (RDP). The Common Attack Pattern Enumeration and Classification (CAPEC) project reports that adversaries use stolen credentials to log in to remote services, including RDP, Telnet, and SSH (capec.mitre.org). Once connected, attackers manually deploy ransomware. Recommended security practices include:\r\nhttps://www.acronis.com/en-us/articles/Dharma-ransomware/\r\nPage 1 of 4\r\nDisable unnecessary remote services: CAPEC guidance recommends disabling RDP and similar services when not required, blocking remote service traffic at the firewall, and removing the local Administrators group from RDP access (capec.mitre.org).\r\nRestrict accounts and enforce multi-factor authentication: Only essential accounts should have remote login privileges. CAPEC also recommends limiting remote user permissions and using remote desktop gateways and multi-factor authentication (capec.mitre.org; attack.mitre.org).\r\nUse strong, unique credentials and monitor for leaks.\r\nDeobfuscation and runtime linking\r\nWhen executed, Dharma uses the RC4 stream cipher to decrypt embedded strings that contain Windows API function names. It resolves these function addresses at runtime. RC4 is a symmetric stream cipher that is deprecated for secure communications but remains common in malware for basic obfuscation. Dharma uses the same RC4 routine to decrypt additional operational strings during execution.\r\nInstallation and persistence\r\nTo operate as a 32-bit process on both 32-bit and 64-bit Windows systems, Dharma calls the Wow64DisableWow64FsRedirection() function to disable file system redirection. It then copies itself to the %System% directory using the original filename and creates autorun registry entries under HKLM and HKCU:\r\n[HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\u003cfilename\u003e.exe = %System%\\\u003cfilename\u003e.exe\r\n[HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]\r\n\u003cfilename\u003e.exe = %System%\\\u003cfilename\u003e.exe\r\nThe malware also copies itself into both Start Menu Startup folders. It creates two global mutexes, Global\\syncronize_FQBL57A and Global\\syncronize_FQBL57U, to ensure that only one instance runs. If the Windows version is older than Windows Vista, or if the mutexes already exist, Dharma exits.\r\nPayload: service termination and process manipulation\r\nBefore encrypting files, Dharma attempts to stop services and terminate processes that may restrict file access. It stops database services such as Firebird and MSSQL, terminates processes including postgres.exe, mysqld.exe, sqlservr.exe, and Outlook, and deletes shadow copies using:\r\nvssadmin delete shadows /all /quiet\r\nIt also sets the console code page to Windows-1251 for compatibility.\r\nTerminating critical processes and services is a common ransomware technique. MITRE reports that LockBit 3.0 terminates security, backup, and database services to avoid interference during encryption (attack.mitre.org).\r\nFile encryption\r\nDharma encrypts files in multiple threads. It uses AES-256 in CBC mode for file encryption. NIST describes AES as a U.S. Government-approved symmetric block cipher suitable for encrypting and decrypting electronic data (csrc.nist.gov).\r\nFor each file:\r\nA unique 256-bit AES key and 128-bit initialization vector are generated using pseudo-random values and RC4.\r\nThe AES key is encrypted using a 1024-bit RSA public key embedded in the malware.\r\nThe key and IV are appended to the encrypted file.\r\nDharma excludes key system files (e.g., boot.ini, .exe) and encrypts a broad range of file types including documents, media, databases, archives, and source code.\r\nEncrypted files follow this naming pattern:\r\n\u003coriginal_file\u003e.id-\u003cdrive_serial_number\u003e.[\u003cattacker_email\u003e].biden\r\nFor example:\r\ndesktop.ini.id-4AFE57F0.[biden@cock.li].biden\r\nRansom note\r\nAfter encryption, Dharma drops ransom notes (Info.hta and MANUAL.txt) into Startup folders and the root of the system drive. These notes instruct victims to contact the attacker by email to purchase a decryption key. They warn victims that data loss may occur if they attempt self-recovery.\r\nDetection by Acronis and recommended response\r\nAcronis Cyber Protect and Acronis Cyber Protect Cloud detect and block Dharma ransomware. Recommended response steps include:\r\nIsolate the affected system to prevent further spread.\r\nDo not pay the ransom, as payment supports criminal activity and does not guarantee recovery.\r\nNotify law enforcement and follow regulatory requirements.\r\nRestore from offline or immutable backups to ensure data integrity.\r\nInvestigate the intrusion to identify root-cause issues such as exposed RDP services or weak credentials.\r\nPrevention and hardening\r\nSecure remote services: Disable RDP if it is not required. CAPEC recommends blocking RDP, Telnet, and SSH at the firewall, limiting remote login permissions, removing the local Administrators group from RDP access, and enabling multi-factor authentication (capec.mitre.org; attack.mitre.org).\r\nPatch systems regularly: Apply operating system and software patches promptly.\r\nImplement least-privilege access: Restrict administrative rights, limit service accounts, and monitor for anomalous logins.\r\nDeploy endpoint protection: Use solutions such as Acronis Cyber Protect to detect ransomware behaviors and prevent unauthorized encryption.\r\nMaintain offline backups: Regularly back up critical data to storage that is immutable or otherwise inaccessible to malware.\r\nSource: https://www.acronis.com/en-us/articles/Dharma-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.acronis.com/en-us/articles/Dharma-ransomware/"
	],
	"report_names": [
		"Dharma-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775439014,
	"ts_updated_at": 1775791258,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b0e4f4cf355da1c99576c3e00cb82f34540d1d4.pdf",
		"text": "https://archive.orkl.eu/3b0e4f4cf355da1c99576c3e00cb82f34540d1d4.txt",
		"img": "https://archive.orkl.eu/3b0e4f4cf355da1c99576c3e00cb82f34540d1d4.jpg"
	}
}