Iranian hackers used RDP to hit businesses with Dharma ransomware

The hackers using Dharma ransomware are “far behind the level of sophistication of big-league Iranian APTs.”
Iran behind Dharma ransomware attacks

The hackers behind Dharma ransomware attacks are “far behind the level of sophistication of big-league Iranian APTs,” reveals the report from Singapore-based cyber security firm Group-IB.


Group-IB researchers have discovered a new ransomware campaign instigated by a Persian-speaking hacker group supposedly based in Iran.

Reportedly, the hackers are targeting businesses in Russian, Japan, India, and China to deploy Dharma ransomware by leveraging the Remote Desktop Protocol (RDP).

It is noteworthy that Dharma ransomware made headlines in January 2017 after hacking a popular horse racing website in India and then in February 2017 after two Romanian hackers were arrested for hacking DC security cameras before the official inauguration ceremony of President Donald Trump – Both hackers were accused of distributing Dharma and Cerber ransomware.

As for the Iranian connection with Dharma ransomware, according to Group-IB researchers, they discovered this campaign while carrying out incident response for a Russian company in June 2020.

The digital forensics team at Group-IB identified that the company’s network was infected with Dharma ransomware. The hackers abused its RDP, and due to weak credentials, they could abuse its system quite easily.

See: Ransomware Hits Leading US Medical Debt Collector R1 RCM Inc.

After infiltrating the network, they choose between several tools to proceed further. This includes using tools like Your Uninstaller, to distribute the ransomware across the network. This tool is available on an Iranian software sharing website. Using it, hackers could disable the company’s anti-virus solutions.


Afterward, the hackers could not only download additional tools from Persian-speaking Telegram channels but also mapped the infected network for available hosts using the Advanced Port Scanner. They dropped Dharma ransomware on each of the hosts as these contained weak credentials and demanded 1-5 BTC (approx. $11,700 – $59,000) in ransom.

Dharma ransomware’s ransom note

The same attack artifacts were later identified in the networks of many other companies in China, India, and Japan. Further analysis revealed that the hackers aren’t too sophisticated as they are using publicly available tools, which reflects that they are new to the world of cybercrime.

In their report, researchers stated that;

“Far behind the level of sophistication of big-league Iranian APTs.”


Surprisingly, such novices are using Dharma for financial gains. Usually, state-sponsored hackers use Dharma in their espionage campaigns. However, given that Dharma comes with a toolkit, it is elementary for anyone to become a cybercriminal.

They identify their targets by scanning the internet for IP address ranges for exposed or weak remote desktop connections. At this stage, they use the open-source port scanner Masscan. 

See: Two arrested for hacking DC security cams with Dharma ransomware Before Trump Inauguration

The next step is launching a brute-force attack using NLBrute, which makes continuous RDP password attempts to find the right combo. After gaining access to the system, they gain privilege escalation by exploiting an old vulnerability that works on all computers using Windows 7 or 10.


Group-IB researchers urge organizations to immediately change those default ports that they use for RDP connections and implement account lockout measures.


Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.

Related Posts