The source code of one of the most profitable ransomware families, the Dharma ransomware, is up for sale on two Russian-language hacking forums.
The Dharma ransomware first appeared on the threat landscape in February 2016, at the time experts dubbed it Crysis.
At the time, threat actors were spreading the ransomware via email attachments with double file extensions or via malicious links embedded in spam emails.
In November 2016, the master decryption keys for Crysis were released online, victims of CrySis versions 2 and 3 were able to recover their files.
The decryption keys for the
A few weeks later, the CrySiS
The source is offered for a price as low as $2,000, as reported by ZDNet.
“Several ransomware experts who spoke
The availability of the source code online will allow threat actors to create their own versions and start distributing them.
Malware researchers consider the encryption scheme very sophisticated, but in March 2017 its alleged Master Keys have been released by a member using the online moniker ‘
The user published a post containing a Pastebin link to a header file in C programming languages that supposedly contains the master decryption keys.
The Dharma ransomware received numerous updates over the years, in 2019 a new piece of ransomware subbed Phobos emerged online.
According to Malwarebytes, the Phobos ransomware was quite identical to the Dharma ransomware, both ransomware families remained active over 2019.
“John Fokker, head of cyber investigations at McAfee, told ZDNet that the Dharma code had already been circulating in the hacker underground for quite some time and that it’s only now surfacing on more public forums.” concluded ZDNet.