Ransomware attacks by amateur Iranian hackers used “off-the-shelf” malware

Threat researchers are reporting that low-skilled Iranian hackers carried out a number of successful attacks against enterprise targets in June. The incident highlights the growing threat of off-the-shelf malware to businesses and individuals.

In this short article, we’ll tell you what happened, give you some background to the issue, and let you know what you can do to stay safe.

The incident

According to researchers at Singapore-based Group-IB, newbie hackers in Iran managed to penetrate the networks of a number of companies across the globe and infect their systems with Dharma ransomware. The cybercriminals demanded ransoms ranging from 1–5 Bitcoin, or around $10,000–$50,000 USD at the current rate of exchange.

Interestingly, the bad guys in this case don’t seem to have been especially sophisticated, or even particularly skilled — a far cry from the kind of threat actors we’re used to hearing about in connection with Iran: military cyberwarfare groups and APTs. They left behind clear traces of their geographic location as well as the tools that they used, and they don’t appear to have attempted to exfiltrate any valuable corporate data. Most tellingly of all, they used Dharma ransomware in their attack, a so-called “ransomware-as-a-service” (RaaS) tool sold to garden-variety cybercriminals looking to make a quick buck.

What is RaaS?

Ransomware-as-a-service attempts to cash in on the growing popularity of ransomware among cybercriminals. The basic idea is that skilled hackers will code up some easy-to-use ransomware, and then sell it to unskilled hackers who want to use it for cybercrime. One version of Dharma’s source code was spotted for sale on a Russian hacking forum for just $2000. Some RaaS providers will even offer a commission pricing model, where they “earn” a percentage of every successful ransomware attack.

Dharma ransomware has been observed in the wild since 2016, and according to the FBI, it has already been used to extort tens of millions of dollars from businesses worldwide.

What is off-the-shelf malware?

RaaS is part of a wider cybersecurity problem: the growing trend of off-the-shelf malware. These “user-friendly” malware offerings have significantly leveled the playing field for cybercriminals, and in the process have made the world a considerably more dangerous place.

Gone are the days when bad guys needed serious hacking skills to carry out a cyberattack. With the advent of off-the-shelf malware, amateur hackers — even those with fairly limited technical ability — are able to inflict real damage on businesses and governments. Off-the-shelf malware can be used by low-skill threat actors who would never be able to code such malicious software on their own: a sort of democratization of cybercrime.

This has greatly lowered the barrier to entry for aspiring hackers, and has contributed to the sharp rise in ransomware and other types of malware attacks over the past several years. While the most sophisticated malware tools are still in the hands of skilled threat actors, nation states, and APTs, this kind of ready-to-use malware is dangerous enough to cause disruption and financial loss to organizations around the world.

How you can stay safe

Dharma ransomware is readily available and requires little real technical ability to use. But while that may sound disturbing, it may also, paradoxically, turn out to be a source of comfort.

The silver lining to this story is that ransomware can only be deployed once a network has been breached — and rookie hackers aren’t very good at breaching networks. This means that it should be reasonably straightforward to protect your home or small business network from off-the-shelf tools like Dharma ransomware, because the bad guys who use them typically lack the requisite skills to circumvent good security protocols.

In the case of the June ransomware attacks, security analysts at Group-IB note that the Iranian hackers targeted networks with exposed Remote Desktop Protocol (RDP) ports, which were discovered using automated network scanning tools. They then compromised insecure networks by using a free password-cracking tool to guess valid network credentials by trial and error. 

The analysts therefore recommend that companies using RDP change the default RDP port (3389) to some other port, as many network scanning tools are configured to scan only those ports that are commonly associated with the service being targeted, and will overlook networks on which the service in question has been configured to run on a non-standard port. 

In addition, they say that companies should enable lockout policies that limit individual users to a set number of failed login attempts, in order to prevent automated password-cracking tools from carrying out the sort of brute-force attack used by these hackers. 

Of course, it goes without saying that all employees should be educated on the importance of creating strong passwords, as weak or default passwords are obviously much easier to guess — both for humans and computers — than long, strong passwords.

In addition, it appears that the hackers in the June attacks attempted to use an exploit for an older Windows vulnerability (patched by Microsoft in 2017) in order to gain elevated privileges once they had accessed the system as a standard user. The fact that they were trying to exploit a three-year-old vulnerability suggests that they were hoping (and perhaps expecting) to find businesses that still hadn’t implemented the patch, and thus underscores the fundamental importance of regular and timely software and OS updates! 

Businesses should have a system of managed updates in place as a matter of course, and if they allow team members to work from home on their personal computers, they should take steps to educate employees on the hows and whys of regular updates. Home users, as a rule, should always enable automatic updates on all devices.

Finally, companies would be well advised to take other basic security precautions as well, such as using two-factor authentication whenever possible; using password managers to handle the task of creating and storing strong, unique passwords; and requiring the use of VPNs and malware detection tools for all remote workers. Home users can also benefit from these foundational security practices. In addition, enterprise organizations should attempt to offer all employees access to basic security training that covers topics like phishing, business email compromise (BEC), and safe downloads.