Blog
/
/
May 5, 2020

The Ongoing Threat of Dharma Ransomware Attacks

Stay informed about the dangers of Dharma ransomware and its methods of attack, ensuring your defenses are strong against potential intrusions.
Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO
Default blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog imageDefault blog image
05
May 2020

Executive summary

  • In the past few weeks, Darktrace has observed an increase in attacks against internet-facing systems, such as RDP. The initial intrusions usually take place via existing vulnerabilities or stolen, legitimate credentials. The Dharma ransomware attack described in this blog post is one such example.
  • Old threats can be damaging – Dharma and its variants have been around for four years. This is a classic example of ‘legacy’ ransomware morphing and adapting to bypass traditional defenses.
  • The intrusion shows signs that indicate the threat-actors are aware of – and are actively exploiting – the COVID-19 situation.
  • In the current threat landscape surrounding COVID-19, Darktrace recommends monitoring internet-facing systems and critical servers closely – keeping track of administrative credentials and carefully considering security when rapidly deploying internet-facing infrastructure.

Introduction

In mid-April, Darktrace detected a targeted Dharma ransomware attack on a UK company. The initial point of intrusion was via RDP – this represents a very common attack method of infection that Darktrace has observed in the broader threat landscape over the past few weeks.

This blog post highlights every stage of the attack lifecycle and details the attacker’s techniques, tools and procedures (TTP) – all detected by Darktrace.

Dharma – a varient of the CrySIS malware family – first appeared in 2016 and uses multiple intrusion vectors. It distributes its malware as an attachment in a spam email, by disguising it as an installation file for legitimate software, or by exploiting an open RDP connection through internet-facing servers. When Dharma has finished encrypting files, it drops a ransom note with the contact email address in the encrypted SMB files.

Darktrace had strong, real-time detections of the attack – however the absence of eyes on the user interface prior to the encryption activity, and without Autonomous Response deployed in Active Mode, these alerts were only actioned after the ransomware was unleashed. Fortunately, it was unable to spread within the organization, thanks to human intervention at the peak of the attack. However, Darktrace Antigena in active mode would have significantly slowed down the attack.

Timeline

The timeline below provides a rough overview of the major attack phases over five days of activity.

Figure 1: A timeline of the attack

Technical analysis

Darktrace detected that the main device hit by the attack was an internet-facing RDP server (‘RDP server’). Dharma used network-level encryption here: the ransomware activity takes place over the network protocol SMB.

Below is a chronological overview of all Darktrace detections that fired during this attack: Darktrace detected and reported every single unusual or suspicious event occurring on the RDP server.

Figure 2: An overview of Darktrace detections

Initial compromise

On April 7, the RDP server began receiving a large number of incoming connections from rare IP addresses on the internet.

On April 7, the RDP server began receiving a large number of incoming connections from rare IP addresses on the internet. This means a lot of IP addresses on the internet that usually don’t connect to this company started connection attempts over RDP. The top five cookies used to authenticate show that the source IPs were located in Russia, the Netherlands, Korea, the United States, and Germany.

It is highly likely that the RDP credential used in this attack had been compromised prior to the attack – either via common brute-force methods, credential stuffing attacks, or phishing. Indeed, a TTP growing in popularity is to buy RDP credentials on marketplaces and skip to initial access.

Attempted privilege escalation

The following day, the malicious actor abused the SMB version 1 protocol, notorious for always-on null sessions which offer unauthenticated users’ information about the machine – such as password policies, usernames, group names, machine names, user and host SIDs. What followed was very unusual: the server connected externally to a rare IP address located in Morocco.

Next, the attacker attempted a failed SMB session to the external IP over an unusual port. Darktrace detected this activity as highly anomalous, as it had previously learned that SMB is usually not used in this fashion within this organization – and certainly not for external communication over this port.

Figure 3: Darktrace detecting the rare external IP address

Figure 4: The SMB session failure and the rare connection over port 1047

Command and control traffic

As the entire attack occurred over five days, this aligns with a smash-and-grab approach, rather than a highly covert, low-and-slow operation.

Two hours later, the server initiated a large number of anomalous and rare connections to external destinations located in India, China, and Italy – amongst other destinations the server had never communicated with before. The attacker was now attempting to establish persistence and create stronger channels for command and control (C2). As the entire attack occurred over five days, this aligns with a smash-and-grab approach, rather than a highly covert, low-and-slow operation.

Actions on target

Notwithstanding this approach, the malicious actor remained dormant for two days, biding their time until April 10 — a public holiday in the UK — when security teams would be notably less responsive. This pause in activity provides supporting evidence that the attack was human-driven.

Figure 5: The unusual RDP connections detected by Darktrace

The RDP server then began receiving incoming remote desktop connections from 100% rare IP addresses located in the Netherlands, Latvia, and Poland.

Internal reconnaissance

The IP address 85.93.20[.]6, hosted at the time of investigation in Panama, made two connections to the server, using an administrative credential. On April 12, as other inbound RDP connections scanned the network, the volume of data transferred by the RDP server to this IP address spiked. The RDP server never scans the internal network. Darktrace identified this as highly unusual activity.

Figure 6: Darktrace detects the anomalous external data transfer

Lateral movement and payload execution

Finally, on April 12, the attackers executed the Dharma payload at 13:45. The RDP server wrote a number of files over the SMB protocol, appended with a file extension containing a throwaway email account possibly evoking the current COVID-19 pandemic, ‘cov2020@aol[.]com’. The use of string ‘…@aol.com].ROGER’ and presence of a file named ‘FILES ENCRYPTED.txt’ resembles previous Dharma compromises.

Parallel to the encryption activity, the ransomware tried to spread and infect other machines by initiating successful SMB authentications using the same administrator credential seen during the internal reconnaissance. However, the destination devices did not encrypt any files themselves.

It was during the encryption activity that the internal IT staff pulled the plug from the compromised RDP server, thus ending the ransomware activity.

Conclusion

This incident supports the idea that ‘legacy’ ransomware may morph to resurrect itself to exploit vulnerabilities in remote working infrastructure during this pandemic.

Dharma executed here a fast-acting, planned, targeted, ransomware attack. The attackers used off-the-shelf tools (RDP, abusing SMB1 protocol) blurring detection and attribution by blending in with typical administrator activity.

Darktrace detected every stage of the attack without having to depend on threat intelligence or rules and signatures, and the internal security team acted on the malicious activity to prevent further damage.

This incident supports the idea that ‘legacy’ ransomware may morph to resurrect itself to exploit vulnerabilities in remote working infrastructure during this pandemic. Poorly-secured public-facing systems have been rushed out and security is neglected as companies prioritize availability – sacrificing security in the process. Financially-motivated actors weaponize these weak points.

The use of the COVID-related email ‘cov2020@aol[.]com’ during the attack indicates that the threat-actor is aware of and abusing the current global pandemic.

Recent attacks, such as APT41’s exploitation of the Zoho Manage Engine vulnerability last March, show that attacks against internet-facing infrastructure are gaining popularity as the initial intrusion vector. Indeed, as many as 85% of ransomware attacks use RDP as an entry vector. Ensuring that backups are isolated, configurations are hardened, and systems are patched is not enough – real-time detection of every anomalous action can help protect potential victims of ransomware.

Technical Details

Some of the detections on the RDP server:

  • Compliance / Internet Facing RDP server – exposure of critical server to Internet
  • Anomalous Connection / Application Protocol on Uncommon Port – external connections using an unusual port to rare endpoints
  • Device / Large Number of Connections to New Endpoints – indicative of peer-to-peer or scanning activity
  • Compliance / Incoming Remote Desktop – device is remotely controlled from an external source, increased rick of bruteforce
  • Compromise / Ransomware / Suspicious SMB Activity – reading and writing similar volumes of data to remote file shares, indicative of files being overwritten and encrypted
  • Anomalous File / Internal / Additional Extension Appended to SMB File – device is renaming network share files with an added extension, seen during ransomware activity

The graph below shows the timeline of Darktrace detections on the RDP server. The attack lifecycle is clearly observable.

Figure 7: The model breaches occurring over time

Inside the SOC
Darktrace cyber analysts are world-class experts in threat intelligence, threat hunting and incident response, and provide 24/7 SOC support to thousands of Darktrace customers around the globe. Inside the SOC is exclusively authored by these experts, providing analysis of cyber incidents and threat trends, based on real-world experience in the field.
Written by
Max Heinemeyer
Global Field CISO

More in this series

No items found.

Blog

/

Identity

/

July 3, 2025

Top Eight Threats to SaaS Security and How to Combat Them

Default blog imageDefault blog image

The latest on the identity security landscape

Following the mass adoption of remote and hybrid working patterns, more critical data than ever resides in cloud applications – from Salesforce and Google Workspace, to Box, Dropbox, and Microsoft 365.

On average, a single organization uses 130 different Software-as-a-Service (SaaS) applications, and 45% of organizations reported experiencing a cybersecurity incident through a SaaS application in the last year.

As SaaS applications look set to remain an integral part of the digital estate, organizations are being forced to rethink how they protect their users and data in this area.

What is SaaS security?

SaaS security is the protection of cloud applications. It includes securing the apps themselves as well as the user identities that engage with them.

Below are the top eight threats that target SaaS security and user identities.

1.  Account Takeover (ATO)

Attackers gain unauthorized access to a user’s SaaS or cloud account by stealing credentials through phishing, brute-force attacks, or credential stuffing. Once inside, they can exfiltrate data, send malicious emails, or escalate privileges to maintain persistent access.

2. Privilege escalation

Cybercriminals exploit misconfigurations, weak access controls, or vulnerabilities to increase their access privileges within a SaaS or cloud environment. Gaining admin or superuser rights allows attackers to disable security settings, create new accounts, or move laterally across the organization.

3. Lateral movement

Once inside a network or SaaS platform, attackers move between accounts, applications, and cloud workloads to expand their foot- hold. Compromised OAuth tokens, session hijacking, or exploited API connections can enable adversaries to escalate access and exfiltrate sensitive data.

4. Multi-Factor Authentication (MFA) bypass and session hijacking

Threat actors bypass MFA through SIM swapping, push bombing, or exploiting session cookies. By stealing an active authentication session, they can access SaaS environments without needing the original credentials or MFA approval.

5. OAuth token abuse

Attackers exploit OAuth authentication mechanisms by stealing or abusing tokens that grant persistent access to SaaS applications. This allows them to maintain access even if the original user resets their password, making detection and mitigation difficult.

6. Insider threats

Malicious or negligent insiders misuse their legitimate access to SaaS applications or cloud platforms to leak data, alter configurations, or assist external attackers. Over-provisioned accounts and poor access control policies make it easier for insiders to exploit SaaS environments.

7. Application Programming Interface (API)-based attacks

SaaS applications rely on APIs for integration and automation, but attackers exploit insecure endpoints, excessive permissions, and unmonitored API calls to gain unauthorized access. API abuse can lead to data exfiltration, privilege escalation, and service disruption.

8. Business Email Compromise (BEC) via SaaS

Adversaries compromise SaaS-based email platforms (e.g., Microsoft 365 and Google Workspace) to send phishing emails, conduct invoice fraud, or steal sensitive communications. BEC attacks often involve financial fraud or data theft by impersonating executives or suppliers.

BEC heavily uses social engineering techniques, tailoring messages for a specific audience and context. And with the growing use of generative AI by threat actors, BEC is becoming even harder to detect. By adding ingenuity and machine speed, generative AI tools give threat actors the ability to create more personalized, targeted, and convincing attacks at scale.

Protecting against these SaaS threats

Traditionally, security leaders relied on tools that were focused on the attack, reliant on threat intelligence, and confined to a single area of the digital estate.

However, these tools have limitations, and often prove inadequate for contemporary situations, environments, and threats. For example, they may lack advanced threat detection, have limited visibility and scope, and struggle to integrate with other tools and infrastructure, especially cloud platforms.

AI-powered SaaS security stays ahead of the threat landscape

New, more effective approaches involve AI-powered defense solutions that understand the digital business, reveal subtle deviations that indicate cyber-threats, and action autonomous, targeted responses.

[related-resource]

Continue reading
About the author
Carlos Gray
Senior Product Marketing Manager, Email

Blog

/

/

July 2, 2025

Pre-CVE Threat Detection: 10 Examples Identifying Malicious Activity Prior to Public Disclosure of a Vulnerability

Default blog imageDefault blog image

Vulnerabilities are weaknesses in a system that can be exploited by malicious actors to gain unauthorized access or to disrupt normal operations. Common Vulnerabilities and Exposures (or CVEs) are a list of publicly disclosed cybersecurity vulnerabilities that can be tracked and mitigated by the security community.

When a vulnerability is discovered, the standard practice is to report it to the vendor or the responsible organization, allowing them to develop and distribute a patch or fix before the details are made public. This is known as responsible disclosure.

With a record-breaking 40,000 CVEs reported for 2024 and a predicted higher number for 2025 by the Forum for Incident Response and Security Teams (FIRST) [1], anomaly-detection is essential for identifying these potential risks. The gap between exploitation of a zero-day and disclosure of the vulnerability can sometimes be considerable, and retroactively attempting to identify successful exploitation on your network can be challenging, particularly if taking a signature-based approach.

Detecting threats without relying on CVE disclosure

Abnormal behaviors in networks or systems, such as unusual login patterns or data transfers, can indicate attempted cyber-attacks, insider threats, or compromised systems. Since Darktrace does not rely on rules or signatures, it can detect malicious activity that is anomalous even without full context of the specific device or asset in question.

For example, during the Fortinet exploitation late last year, the Darktrace Threat Research team were investigating a different Fortinet vulnerability, namely CVE 2024-23113, for exploitation when Mandiant released a security advisory around CVE 2024-47575, which aligned closely with Darktrace’s findings.

Retrospective analysis like this is used by Darktrace’s threat researchers to better understand detections across the threat landscape and to add additional context.

Below are ten examples from the past year where Darktrace detected malicious activity days or even weeks before a vulnerability was publicly disclosed.

ten examples from the past year where Darktrace detected malicious activity days or even weeks before a vulnerability was publicly disclosed.

Trends in pre-cve exploitation

Often, the disclosure of an exploited vulnerability can be off the back of an incident response investigation related to a compromise by an advanced threat actor using a zero-day. Once the vulnerability is registered and publicly disclosed as having been exploited, it can kick off a race between the attacker and defender: attack vs patch.

Nation-state actors, highly skilled with significant resources, are known to use a range of capabilities to achieve their target, including zero-day use. Often, pre-CVE activity is “low and slow”, last for months with high operational security. After CVE disclosure, the barriers to entry lower, allowing less skilled and less resourced attackers, like some ransomware gangs, to exploit the vulnerability and cause harm. This is why two distinct types of activity are often seen: pre and post disclosure of an exploited vulnerability.

Darktrace saw this consistent story line play out during several of the Fortinet and PAN OS threat actor campaigns highlighted above last year, where nation-state actors were seen exploiting vulnerabilities first, followed by ransomware gangs impacting organizations [2].

The same applies with the recent SAP Netweaver exploitations being tied to a China based threat actor earlier this spring with subsequent ransomware incidents being observed [3].

Autonomous Response

Anomaly-based detection offers the benefit of identifying malicious activity even before a CVE is disclosed; however, security teams still need to quickly contain and isolate the activity.

For example, during the Ivanti chaining exploitation in the early part of 2025, a customer had Darktrace’s Autonomous Response capability enabled on their network. As a result, Darktrace was able to contain the compromise and shut down any ongoing suspicious connectivity by blocking internal connections and enforcing a “pattern of life” on the affected device.

This pre-CVE detection and response by Darktrace occurred 11 days before any public disclosure, demonstrating the value of an anomaly-based approach.

In some cases, customers have even reported that Darktrace stopped malicious exploitation of devices several days before a public disclosure of a vulnerability.

For example, During the ConnectWise exploitation, a customer informed the team that Darktrace had detected malicious software being installed via remote access. Upon further investigation, four servers were found to be impacted, while Autonomous Response had blocked outbound connections and enforced patterns of life on impacted devices.

Conclusion

By continuously analyzing behavioral patterns, systems can spot unusual activities and patterns from users, systems, and networks to detect anomalies that could signify a security breach.

Through ongoing monitoring and learning from these behaviors, anomaly-based security systems can detect threats that traditional signature-based solutions might miss, while also providing detailed insights into threat tactics, techniques, and procedures (TTPs). This type of behavioral intelligence supports pre-CVE detection, allows for a more adaptive security posture, and enables systems to evolve with the ever-changing threat landscape.

Credit to Nathaniel Jones (VP, Security & AI Strategy, Field CISO), Emma Fougler (Global Threat Research Operations Lead), Ryan Traill (Analyst Content Lead)

References and further reading:

  1. https://www.first.org/blog/20250607-Vulnerability-Forecast-for-2025
  2. https://cloud.google.com/blog/topics/threat-intelligence/fortimanager-zero-day-exploitation-cve-2024-47575
  3. https://thehackernews.com/2025/05/china-linked-hackers-exploit-sap-and.html

Related Darktrace blogs:

*Self-reported by customer, confirmed afterwards.

**Updated January 2024 blog now reflects current findings

Continue reading
About the author
Your data. Our AI.
Elevate your network security with Darktrace AI