A new variant of the Dharma Ransomware was released this week that appends the .brrr extension to encrypted files. This variant was first discovered by Jakub Kroustek who tweeted a link to the sample on VirusTotal.
Below we have outlined how this ransomware infects a computer, what happens when your files become encrypted, and how to protect yourself.
Unfortunately, there is no way to decrypt files infected with the Dharma Brrr Ransomware variant for free.
Distributed through hacked Remote Desktop Services
The Dharma Ransomware family, including this Brrr variant, is manually installed by attackers who hack into Remote Desktop Services connected directly to the Internet. These attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.
There are also underground sites that sell known credentials for publicly accessible computers running Remote Desktop Services, which attackers can simply buy instead of brute forcing.
Once they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do that as well.
How the Brrr Dharma Ransomware Encrypts a computer
When the Brrr ransomware variant is installed on a computer, it will scan it for files and then encrypt them. When encrypting a file it will append an extension in the format .id-[id].[email].brrr. For example, a file called test.jpg would be encrypted and renamed to test.jpg.id-BCBEF350.[firstname.lastname@example.org].brrr.
It should be noted that this ransomware will encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares. Thus it is important to make sure your network’s shares are locked down so that only those who actually need access have permission.
You can see an example of a folder encrypted by the Brrr Ransomware variant below.
When encrypting files, the ransomware will create two different ransom notes on the infected computer. One is the Info.hta file, which is launched by an autorun entry when a user logs into the computer. The HTML version of the ransom note can be seen below.
The other note is called FILES ENCRYPTED.txt and can be found on the desktop.
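As an added example that is not part of the original article, the following Python helper recognises the .id-[id].[email].brrr naming scheme and the two ransom note file names described above, so a responder can take a listing of a share and see which files were renamed, which id/contact pair they carry, and whether the notes were dropped. The directory listing and the contact addresses in it are constructed placeholders, and the assumption that the id is a run of hex digits is based only on the example in the article.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Naming scheme described in the article: <original>.id-<id>.[<email>].brrr
# The id is assumed to be hex digits (the article's example is BCBEF350).
BRRR_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[0-9A-Fa-f]+)\.\[(?P<email>[^\]]+)\]\.brrr$"
)

# Ransom note file names named in the article.
RANSOM_NOTES = {"Info.hta", "FILES ENCRYPTED.txt"}


class BrrrName(NamedTuple):
    original: str   # file name before the ransomware renamed it
    victim_id: str  # id embedded in the extension
    email: str      # contact address embedded in the extension


def parse_brrr_name(filename: str) -> Optional[BrrrName]:
    """Return the parts of a .brrr-renamed file name, or None if it does not match."""
    m = BRRR_RE.match(filename)
    if not m:
        return None
    return BrrrName(m["original"], m["victim_id"], m["email"])


def triage_listing(
    filenames: List[str],
) -> Tuple[Dict[Tuple[str, str], List[str]], List[str], List[str]]:
    """Split a directory listing into encrypted files (grouped by id/email),
    ransom notes, and files the ransomware did not rename."""
    encrypted: Dict[Tuple[str, str], List[str]] = {}
    notes: List[str] = []
    untouched: List[str] = []
    for name in filenames:
        parsed = parse_brrr_name(name)
        if parsed:
            encrypted.setdefault((parsed.victim_id, parsed.email), []).append(parsed.original)
        elif name in RANSOM_NOTES:
            notes.append(name)
        else:
            untouched.append(name)
    return encrypted, notes, untouched


# Constructed sample listing of a share after an infection; addresses are placeholders.
SAMPLE_LISTING = [
    "test.jpg.id-BCBEF350.[contact@example.invalid].brrr",
    "Q3 report.docx.id-BCBEF350.[contact@example.invalid].brrr",
    "archive.tar.gz.id-BCBEF350.[contact@example.invalid].brrr",
    "FILES ENCRYPTED.txt",
    "Info.hta",
    "notes.txt",
    "backup.id-12345678.[other@example.invalid].brrr",  # a second id/contact pair
]
```

A second id/email pair in one listing is worth noting during response, since it suggests more than one infected host wrote to the same share.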