This ransomware sneakily infects victims by disguising itself with antivirus software

[silversurfer]

A successful family of ransomware which has been terrorising organisations around the world has been updated with a new trick to lure victims into installing file-locking malware: posing as anti-virus software.
 
The group behind Dharma regularly look to update their campaigns in order to ensure the attacks remain effective and they have the best chance of extorting ransom payments in exchange of decrypting locked networks and files of Windows systems.
 
Now the cyber attacks have evolved again and cyber security researchers at Trend Micro have detailed a new means of the Dharma being deployed: by bundling it inside a fake anti-virus software installation.
 
Like many ransomware campaigns, Dharma attacks start off with phishing emails. The messages claim to be from Microsoft and that the victim's Windows PC is 'at risk' and 'corrupted' following 'unusual behaviour', urging the user to 'update and verify' their anti-virus by accessing a download link.

If the user follows through, the ransomware retrieves two downloads: the Dharma ransomware payload and an old version of anti-virus software from cyber security company ESET.

When the self-extracting archive runs, Dharma begins encrypting files in the back round while the user is asked to follow installation instructions for ESET AV remover – the interface is displayed on their desktop and requires user interaction during the installation process, acting as a distraction from the malicious activity.

Once the installation is complete, the victim will find themselves confronted with a ransom note, demanding a cryptocurrency payment in exchange for unlocking the files.

SOURCE: https://www.zdnet.com/article/this-ranso...-software/