Refining the infection method, or the code within the ransomware itself, is nothing new; it is a necessity if attackers want to keep infecting victims. Using a legitimate antivirus tool as cover to trick users into installing the ransomware, however, takes it to the next level.
Hackers Exploit ESET Removal Tool
According to security researchers, the creators of Dharma ransomware, the variant that has infected victims around the globe since 2016, have tied the installation of their ransomware to an antivirus removal tool. The infection begins with a malicious email claiming to be from Microsoft. The message states that the victim’s PC is at risk following some unusual behavior. Because of the potential “corruption”, the victim is urged to “update and verify” their antivirus; of course, to do so they must click on the (malicious) download link.
If the victim clicks on the link, two files begin to execute. One is the Dharma ransomware itself, which starts encrypting the files on the PC. The other is the ESET antivirus removal tool, which begins its own installation at the same time. Although outdated, the removal tool is a legitimate copy, and it requires the user to follow prompts to complete the installation. The goal is to keep the user focused on installing this tool and distracted from the malicious activity taking place elsewhere on the PC.
Once Dharma has encrypted the files, a ransom note appears demanding payment in exchange for the decryption key.
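The pattern described above, a single download that spawns a known signed installer as a decoy next to an unknown binary that then rewrites many files, is something endpoint telemetry can surface. The following is an added detection example, not code from the article or from any vendor; the event format, file names, pids and the rename threshold are all constructed assumptions.

```python
# Added example (not from the article): heuristic over constructed endpoint
# telemetry for the decoy-installer pattern. A parent process is flagged when it
# spawns at least one signed child (the decoy) and at least one unsigned child
# that renames many files (the encryptor). All names and values are constructed.
from collections import defaultdict

# Constructed sample telemetry; in practice this would come from an EDR/Sysmon feed.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "outlook.exe", "signed": True},
    {"type": "process", "pid": 200, "ppid": 100, "image": "Downloads\\av_update.exe", "signed": False},
    {"type": "process", "pid": 201, "ppid": 200, "image": "eset_remover.exe", "signed": True},
    {"type": "process", "pid": 202, "ppid": 200, "image": "Temp\\update.exe", "signed": False},
] + [{"type": "file_rename", "pid": 202, "path": f"Documents\\doc{i}.docx"} for i in range(120)]


def find_decoy_droppers(events, min_renames=50):
    """Return one record per parent pid that launched a signed decoy alongside an
    unsigned child responsible for at least `min_renames` file renames."""
    children = defaultdict(list)   # ppid -> list of child process events
    renames = defaultdict(int)     # pid  -> number of file renames it performed
    for ev in events:
        if ev["type"] == "process":
            children[ev["ppid"]].append(ev)
        elif ev["type"] == "file_rename":
            renames[ev["pid"]] += 1

    suspects = []
    for parent, kids in children.items():
        decoys = [k for k in kids if k["signed"]]
        encryptors = [k for k in kids if not k["signed"] and renames[k["pid"]] >= min_renames]
        if decoys and encryptors:
            suspects.append({
                "parent": parent,
                "decoy": decoys[0]["image"],
                "encryptor": encryptors[0]["image"],
                "renames": renames[encryptors[0]["pid"]],
            })
    return suspects


if __name__ == "__main__":
    for s in find_decoy_droppers(SAMPLE_EVENTS):
        print(f"pid {s['parent']}: decoy={s['decoy']} encryptor={s['encryptor']} renames={s['renames']}")
```

Only the download (pid 200) is flagged: the mail client spawning an unsigned executable alone does not trip the rule, because the rule keys on the combination of a signed decoy and an unsigned sibling doing bulk file changes.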
To avoid falling victim, users are encouraged to do the following:
- Exercise due diligence.
- Review the email — Do you know the sender? Were you expecting the email? Are there typos?
- Deploy a security solution that uses application whitelisting. This permits only known, trusted files to execute.
- Ensure all programs and operating systems are updated. This will ensure any known security gaps, which hackers may attempt to exploit, are patched.