GOLD ORION
SUMMARY
CTU researchers track the financially motivated developers of the Dharma ransomware (also known as Crysis) as the GOLD ORION threat group. Dharma has been in active use since at least 2016. In that time decryption keys have leaked several times, and in March 2019 the Dharma source code was offered for sale on an underground forum. CTU researchers assess with moderate confidence that Dharma was the basis for the Phobos ransomware.

Dharma variants are operated by numerous, typically less skilled cybercriminals, who deploy the ransomware to a single host or a small number of hosts after gaining access with brute-forced or stolen credentials for internet-accessible Remote Desktop Protocol (RDP) services that rely on single-factor authentication. Because these attacks are simple, they typically progress much faster than post-intrusion ransomware attacks (hours rather than days) but also cause less disruption. Dharma operators do not commonly exfiltrate data from compromised hosts or use 'name-and-shame' leak sites as additional leverage.

GOLD ORION describes the developers of Dharma, not the behaviors of any one specific operator of the ransomware.
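The access pattern described above (a burst of failed RDP logons from one source address followed by a success from the same address) is visible in Windows Security log events 4625 and 4624 with logon type 10. The following detection logic is an added example written for this page, not CTU tooling or anything attributed to GOLD ORION. The event records, source addresses, user names and thresholds are constructed for illustration; the field names assume a log forwarder that has already parsed the events into dictionaries.

```python
"""Detect RDP credential brute force of the kind Dharma operators rely on:
many failed logons (event 4625, logon type 10) from one source address
within a short window, optionally followed by a successful logon (event
4624, logon type 10) from the same address. Example code for this page;
the events below are constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. Logon type 10 is RemoteInteractive (RDP);
# type 3 is network (e.g. SMB) and type 2 is console, both ignored here.
SAMPLE_EVENTS = [
    {"time": "2020-04-01T02:10:05", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2020-04-01T02:10:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"},
    {"time": "2020-04-01T02:10:14", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2020-04-01T02:10:20", "event_id": 4625, "logon_type": 3,  "src_ip": "203.0.113.7", "user": "admin"},
    {"time": "2020-04-01T02:10:31", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-04-01T02:10:40", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-04-01T02:11:02", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-04-01T02:11:55", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"},
    {"time": "2020-04-01T02:12:10", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.9", "user": "guest"},
    {"time": "2020-04-01T02:12:30", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.9", "user": "guest"},
    {"time": "2020-04-01T02:13:00", "event_id": 4624, "logon_type": 2,  "src_ip": "10.0.0.5",     "user": "jsmith"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used by the constructed events."""
    return datetime.fromisoformat(value)


def detect_rdp_bruteforce(events, fail_threshold=5, window=timedelta(minutes=10)):
    """Return one alert per source IP that produced at least `fail_threshold`
    RDP (type 10) logon failures inside a sliding `window`. If a type 10
    success from the same IP lands within `window` of its last failure, the
    alert records the account that was compromised."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    failures = defaultdict(list)   # src_ip -> timestamps of recent 4625 type 10
    alerts = {}                    # src_ip -> alert dict

    for event in events:
        if event.get("logon_type") != 10:
            continue  # only RemoteInteractive logons matter for RDP brute force
        ip = event["src_ip"]
        when = parse_time(event["time"])

        if event["event_id"] == 4625:
            failures[ip].append(when)
            # Keep only failures inside the sliding window ending at this event.
            failures[ip] = [t for t in failures[ip] if when - t <= window]
            if len(failures[ip]) >= fail_threshold:
                alert = alerts.setdefault(ip, {
                    "src_ip": ip,
                    "first_failure": failures[ip][0].isoformat(),
                    "success_user": None,
                    "success_time": None,
                })
                alert["failures"] = len(failures[ip])

        elif event["event_id"] == 4624 and ip in alerts and failures[ip]:
            # A success shortly after the burst means the brute force worked.
            if when - failures[ip][-1] <= window:
                alerts[ip]["success_user"] = event["user"]
                alerts[ip]["success_time"] = when.isoformat()

    return sorted(alerts.values(), key=lambda a: a["src_ip"])


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Tune `fail_threshold` and `window` to the environment: a lockout policy that disconnects after a few failures keeps individual bursts small, so a lower threshold over a longer window catches slow sprays. A successful type 10 logon after a burst is the point at which the operator typically moves straight to dropping the ransomware, so that alert deserves a faster response than the failure burst alone.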