Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to malware
MalwareRansomware

Dharma

Dharma is a ransomware family, including ransomware-as-a-service activity, that has been repeatedly cited alongside other major extortion operations. The provided content describes Dharma as one of the ransomware families historically appearing in top ransomware prevalence rankings and as a variant associated with re-extortion, where victims may be pressured for additional payments after an initial ransom event. Multiple sources in the content characterize Dharma as similar to Phobos, Makop, and Waiting, and note that these variants have been open to a broad range of threat actors. The content also characterizes Dharma as a low-level RaaS strain used in "spray and pray" attacks against smaller targets, and separately notes that Phobos and Dharma attacks were down about 37% year-to-date in 2023 versus the same period in 2022, with some affiliates reportedly shifting to 8base.

Based on the supporting material, Dharma campaigns have used legitimate, digitally signed administrative or troubleshooting tools to impair defenses prior to ransomware deployment. Seqrite-linked reporting in the content states that Dharma intrusions often begin with phishing emails or compromised credentials. Observed tooling in Dharma-associated campaigns includes IOBit Unlocker and Process Hacker to disable antivirus or other security software, PowerRun to obtain SYSTEM-level control, YDArk for kernel-level or elevated control, Mimikatz for credential theft, and Unlock_IT to erase logs and hinder forensic investigation. The content also explicitly states that IOBit Unlocker has been used in Dharma campaigns and that abuse of legitimate low-level tools has become a defining feature of campaigns involving Dharma and other ransomware families.

The content further links Dharma to broader law-enforcement activity. Ukraine's Cyber Police reportedly detained suspects in November 2022 involved in LockerGoga, MegaCortex, Hive, and Dharma ransomware attacks, and later investigations and arrests in Ukraine were again described as involving the Dharma ransomware family. Financially, the content includes reporting that a wallet received proceeds from Dharma, Conti, and BlackCat, indicating affiliate or operator overlap in the wider ransomware ecosystem. Payment-related reporting in the content describes Dharma as generally associated with smaller payments than major big-game-hunting strains, including one dataset listing Dharma average and median payments at very low levels and another noting Dharma among strains affecting very small businesses.

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Impact

1 technique
T1486Data Encrypted for ImpactEvidence2

Fifth, operators of ransomware variants based on leaked source codes of notable ransomware brands widely adopted another pressure method: double ransom payments unless a victim pays a ransom within 24, 48, or 72 hours after a ransomware attack.

Other

2 techniques
T1562Impair DefensesEvidence4

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.

T1562.001Disable or Modify ToolsEvidence3

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities... killing security software processes or services, modifying / deleting Registry keys or configuration files... Adversaries may also disable updates...

ACTIVITY FEED

Recent activity

19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

19 SOURCESView more in app
scworldNews
Apr 2, 2026
Ransomware attackers increasingly exploit legitimate IT tools, bypassing antivirus | brief | SC Media

Ransomware observed in campaigns that weaponize legitimate signed utilities to disable security tools and support ransomware execution.

Read more
hackreadNews
Apr 1, 2026
Ransomware Groups Exploit Legit IT Tools to Bypass Antivirus

Ransomware family mentioned as leveraging IOBit Unlocker in campaigns to aid attack execution.

Read more
cyber security newsNews
Mar 31, 2026
Hackers Weaponize Legitimate Windows Tools to Disable Antivirus Before Ransomware Attacks - Cyber Security News

Ransomware family listed among campaigns that neutralize defenses with legitimate tools before deploying encryption payloads.

Read more
recorded future blogNews
Oct 23, 2025
Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals

Ransomware family cited as a source of leaked code/builders used to spawn new variants.

Read more
+15 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping3

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.