Cmb Dharma Ransomware
CMB is a variant of the well-known Dharma Ransomware family which appends a lengthy extension ending in ‘.cmb' to each encrypted file. The CMB Dharma Ransomware first came to light on Aug. 9, 2018, after a few samples of the cryptovirus showed up on ID Ransomware. A fully-working decryptor for CMB Dharma is not available to the general public at the moment.
Extortion is One Threat Actor's Idea of the 'Right Way of Living'
The Dharma Ransomware family is undergoing various updates, both technical and superficial, throughout the past months, but isn't struggling at procuring new victims. A new campaign from this group of file-locker Trojans is underway through the Cmb Dharma Ransomware, which uses a modernized tagging system for easing its ransoming process. Although malware experts haven't verified its distribution methods or operational regions, network admins using poor login choices are this Trojan's likeliest targets.
The first Dharma Ransomware, one of many RaaS or Ransomware-as-a-Service Trojans, brands itself with the name of a term referring to Indian spiritual beliefs in virtuous or harmonious lifestyle behavior. The Cmb Dharma Ransomware variant of 2018 doesn't conceal being a member of this family and loads a Web pop-up showing nearly identical ransoming instructions for Bitcoins automatically, with the only changes being in what address it promotes for the threat actor's technical support. However, it does employ a modern format for the filenames of any files that it locks: one that includes the e-mail address, an ID for the user, and a 'cmb' extension, in addition to any original text.
Following the ransom instructions should be left as a last resort in circumstances where there are no backups and all free decryption equivalents, such as the RakhniDecryptor application, are found inadequate. While malware experts caution that non-secure network shares are vulnerable to the Cmb Dharma Ransomware's file-locking attack equally, they still recommend password-protected cloud backups, along with portable devices, for any backup data preservation.
Infection
Similar to all previous generations of the Dharma Ransomware family, CMB requires manual installation on targeted PCs. To do this, the crooks behind CMB must gain access to those PCs in the first place, usually by taking advantage of Remote Desktop Protocol (RDP) services. That involves seeking out computers that are running Microsoft's proprietary RDP. Since the vast majority of Remote Desktop connections are carried out over TCP port 3389, the crooks can easily find targets by utilizing a basic open-source scanner such as nmap to search for PCs with an open TCP 3389 port. Following the detection of potential targets, the cybercriminals must next retrieve the login credentials of the users running the targeted machines. They initialize a brute-force attack, typically with the help of specialized software. Once in, there are no more obstacles left to the manual installation of CMB.
Encryption
When launched, CMB Dharma performs a thorough PC scan to determine the file types subject to encryption. This scan stretches across entire computer networks, hitting both local and shared storage drives regardless of whether or not they are mapped. The extension appended to each targeted file following encryption is quite a complex one and adheres to the following pattern:
[filename].id-[id].[email].cmb
At first sight, it may look rather confusing. On closer examination, however, we can see that:
- [filename] is the original file name including its original extension (e.g., Report.doc, Draft.txt., Photo 1.jpg, etc.)
- id is the identification number assigned to the infected machine
- [email] is the email address for contacting the crooks
.cmb is, in fact, the very last part of the appended extension which has given this Dharma variant its distinguishable name.
The encryption process ends with the generation of not one but two ransom notes dubbed "info.hta" and 'FILES ENCRYPTED.txt,' respectively. The former provides a fairly comprehensive account of the situation while the latter merely tells infected users that they have fallen victim to a ransomware attack.
How a Poorly-Chosen Password Turns into the Cmb Dharma Ransomware Infections
As of early August, malware researchers are verifying the Cmb Dharma Ransomware's live distribution as a fully-functional threat that's out of its testing stages. Although torrents, exploit kits and spam e-mails are traditional infection vectors for file-locker Trojans, this threat's family is notable for preferring RDP and brute-force attacks. These strategies use brute-force hacking software for correctly estimating the user and password combinations of a remote network, letting the criminal gain full access and install additional software at their discretion. Accordingly, all network admins should maintain a strict awareness of appropriate login security protocols and stay away from easy-to-guess logins like 'admin1' or 'password123.'
The existence of decryption freeware for the Cmb Dharma Ransomware's family doesn't imply that a flawless unlocking of your files is possible with modern members necessarily, including relatives like the '.combo File Extension' Ransomware, the '.bip File Extension' Ransomware or the 'wisperado@india.com' Ransomware. Any valuable work always should possess backups on other devices that file-locking Trojans can't attack after infecting a vulnerable PC. While having anti-malware solutions for removing the Cmb Dharma Ransomware is preferable for your PC's safety, security software can't block attacks by remote attackers who have 'legitimate' admin control.
Info.hta text:
All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc
Write this ID in the title of your message 1E857D00
In case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.
FILES ENCRYPTED.txt text:
all your data has been locked us
you want to return?
write email paymentbtc@firemail.cc
Based on the details mentioned above, it is clear that:
- the ransom amount must be paid in Bitcoin
- the required compensation is unknown
- victims will probably have to pay a higher ransom amount unless they contact the crooks within 24 hours
Post-Encryption Activity
You may conclude that the worst is behind you after CMB Dharma has finished encrypting your data. And you'd be wrong to do so because CMB will load during startup from now on and will keep on encrypting whatever new files you create on the infected drive or network. That is why, you must neutralize CMB Dharma first, even if that means letting all your encrypted data go. Once you have started anew, make sure to:
- regularly back up your data on external storage devices
- always keep up with software updates
- refrain from opening email attached files before letting your AV scanner check them
Finally, do NOT connect any RDP running computers directly to the Web and use a VPN instead.
Ransoms for the contents of a business's servers can run from hundreds to thousands of dollars in cryptocurrency. The Cmb Dharma Ransomware may not damage the operating system, but the harm done to one's personal or work data could be costly by anyone's standards.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.