
Cmb Dharma Ransomware

Posted: August 13, 2018

CMB is a variant of the well-known Dharma Ransomware family which appends a lengthy extension ending in '.cmb' to each encrypted file. The CMB Dharma Ransomware first came to light on Aug. 9, 2018, after a few samples of the cryptovirus showed up on ID Ransomware. A fully-working decryptor for CMB Dharma is not available to the general public at the moment.

Extortion is One Threat Actor's Idea of the 'Right Way of Living'

The Dharma Ransomware family has undergone various updates, both technical and superficial, over the past months, but isn't struggling to procure new victims. A new campaign from this group of file-locker Trojans is underway through the Cmb Dharma Ransomware, which uses a modernized tagging system to ease its ransoming process. Although malware experts haven't verified its distribution methods or operational regions, network admins using poor login choices are this Trojan's likeliest targets.

The first Dharma Ransomware, one of many RaaS or Ransomware-as-a-Service Trojans, brands itself with a term from Indian spiritual beliefs referring to a virtuous or harmonious way of living. The Cmb Dharma Ransomware variant of 2018 doesn't conceal being a member of this family and automatically loads a Web pop-up showing nearly identical ransoming instructions for Bitcoins, with the only change being the address it promotes for the threat actor's 'technical support.' However, it does employ a modern format for the filenames of any files that it locks: one that includes the e-mail address, an ID for the user, and a 'cmb' extension, in addition to the original filename.

Following the ransom instructions should be left as a last resort in circumstances where there are no backups and all free decryption equivalents, such as the RakhniDecryptor application, are found inadequate. Malware experts caution that non-secure network shares are equally vulnerable to the Cmb Dharma Ransomware's file-locking attack, so they recommend password-protected cloud backups, along with portable devices, for preserving any backup data.

Infection

Similar to all previous generations of the Dharma Ransomware family, CMB requires manual installation on targeted PCs. To do this, the crooks behind CMB must gain access to those PCs in the first place, usually by taking advantage of Remote Desktop Protocol (RDP) services. That involves seeking out computers that are running Microsoft's proprietary RDP. Since the vast majority of Remote Desktop connections are carried out over TCP port 3389, the crooks can easily find targets by utilizing a basic open-source scanner such as nmap to search for PCs with an open TCP 3389 port. Following the detection of potential targets, the cybercriminals must next obtain the login credentials of the users running the targeted machines. They initiate a brute-force attack, typically with the help of specialized software. Once in, there are no more obstacles left to the manual installation of CMB.

Encryption

When launched, CMB Dharma performs a thorough PC scan to determine the file types subject to encryption. This scan stretches across entire computer networks, hitting both local and shared storage drives regardless of whether or not they are mapped. The extension appended to each targeted file following encryption is quite a complex one and adheres to the following pattern:

[filename].id-[id].[email].cmb

At first sight, it may look rather confusing. On closer examination, however, we can see that:

  • [filename] is the original file name including its original extension (e.g., Report.doc, Draft.txt, Photo 1.jpg, etc.)
  • [id] is the identification number assigned to the infected machine
  • [email] is the email address for contacting the crooks

.cmb is, in fact, the very last part of the appended extension which has given this Dharma variant its distinguishable name.
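As an added example (not part of the original write-up), the following Python snippet turns the naming pattern above into a detection check a responder can run over a directory listing: it recognises Cmb Dharma-renamed files, recovers the original file name, and tallies the victim ID and contact e-mail. The sample file names are constructed; the ID and e-mail are the ones shown in the ransom note. It assumes the e-mail may appear either with or without literal square brackets, since the placeholder notation above does not settle that.

```python
import re
from collections import Counter

# Constructed sample listing (not from a real infection), following the
# [filename].id-[id].[email].cmb pattern; ID and e-mail taken from the note.
SAMPLE_NAMES = [
    "Report.doc.id-1E857D00.[paymentbtc@firemail.cc].cmb",
    "Photo 1.jpg.id-1E857D00.paymentbtc@firemail.cc.cmb",  # no brackets
    "Draft.txt",                                           # untouched file
    "info.hta",                                            # ransom note
    "archive.tar.id-1E857D00.[paymentbtc@firemail.cc].cmb",
    "notes.cmb",                                           # '.cmb' alone is not enough
]

# Assumption: the e-mail part may or may not be wrapped in square brackets,
# so both forms are accepted. A bare '.cmb' suffix without the '.id-' tag
# does not count, which avoids false positives on unrelated files.
CMB_RE = re.compile(
    r"^(?P<original>.+)"
    r"\.id-(?P<id>[0-9A-Za-z]+)"
    r"\.\[?(?P<email>[^\[\]\s@]+@[^\[\]\s]+?)\]?"
    r"\.cmb$"
)


def parse_cmb_name(name):
    """Return {'original', 'id', 'email'} if `name` follows the Cmb Dharma
    naming pattern, otherwise None."""
    m = CMB_RE.match(name)
    return m.groupdict() if m else None


def triage(names):
    """Summarise a listing: how many names look encrypted, which victim IDs
    and contact e-mails appear, and the original names that can be recovered
    (recovering the name says nothing about recovering the contents)."""
    hits = [p for p in (parse_cmb_name(n) for n in names) if p]
    return {
        "encrypted_count": len(hits),
        "ids": Counter(p["id"] for p in hits),
        "emails": Counter(p["email"] for p in hits),
        "originals": [p["original"] for p in hits],
    }
```

Running `triage(SAMPLE_NAMES)` on the constructed listing flags three files and recovers Report.doc, Photo 1.jpg and archive.tar as their original names.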

The encryption process ends with the generation of not one but two ransom notes dubbed "info.hta" and 'FILES ENCRYPTED.txt,' respectively. The former provides a fairly comprehensive account of the situation while the latter merely tells infected users that they have fallen victim to a ransomware attack.

How a Poorly-Chosen Password Turns into a Cmb Dharma Ransomware Infection

As of early August, malware researchers have verified the Cmb Dharma Ransomware's live distribution as a fully-functional threat that's out of its testing stages. Although torrents, exploit kits and spam e-mails are traditional infection vectors for file-locker Trojans, this threat's family is notable for preferring RDP and brute-force attacks. These strategies use brute-force software to guess the username and password combinations of a remote network, letting the criminal gain full access and install additional software at their discretion. Accordingly, all network admins should maintain a strict awareness of appropriate login security practices and stay away from easy-to-guess logins like 'admin1' or 'password123.'

The existence of decryption freeware for the Cmb Dharma Ransomware's family doesn't necessarily mean that a flawless unlocking of your files is possible for modern members, including relatives like the '.combo File Extension' Ransomware, the '.bip File Extension' Ransomware or the 'wisperado@india.com' Ransomware. Any valuable work should always have backups on other devices that file-locking Trojans can't reach after infecting a vulnerable PC. While having anti-malware solutions for removing the Cmb Dharma Ransomware is preferable for your PC's safety, security software can't block attacks by remote attackers who have 'legitimate' admin control.

Info.hta text:

All your files have been encrypted!
All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paymentbtc@firemail.cc
Write this ID in the title of your message 1E857D00
In case of no answer in 24 hours write us to theese e-mails:paymentbtc@firemail.cc
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

FILES ENCRYPTED.txt text:

all your data has been locked us
you want to return?
write email paymentbtc@firemail.cc

Based on the details mentioned above, it is clear that:

  • the ransom amount must be paid in Bitcoin
  • the required compensation is unknown
  • victims will probably have to pay a higher ransom amount unless they contact the crooks within 24 hours

Post-Encryption Activity

You may conclude that the worst is behind you after CMB Dharma has finished encrypting your data. You'd be wrong to do so, because CMB will load during startup from now on and will keep encrypting whatever new files you create on the infected drive or network. That is why you must neutralize CMB Dharma first, even if that means letting all your encrypted data go. Once you have started anew, make sure to:

  • regularly back up your data on external storage devices
  • always keep up with software updates
  • refrain from opening email attachments before letting your AV scanner check them

Finally, do NOT connect any RDP-enabled computers directly to the Web; use a VPN instead.

Ransoms for the contents of a business's servers can run from hundreds to thousands of dollars in cryptocurrency. The Cmb Dharma Ransomware may not damage the operating system, but the harm done to one's personal or work data could be costly by anyone's standards.
