Guide to Remove Dharma Cmb Ransomware
Once again the infamous Dharma ransomware hits the headlines with a new variant. This new .cmb extension variant of Dharma ransomware is poised to begin a large-scale infection campaign.
This detrimental ransomware family was first discovered by Michael Gillespie when he noticed samples uploaded to ID Ransomware.
ID Ransomware is a website that enables victims to identify the ransomware that has encrypted their files. Identification relies on specialized techniques, including assessment of:
- The ransom note that victims upload to the website.
- Modified file name patterns of the encrypted files.
This cmb variant of Dharma ransomware encrypts files on the system and appends the .cmb extension to each encrypted file's name. The full extension takes the form .id-[id].[email].cmb.
For instance, a file called Happy.jpg would, after encryption, be renamed Happy.jpg.id-BCBEF350.[[email protected]].cmb.
Once the system is infected, the user is informed about the encryption via two ransom notes:
- Info.hta: This ransom note pops up as soon as the user logs in to the system.
- FILES ENCRYPTED.txt: This ransom note is placed on the desktop.
Both notes inform users that their files have been encrypted and contain the email contact details. Users are instructed to email [email protected] to receive a payment guide and obtain the decryption key.
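The renaming pattern and the two ransom note names described above are the artifacts an analyst can triage on a suspect host. The following is an added example (not code from the original article) that parses a directory listing for the .id-[id].[email].cmb pattern and the note file names; the sample listing is constructed, the e-mail address in it is a placeholder, and the id is assumed to be a run of hex digits, as in the article's example.

```python
import re
from typing import List, Optional

# Renaming format described above: <original>.id-<id>.[<email>].cmb
# Assumption: the id is a run of hex digits (the article's example has eight).
CMB_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<id>[0-9A-Fa-f]+)\.\[(?P<email>[^\]]+)\]\.cmb$"
)

# Ransom note file names given in the text above.
RANSOM_NOTES = {"Info.hta", "FILES ENCRYPTED.txt"}

# Constructed directory listing; the e-mail address is a placeholder,
# not the contact address from the real ransom note.
SAMPLE = [
    "Happy.jpg.id-BCBEF350.[attacker@example.invalid].cmb",
    "report.docx.id-BCBEF350.[attacker@example.invalid].cmb",
    "FILES ENCRYPTED.txt",
    "Info.hta",
    "notes.txt",
    "archive.tar.cmb",  # no id/email section, so not the Dharma pattern
]


def parse_cmb_name(name: str) -> Optional[dict]:
    """Return original name, victim id and contact e-mail, or None if not a .cmb name."""
    m = CMB_NAME.match(name)
    return m.groupdict() if m else None


def triage(names: List[str]) -> dict:
    """Summarise a listing: encrypted files, victim ids, contacts and ransom notes."""
    encrypted, ids, emails, notes = [], set(), set(), set()
    for name in names:
        info = parse_cmb_name(name)
        if info:
            encrypted.append(info["original"])
            ids.add(info["id"].upper())
            emails.add(info["email"])
        elif name in RANSOM_NOTES:
            notes.add(name)
    return {
        "encrypted": encrypted,
        "ids": sorted(ids),
        "emails": sorted(emails),
        "notes": sorted(notes),
        # Renamed files together with a ransom note is a strong indicator
        "dharma_cmb_indicators": bool(encrypted) and bool(notes),
    }
```

Running `triage(SAMPLE)` reports two encrypted files, one victim id, one contact address and both ransom notes; the `.cmb` file without the id/email section is ignored.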
Victims are advised not to fall into the trap, as once payment is made they are ignored. Instead, take preventive measures to keep Dharma Cmb Ransomware out of the system.
How is Dharma Cmb Ransomware distributed?
The Dharma ransomware family, including its cmb variant, is distributed via Remote Desktop Protocol (RDP) services.
Remote Desktop Protocol is a communication protocol developed by Microsoft that allows two computers to be connected over a network connection. On Windows operating systems the RDP server listens on TCP (Transmission Control Protocol) port 3389 and UDP (User Datagram Protocol) port 3389.
To infect systems with the Dharma ransomware family, cyber criminals scan the Internet for systems running RDP, usually via TCP port 3389.
Once a system is identified, threat actors gain unauthorized access to it and install the ransomware. Other systems on the network are also targeted.
Once it has infiltrated a system, the ransomware configures system settings to achieve persistence. This allows it to encrypt files created since its last execution.
There is no known way to restore the encrypted files. However, some alternative measures can protect the system against Dharma Cmb Ransomware.
How to protect the system against Dharma Cmb Ransomware?
- To avoid unforeseen circumstances, users are recommended to maintain regular backups of their data on external hard drives, USB sticks and cloud services.
- As Dharma Cmb Ransomware spreads via Remote Desktop services, remote desktop access should only be allowed through a VPN (Virtual Private Network), so that only those who hold VPN accounts can access desktops remotely. This ensures that computers offering remote desktop are not directly reachable from the Internet, and applications running across the VPN benefit from the security and management of the private network.
- Accounts should be protected with strong passwords that are difficult to crack.
- Security software that implements behavioral detection to combat ransomware should be installed on systems.
- Users are advised not to open email attachments without checking the email's details, especially when an email comes from a suspicious source.
- Old programs may contain security loopholes that are exploited by attackers. Make sure that all software installed on the system is up to date, especially Adobe, Flash and Java applications.
Threat Summary
Name: Dharma Cmb Ransomware
Targeted Operating System: Windows
Category: Ransomware
Symptoms: User's files are encrypted. All locked files are appended with the ".cmb" extension after encryption and hence cannot be accessed by the user.