Once again, the infamous Dharma ransomware appears all set to begin a massive infection campaign. It comes back as a new Dharma ransomware variant that encrypts data files with a different file extension. The malware, after entering the system, now encrypts all files with a .cmb extension.
New Dharma Ransomware Variant Flaunts .cmb Encryption
Researcher Michael Gillespie first discovered the new Dharma ransomware variant after stumbling upon some samples uploaded on ID Ransomware.
— Michael Gillespie (@demonslay335) August 9, 2018
Reportedly, the Dharma ransomware is back in the form of a new variant that encrypts all data files with .cmb extension. The attacker accesses a computer via a spam email, or over RDP via TCP port 3389. After that, it installs the malware into the target system, which then begins encrypting all the files with .cmb extension.
According to Bleeping Computer, the malware typically follows the format “.id-[id].[email].cmb” to add as the extension following the actual file name. Whereas, the [email] indicates the attacker’s email address on which the victim should approach the attacker.
Explaining the severity of this malware, Bleeping Computer stated,
“This ransomware will encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares. So it is important to make sure your network’s shares are locked down so that only those who actually need access have permission.”
After encrypting the files, the ransomware then displays ransom notes at two different locations. One of them is an Info.hta file that pops up after the user login. Whereas the next ransom note is kept as a .txt file on the desktop.
Besides encryption, the malware also configures itself to start automatically to ensure newly created files are also encrypted with every new session.
Ransomware Variants Keep Appearing
Earlier, we have seen several malware bots and ransomware reappearing with more robust and upgraded features. As these malware keep evolving, the only possible way to protect oneself from such attacks is to ensure all software is kept up to date, appropriate antivirus/antimalware protections are in place, secure practices are utilised and the number one, ensure important data is BACKED UP.
UPDATE from a source who has been affected
LHN have been contacted since the writing of this article from a school that has been affected by a similar issue, they went on to say:
They got into my school camera network (NVR) (we suspect through an RDP port) three days ago and encrypted all of its files with a .combo extension. Looking at Avast.com, we thought it was the Globe variety of Ransomware because of the similarity of the ‘error’ message, but (I think it was our IT security contractor, but it could have been the internet) that told us it was a dharma variant of the CrySiS variety. All files were renamed/encrypted with the same naming scheme you wrote in the article. We’re planning on wiping the computers and resetting them.