[BreachExchange] New Variant of Dharma Ransomware Discovered

Destry Winant destry at riskbasedsecurity.com
Mon Aug 13 08:16:30 EDT 2018


https://latesthackingnews.com/2018/08/13/new-variant-of-dharma-ransomware-discovered/

Once again, the infamous Dharma ransomware appears all set to begin a
massive infection campaign. It comes back as a new Dharma ransomware
variant that marks encrypted data files with a different file
extension: once on a system, the malware now appends a .cmb extension
to every file it encrypts.

New Dharma Ransomware Variant Flaunts .cmb Encryption

Researcher Michael Gillespie first discovered the new Dharma
ransomware variant after stumbling upon some samples uploaded on ID
Ransomware.

Reportedly, the Dharma ransomware is back in the form of a new variant
that appends the .cmb extension to every data file it encrypts. The
attacker gains access to a computer either through a spam email or over
RDP on TCP port 3389, then installs the malware on the target system,
which begins encrypting files and renaming them with the .cmb extension.

According to Bleeping Computer, the extension appended after the
original file name typically follows the format “.id-[id].[email].cmb”,
where [email] is the attacker’s email address, the contact the victim is
told to use to reach the attacker.
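A small defender-side detector for the naming scheme just described, written for this post as an added example (it is not code from the article or from Bleeping Computer); it assumes the attacker email may appear with or without square brackets around it, and the file names, id and contact address below are constructed placeholders:

```python
import re
from collections import Counter
from typing import Optional

# Filename pattern from the article: <original>.id-<id>.<email>.cmb
# Assumption: the email may or may not be wrapped in square brackets.
DHARMA_CMB_RE = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<vid>[^.\[\]]+)\.\[?"
    r"(?P<email>[^\[\]\s]+@[^\[\]\s]+?)\]?\.cmb$",
    re.IGNORECASE,
)

# Ransom note the article says is dropped and shown after login.
RANSOM_NOTE_NAMES = {"info.hta"}


def parse_cmb_name(name: str) -> Optional[dict]:
    """Return {orig, vid, email} if `name` matches the .cmb scheme, else None."""
    m = DHARMA_CMB_RE.match(name)
    return m.groupdict() if m else None


def scan_listing(names):
    """Split a file listing into encrypted files and dropped ransom notes."""
    encrypted, notes = [], []
    for n in names:
        hit = parse_cmb_name(n)
        if hit:
            encrypted.append(hit)
        elif n.lower() in RANSOM_NOTE_NAMES:
            notes.append(n)
    return encrypted, notes


def summarize(encrypted):
    """Count encrypted files per (victim id, attacker contact) pair."""
    return Counter((h["vid"], h["email"]) for h in encrypted)


# Constructed sample listing; id and contact address are placeholders.
SAMPLE_LISTING = [
    "report.xlsx.id-1A2B3C4D.[restore@example.invalid].cmb",
    "photo.jpg.id-1A2B3C4D.restore@example.invalid.cmb",
    "Info.hta",
    "notes.txt",     # untouched file, must not be flagged
    "archive.cmb",   # .cmb without the id/email part, must not be flagged
]

if __name__ == "__main__":
    enc, notes = scan_listing(SAMPLE_LISTING)
    for h in enc:
        print(f"encrypted: {h['orig']} (id={h['vid']}, contact={h['email']})")
    print("ransom notes:", notes, "per attacker:", dict(summarize(enc)))
```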

Explaining the severity of this malware, Bleeping Computer stated,
“This ransomware will encrypt mapped network drives, shared virtual
machine host drives, and unmapped network shares. So it is important
to make sure your network’s shares are locked down so that only those
who actually need access have permission.”

After encrypting the files, the ransomware displays ransom notes in two
different locations. One is an Info.hta file that pops up after the
user logs in; the other is a .txt file placed on the desktop.

Besides encrypting files, the malware also configures itself to run
automatically at startup, so that files created since the last run are
encrypted as well in every new session.

Ransomware Variants Keep Appearing

We have previously seen several malware bots and ransomware families
reappear with more robust, upgraded features. As these families keep
evolving, the only way to protect oneself from such attacks is to keep
all software up to date, have appropriate antivirus/antimalware
protections in place, follow secure practices and, above all, ensure
important data is BACKED UP.
