Threat Database Ransomware Cmb Dharma Ransomware

Cmb Dharma Ransomware

By GoldSparrow in Ransomware

Cmb Dharma Ransomware is a malware threat that encrypts files on infected computers and demands a ransom in the form of Bitcoins in exchange for a decryption key. It is the latest addition to the infamous Dharma Ransomware family that has been detected for the first time back in 2016 and has occurred in many different versions since that time. Researchers identified the Cmb Dharma Ransomware variant in August this year, yet by now there is no free decryption tool for this particular cryptovirus. In any case, however, victims of this ransomware are advised never to pay the required ransom as the cybercriminals behind this malware typically do not send a decryption key as promised, but simply ignore the user even after receiving the requested amount of money.

Cmb Dharma Ransomware Typically Spreads Through RDPs

Latest research shows that cybercriminals usually spread Cmb Dharma Ransomware through poorly protected Remote Desktop Protocols (RDPs), whereby the typical targets are computers belonging to large corporate networks and web servers. Remote Desktop Protocols are protocols developed by Microsoft and used for the communication between two computers over a network. For that purpose, one of the computers must use RDP client software, whereas the other employs RDP server software. RDP servers are built within the Windows operating system and, by default, they listen on Transmission Control Protocol (TCP) port 3389 and User Datagram Protocol (UDP) port 3389. Therefore, Cmb Dharma Ransomware is typically introduced into the target system through these particular ports. Hackers scan the Internet to find computers running RDPs, and whenever they find a suitable target, they acquire unauthorized access to the system and install manually the ransomware on it through the vulnerable ports. Then, the malware executes the next time the user logs in to Windows. Other systems and devices connected to the same network are at risk as well.

Some ransomware variants from the Dharma family have also been distributed through spam email campaigns with the malware being embedded into attached files. The malicious ransomware scripts can also hide in various freeware, torrent files, fake software updates, or corrupted web pages, so users who wish to protect their PC should develop safe browsing habits and avoid downloading suspicious files and programs.

Cmb Dharma Follows the Well-Known Routine of the Dharma Ransomware Family

The ransomware engine employed by Cmb Dharma contains several modules, and the different components can be individually configured to perform specific actions in each attack. The common behavioral pattern observed in previous variants of the Dharma ransomware family shows that a typical attack would begin with the launch of a data harvesting module that will search for specific strings and then group these into two main categories: data strings that concern the identity of the user (like name, address, phone number, location, any stored login credentials, and so on); and anonymous data strings which helps the malware to optimize the attack (like a list of installed software and hardware components). The collected information serves then another component known as stealth protection - that module scans the infected system for the presence of any applications that could prevent the proper execution of the Dharma virus. Due to this last module, this ransomware family can escape detection by anti-malware applications, as well as avoid virtual machine hosts and sandbox environments.

The next step in the operational routine of a Dharma ransomware threat is to undertake changes in the Windows registry in order to secure its persistence and to be able to encrypt new files created after the last execution of the malware. The ransomware's actions in that regard include modifying the boot options so that the malicious engine is started each time the infected computer boots, while the access to the boot recovery menu is disabled as well. This advanced malware threat can also be programmed to erase all Backup Data and Shadow Volume Copies through the "vssadmin delete shadows /all /quiet" command,  which makes the recovery of the encrypted files very complicated. Finally, Cmb Dharma malware can be configured to install additional threats on infected hosts, like dangerous real-time spying tools and other types of Trojans. All these modifications which Cmb Dharma makes in the system settings interfere with the proper functioning of legitimate existing programs or cause overall sluggish performance of the entire operating system.

Files Are Locked with a Strong Encryption Algorithm

After all other components have finished their execution, Cmb Dharma starts the encryption process by first of all deciding which files to encrypt, whereby it scans all potential targets against a built-in list of file types suitable for encryption. It is interesting that this type of ransomware specifically targets user-generated files to attack, including databases, archives, and all kinds of other documents in the most common file formats. The ransomware will also encrypt shared virtual machine host files, mapped network drives, and unmapped network shares, so users should ensure that their network shares are locked down, and only the ones that actually need access have permission. Affected files can be easily recognized as the malware appends the ".cmb" extension to each encrypted file, along with an "id" string that is individually assigned to each victim and a contact email address. The extension of a file locked up by Cmb Dharma Ransomware can look like this: ".id-[Victim's ID] [].cmb". Once the files are locked, the user has absolutely no chance to recover them without the decryption key, which, however, the cyber crooks typically keep only for themselves even if the victim sends them the required amount of ransom. Usually, a professional removal tool is necessary to clean a computer infected with Cmb Dharma as all its malicious files, registry entries, and processes need to be identified and deleted, while the locked up data can only be recovered from file backups stored on separate offline devices.

The ransomware creates two different ransom notes. The first one is an Info.hta file which opens as a pop-up window with each boot, the second one is a text file named "FILES ENCRYPTED.txt" which can be found on the desktop and which is also placed in every existing folder. Both ransom notes contain the message "All your files have been encrypted," along with instructions on how to contact the owners of the ransomware and which email address should be used to send the Bitcoins for the payment of the ransom. The ransom note also contains information on how to buy Bitcoins. Furthermore, the hackers offer the victim to send them a file for free decryption, yet that file should not contain valuable information, i.e., it should not be a backup or a database file, or any other file larger than 1Mb.

It is still not clear whether Cmb Dharma Ransomware uses symmetric or asymmetric encryption, yet the researchers have found out that the malware generates a unique decryption key for each victim, meaning that the malware threat most likely implements a strong RSA or AES encryption algorithm. The attackers store all decryption keys on a remote server so that no one else can have access to them. The amount of the ransom in Bitcoins and depends on how quickly the victim decides to contact the hackers, increasing progressively with any delays. The cost may fluctuate between the equivalents of $500 and $1500 in Bitcoins, however, users should know that even if they decide to pay the ransom, chances are very high that the hackers ignore the payment and never send the promised decryption key.

The Infamous Dharma Strikes Again!

The Cmb Dharma Ransomware uses the AES encryption to make the victim's files inaccessible. The Cmb Dharma Ransomware will then add the file extension '.cmb,' as well as the string '.id' and a contact email address to each affected files' names. The Cmb Dharma Ransomware targets a variety of user-generated files in its attack, which may include numerous documents, databases, configuration files, archives, and many other file types. The following are examples of the files that threats like the Cmb Dharma Ransomware will target in these attacks:

.ebd, .jbc, .pst, .ost, .tib, .tbk, .bak, .bac, .abk, .as4, .asd, .ashbak, .backup, .bck, .bdb, .bk1, .bkc, .bkf, .bkp, .boe, .bpa, .bpd, .bup, .cmb, .fbf, .fbw, .fh, .ful, .gho, .ipd, .nb7, .nba, .nbd, .nbf, .nbi, .nbu, .nco, .oeb, .old, .qic, .sn1, .sn2, .sna, .spi, .stg, .uci, .win, .xbk, .iso, .htm, .html, .mht, .p7, .p7c, .pem, .sgn, .sec, .cer, .csr, .djvu, .der, .stl, .crt, .p7b, .pfx, .fb, .fb2, .tif, .tiff, .pdf, .doc, .docx, .docm, .rtf, .xls, .xlsx, .xlsm, .ppt, .pptx, .ppsx, .txt, .cdr, .jpe, .jpg, .jpeg, .png, .bmp, .jiff, .jpf, .ply, .pov, .raw, .cf, .cfn, .tbn, .xcf, .xof, .key, .eml, .tbb, .dwf, .egg, .fc2, .fcz, .fg, .fp3, .pab, .oab, .psd, .psb, .pcx, .dwg, .dws, .dxe, .zip, .zipx, .7z, .rar, .rev, .afp, .bfa, .bpk, .bsk, .enc, .rzk, .rzx, .sef, .shy, .snk, .accdb, .ldf, .accdc, .adp, .dbc, .dbx, .dbf, .dbt, .dxl, .edb, .eql, .mdb, .mxl, .mdf, .sql, .sqlite, .sqlite3, .sqlitedb, .kdb, .kdbx, .1cd, .dt, .erf, .lgp, .md, .epf, .efb, .eis, .efn, .emd, .emr, .end, .eog, .erb, .ebn, .ebb, .prefab, .jif, .wor, .csv, .msg, .msf, .kwm, .pwm, .ai, .eps, .abd, .repx, .oxps, .dot.

Unfortunately, once the victim's files are encrypted, they will not be recoverable without the decryption key, which the criminals hold in their possession. The Cmb Dharma Ransomware runs on the victim's computer as 'java.exe,' although variants in the Cmb Dharma Ransomware's family have been observed running under other legitimate sounding names. The Cmb Dharma Ransomware delivers a ransom note in the form of a text file that is dropped on the infected computer's desktop. This text file is named 'FILES ENCRYPTED.txt' and instructs the victim to contact the criminals via email to pay a ransom using Bitcoin.

Dealing with the Cmb Dharma Ransomware and Threats Like It

Unfortunately, when threats like the Cmb Dharma Ransomware attack a machine, its files can almost never be recovered without the decryption key, which the criminals hold in their possession. However, due to the intended high-profile targets of the Cmb Dharma Ransomware and similar threats, most victims of the Cmb Dharma Ransomware can recover from file backups and system images, which are common practice among server administrators. Individual computer users are less likely to have good backup procedures, however. It is important to ensure that you have backups of all your files and that these backups are stored on offline devices. This is because the best way to ensure that your data is fully protected from threats like the Cmb Dharma Ransomware is to have file backups of your data, which you can use to restore any files encrypted by the Cmb Dharma Ransomware in its attack.


Since Cmb Dharma ransomware is installed mainly through hacked Remote Desktop Services, it is very important to make sure that no computers running RDPs are connected directly to the Internet. Instead, they should be placed behind VPNs so that only users who have VPN accounts on the network can access them. Given the other common distribution methods of ransomware threats, it is obvious that users can also prevent the infection with Cmb Dharma ransomware by being cautious while serving on the Internet, downloading files or programs from third-party sources, or opening suspicious email attachments. It is recommended to download apps and their corresponding updates only from official sources. Installing a reliable anti-malware tool is another safe method of protection against ransomware while maintaining regular backups of all valuable data on an independent storage device or remote server makes the user less susceptible to blackmailing attempts from cybercriminals.


Most Viewed