CMD Ransomware Description
In these times, it is easier than ever to create data-locking Trojans. Even cyber crooks with little experience can build one if they borrow the code of an existing ransomware threat and only slightly tweak it. This is exactly what the creators of the newly uncovered CMD Ransomware have done.
Propagation and Encryption
Upon inspecting the CMD Ransomware, malware researchers concluded that this file-encrypting Trojan is a variant of the widespread Dharma Ransomware. The propagation techniques used to spread the CMD Ransomware are not yet known. Some security experts believe that emails carrying macro-laced attachments, fake software updates, and bogus pirated copies of popular applications may be among the infection vectors responsible for the propagation of the CMD Ransomware. When the CMD Ransomware compromises a PC, it performs a brief scan that locates the files of interest to the threat. Cybercriminals who create ransomware usually make sure to target all the popular file types so that the damage is maximized. After the scan completes, the CMD Ransomware proceeds to the next step of the attack: the encryption process. Once the CMD Ransomware encrypts a file, it appends a new extension to the affected file's name: '.id-
The Ransom Note
In the next stage of the attack, the CMD Ransomware will drop its ransom note. The name of the note is likely 'info.hta' and/or 'RETURN FILES.txt' and reads:
’All FILES ENCRYPTED “RSA1024”
All YOUR FILES HAVE BEEN ENCRYPTED!!! IF YOU WANT TO RESTORE THEM, WRITE US TO THE E-MAIL email@example.com
IN THE LETTER WRITE YOUR ID, YOUR ID
IF YOU ARE NOT ANSWERED, WRITE TO EMAIL: firstname.lastname@example.org
YOUR SECRET KEY WILL BE STORED ON A SERVER 7 DAYS, AFTER 7 DAYS IT MAY BE OVERWRITTEN BY OTHER KEYS, DON’T PULL TIME, WAITING YOUR EMAIL
FREE DECRYPTION FOR PROOF
You can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
When you make sure of decryption possibility transfer the money to our bitcoin wallet. As soon as we receive the money we will send you:
1. Decryption program.
2. Detailed instruction for decryption.
3. And individual keys for decrypting your files.
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.’
In the message, the attackers do not specify the ransom fee. Instead, they demand that the user contact them via email to receive further instructions on how to pay the sum demanded. The email address provided is 'email@example.com.' The attackers are willing to unlock one file free of charge, provided that its size does not exceed 1MB. They also warn the user that if they do not get in touch within a week, their decryption key will likely be deleted permanently.
The CMD Ransomware was observed infecting machines through exposed Remote Desktop Protocol (RDP) services. The attackers scanned for systems running RDP on TCP port 3389 and used brute-force techniques to guess the passwords of the targeted systems. Updated variants of this ransomware append the ".[firstname.lastname@example.org].cmd" extension to encrypted files.
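Two detection checks a defender can run against the indicators described above (the Dharma-style '.id-...[email].cmd' filename and repeated failed RDP logons on TCP 3389). This is an added example, not code from the original write-up; the 8-hex-digit victim id in the filename layout and the log line format are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Dharma-family name layout: <original>.id-<victim id>.[<contact email>].cmd
# The 8-hex-digit victim id is an assumption about the Dharma family; the
# ".[email].cmd" tail is the one reported for CMD Ransomware.
ENCRYPTED_NAME = re.compile(
    r"^(?P<orig>.+)\.id-(?P<vid>[0-9A-Fa-f]{8})\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\.cmd$"
)

def parse_encrypted_name(name):
    """Return (original_name, victim_id, email) for a CMD-style filename, else None."""
    m = ENCRYPTED_NAME.match(name)
    return (m.group("orig"), m.group("vid"), m.group("email")) if m else None

# Constructed Windows Security log lines, not real telemetry. Field order:
# "<ISO timestamp> <EventID> <LogonType> <source IP>"; 4625 = failed logon,
# logon type 10 = RemoteInteractive, i.e. an RDP session on TCP 3389.
SAMPLE_LOG = """\
2019-08-01T10:00:01 4625 10 203.0.113.7
2019-08-01T10:00:03 4625 10 203.0.113.7
2019-08-01T10:00:04 4625 10 203.0.113.7
2019-08-01T10:00:06 4625 10 203.0.113.7
2019-08-01T10:00:09 4625 10 203.0.113.7
2019-08-01T10:00:10 4625 2 192.0.2.15
2019-08-01T10:03:00 4625 10 198.51.100.20
2019-08-01T10:30:00 4625 10 198.51.100.20
"""

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=2)):
    """Return source IPs with at least `threshold` failed RDP logons within `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        ts, event_id, logon_type, src = line.split()
        if event_id == "4625" and logon_type == "10":  # failed RDP logon only
            failures[src].append(datetime.fromisoformat(ts))
    flagged = []
    for src, times in failures.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(src)
                break
    return sorted(flagged)
```

The single type-2 (local) failure and the two widely spaced failures from 198.51.100.20 stay below the threshold; only the burst from 203.0.113.7 is flagged.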
The CMD Ransomware uses the RSA-1024 encryption algorithm to block access to the affected files. Victims who contact the attackers are offered the chance to decrypt one single file no larger than 1MB. This free decryption serves as a lure and a supposed sign of goodwill. Users are advised to avoid any interaction with the attackers.
Keep your distance from cyber crooks like the ones responsible for the CMD Ransomware. They will likely take your money gladly and leave you hanging, as there is no guarantee they will ever provide the promised decryption key. A safer option is to obtain a reputable anti-virus application and use it to remove the CMD Ransomware safely from your PC.