https://twitter.com/demonslay335/status/1027649502491160577
- demonslay335
Reportedly, the Dharma ransomware is back in the form of a new variant that appends the .cmb extension to every data file it encrypts. The attacker gains access to a computer through a spam email or over RDP on TCP port 3389, then installs the malware on the target system, which begins encrypting files and marking each one with the .cmb extension.
According to Bleeping Computer, the malware typically appends an extension of the form “.id-[id].[email].cmb” after the original file name, where [email] is the attacker’s email address that the victim is expected to contact.
Explaining the severity of this malware, Bleeping Computer stated:
“This ransomware will encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares. So it is important to make sure your network's shares are locked down so that only those who actually need access have permission.”
After encrypting the files, the ransomware displays ransom notes at two different locations. One is an Info.hta file that pops up after the user logs in; the other is kept as a .txt file on the desktop.
Besides encryption, the malware also configures itself to start automatically, so that files created later are encrypted again in every new session.
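The naming scheme above (“.id-[id].[email].cmb”) and the Info.hta note are the two indicators a responder can check for in a file listing without touching the malware itself. The script below is an added example written for this page, not code from Bleeping Computer or from the tweet: it parses a file name into the original name, the victim id and the contact address, then triages a constructed directory listing. It assumes the id is a single dot-free token and accepts the email both with and without the literal square brackets, since the article's notation leaves that open; the sample paths and addresses are invented for the demonstration.

```python
import ntpath
import re
from typing import Optional

# Naming pattern described in the article: <original>.id-<id>.<email>.cmb
# Assumptions (not stated on the page): the id contains no dots or whitespace,
# and the email may or may not be wrapped in literal square brackets.
CMB_PATTERN = re.compile(
    r"^(?P<original>.+?)"
    r"\.id-(?P<id>[^.\[\]\s]+)"
    r"\.\[?(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]?"
    r"\.cmb$",
    re.IGNORECASE,
)

# Constructed listing for the demonstration; paths and addresses are invented.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.id-A1B2C3D4.[payme@example.invalid].cmb",
    r"C:\Users\alice\Documents\report.docx.id-A1B2C3D4.[payme@example.invalid].cmb",
    r"\\fileserver\share\photos\holiday.jpg.id-A1B2C3D4.payme@example.invalid.cmb",
    r"C:\Users\alice\Desktop\notes.txt",
    r"C:\Users\alice\Info.hta",
    r"C:\Users\alice\Documents\archive.id-old.backup.cmb",  # no email: not a hit
]


def parse_cmb_name(name: str) -> Optional[dict]:
    """Return original name, id and email for a Dharma-style .cmb file name, else None."""
    m = CMB_PATTERN.match(name)
    if not m:
        return None
    return {
        "original": m.group("original"),
        "id": m.group("id"),
        "email": m.group("email").lower(),
    }


def triage(listing: list) -> dict:
    """Scan a list of paths for encrypted files and for the Info.hta ransom note."""
    hits = []
    for path in listing:
        parsed = parse_cmb_name(ntpath.basename(path))
        if parsed:
            parsed["path"] = path
            hits.append(parsed)
    return {
        "encrypted": hits,
        # Distinct ids and contact addresses help tell one campaign from another.
        "ids": sorted({h["id"] for h in hits}),
        "emails": sorted({h["email"] for h in hits}),
        "ransom_note_hta": any(
            ntpath.basename(p).lower() == "info.hta" for p in listing
        ),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print(f"{len(result['encrypted'])} encrypted file(s)")
    print("victim id(s):", result["ids"])
    print("contact address(es):", result["emails"])
    print("Info.hta present:", result["ransom_note_hta"])
    for hit in result["encrypted"]:
        print("  ", hit["original"], "<-", hit["path"])
```

Run over a real listing (for example the output of a recursive directory walk of a suspect share), the id and email fields give a quick way to group affected hosts by campaign, and the original-name field tells you what to look for in backups. The regex deliberately requires an `@` in the email segment, so files that merely end in `.cmb` without the full pattern are not reported.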