SamSam Ransomware Copycat Strain “Dharma” Rears Ugly Head
A new variant of the Dharma ransomware family has recently been discovered. The new version, described by researchers Michael Gillespie and Jakub Kroustek, appends a .cmb extension to encrypted files, hence its name: Dharma Cmb. At present there is no decryptor available for Dharma Cmb. The Dharma family has generally been installed by hand by attackers who abuse exposed Remote Desktop Protocol (RDP) services: they scan the Internet for hosts listening for RDP and try to gain access by brute-forcing passwords.
Once they have a working login, the attackers encrypt the initial victim machine and pivot through the network to do the same to every other host they can reach. Dharma Cmb encrypts mapped network drives, shared virtual machine host drives, and unmapped network shares, so network shares need to be locked down, with access granted only to the users who actually need it. Once installed, Dharma Cmb configures itself to run each time Windows starts and encrypts any new files created since the infection.
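The share lockdown above is easy to state and hard to verify by hand across a fleet, so here is an added example (not code from the original article or from the researchers it cites) that audits the SMB shares on a Windows host for grants that give Change or Full access to broad principals such as Everyone or Authenticated Users. It uses the built-in SmbShare cmdlets; the list of "broad" account names is an assumption that matches the built-in group names on an English-language Windows install, and the remediation commands at the end are left commented out so nothing is changed without review.

```powershell
# Added example: find SMB shares that any authenticated (or anonymous) user can write to.
# Requires an elevated session and the SmbShare module (Windows 8 / Server 2012 or later).

# Assumption: built-in group names as shown on an English-language Windows install.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'Authenticated Users',
    'NT AUTHORITY\Authenticated Users',
    'ANONYMOUS LOGON',
    'NT AUTHORITY\ANONYMOUS LOGON'
)

function Get-BroadShareAccess {
    # Emit one record per share ACE that allows Change or Full to a broad principal.
    # Administrative shares (C$, ADMIN$, IPC$) are skipped: they are controlled by
    # local Administrators membership, not by a share ACL you can tighten here.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in @('Change', 'Full') -and
            ($BroadPrincipals -contains $_.AccountName)
        } | ForEach-Object {
            [pscustomobject]@{
                Share       = $share.Name
                Path        = $share.Path
                Principal   = $_.AccountName
                AccessRight = $_.AccessRight
            }
        }
    }
}

$findings = Get-BroadShareAccess
if ($findings) {
    $findings | Format-Table -AutoSize
    # Remediation pattern, run deliberately one share at a time. The group name is
    # a placeholder for whatever role group should own write access to that share.
    #   Revoke-SmbShareAccess -Name <share> -AccountName 'Everyone' -Force
    #   Grant-SmbShareAccess  -Name <share> -AccountName 'DOMAIN\Finance-RW' -AccessRight Change -Force
} else {
    'No non-administrative share grants Change or Full access to a broad principal.'
}
```

Share permissions are only half of the picture: NTFS permissions on the underlying folder still apply, so a share that passes this check can still be writable by everyone if the folder ACL is open. Run the same kind of review with Get-Acl on the share paths before calling a share locked down.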
Two ransom notes are dropped on an infected machine. One, INFO.HTA, is launched by an autorun entry each time a user logs on; the other, FILESENCRYPTED.txt, is placed on the desktop. Both contain instructions for payment.
Good computing habits and security software will protect users from Dharma and its variants. Make sure your network is locked down so that RDP is not reachable from the Internet, and have account lockout policies in place: they make remote brute-force attempts slow and noisy instead of free. Finally, remember to practice good online security habits. These are some of the points an organization should make to its users through policy and regular, interactive awareness training:
- Never open attachments to an email if you’re not confident you know the sender and expect the attachment. Confirm with the sender that they sent the file or link before you open or click.
- Use security software that will scan attachments.
- Keep Windows and other frequently-used software patched and up-to-date.
- Use strong passwords of 20-25 characters, and never reuse the same password on multiple sites.
- If you do use RDP, allow access only through a VPN.
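The RDP items in this checklist (no Internet-facing RDP, lockout policy, VPN-only access) can be checked from the host itself. The following is an added example, not code from the original article, that reports the relevant settings on one Windows machine and then looks in the Security event log for the pattern a brute-force attempt leaves behind: many failed logons (event 4625) from the same source address. The `net accounts` parsing assumes English-language output, the `10.8.0.0/24` range in the commented remediation stands in for your VPN subnet, and the failure threshold is an arbitrary starting point.

```powershell
# Added example: audit RDP exposure controls and look for brute-force activity on this host.
# Run in an elevated session. Firewall cmdlets need Windows 8 / Server 2012 or later.

function Get-RdpHardeningState {
    $ts  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $tcp = Join-Path $ts 'WinStations\RDP-Tcp'

    # fDenyTSConnections: 1 = RDP disabled, 0 = enabled.
    $rdpEnabled = (Get-ItemProperty -Path $ts -Name fDenyTSConnections).fDenyTSConnections -eq 0

    # UserAuthentication: 1 = Network Level Authentication required, so a caller must
    # present valid credentials before a session (and its attack surface) is created.
    $nla = (Get-ItemProperty -Path $tcp -Name UserAuthentication).UserAuthentication -eq 1

    # Lockout policy as reported by 'net accounts'. Assumption: English-language output.
    $acct = net accounts
    $thr  = $acct | Select-String 'Lockout threshold:\s+(\S+)'
    $dur  = $acct | Select-String 'Lockout duration \(minutes\):\s+(\S+)'
    $threshold = if ($thr) { $thr.Matches[0].Groups[1].Value } else { 'unknown' }
    $duration  = if ($dur) { $dur.Matches[0].Groups[1].Value } else { 'unknown' }

    # Which remote addresses do the enabled inbound Remote Desktop rules admit?
    # 'Any' means the rule itself does nothing to keep Internet scanners out.
    $scopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -Direction Inbound -ErrorAction SilentlyContinue |
        Get-NetFirewallAddressFilter |
        Select-Object -ExpandProperty RemoteAddress -Unique

    [pscustomobject]@{
        RdpEnabled             = $rdpEnabled
        NlaRequired            = $nla
        LockoutThreshold       = $threshold   # 'Never' means brute force is unthrottled
        LockoutDurationMinutes = $duration
        RdpAllowedFrom         = ($scopes -join ', ')
    }
}

function Get-RdpBruteForceSources {
    param([int]$Hours = 24, [int]$MinFailures = 20)   # threshold is an arbitrary starting point
    # Event 4625 = failed logon. LogonType 10 is RemoteInteractive (classic RDP);
    # with NLA enabled the pre-session failures are recorded with LogonType 3 instead,
    # so both are counted here.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $d
    } |
    Where-Object { $_.LogonType -in @('10', '3') -and $_.IpAddress -and $_.IpAddress -ne '-' } |
    Group-Object -Property { $_.IpAddress } |
    Where-Object { $_.Count -ge $MinFailures } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'SourceIp'; e = { $_.Name } }, Count
}

Get-RdpHardeningState | Format-List
Get-RdpBruteForceSources | Format-Table -AutoSize

# Remediation pattern (review before running):
#   Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
#   net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
#   Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress '10.8.0.0/24'   # assumed VPN subnet
```

A host that reports `RdpAllowedFrom = Any` with `LockoutThreshold = Never` is exactly the target described in the article: reachable by anyone who finds it and free to guess against without limit. Restricting the firewall scope to the VPN range and setting a lockout threshold closes both gaps; the failed-logon report then becomes the check that the restriction is actually holding.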