Cmb RDP Ransomware
First observed in 2018, Cmb is a new variant of the Dharma ransomware family.
As with most Dharma variants, Cmb is delivered manually over Remote Desktop Protocol services (RDP). The attackers operating Cmb will scan for exposed RDP ports, typically TCP 3389, and attempt brute-force attacks to gain access to the affected device.
Once installed, Cmb will enumerate all local, network and virtual machine host drives before encrypting all non-system files on theses drives and appending them with a new extension.
When the Cmb ransomware variant is installed, it will scan a computer for files and encrypt them. When encrypting a file it will append an extension in the format of .id-[id].[email].cmb. For example, a file called test.jpg would be encrypted and renamed to test.jpg.id-BCBEF350.[[email protected]].cmb.
At the time of publication there is no known way the encrypted files can be resorted.
Indicators of Compromise
SHA256 File Hashes
- c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702
Email Addresses
- paymentbtc@firemail[.]cc
Appended Extensions
- [filename].id-[id].[email].cmb
Remediation
If Remote Desktop Protocol (RDP) is not used, then ensure port 3389 (TCP/UDP) is blocked at your internet firewall. If RDP is used, then:
- Only allow access for authorised RDP users.
- Enforce strong password policies.
- Enforce multi-factor authentication.
- Don’t allow RDP access for privileged user accounts.
- Don’t use generic accounts.
- Set user accounts with an expiry date.
- Audit user accounts periodically.
- Only allow point-to-point connections from specific IP addresses where feasible.
- Ensure Transport Layer Security (TLS) is up-to-date.
- Log and monitor all RDP activity and investigate unusual behaviour.
- Consider only allowing RDP for authorised virtual private network (VPN) connections.
Additionally, if a device on your network becomes infected with ransomware it will begin encrypting local machine files and files on any network the logged-in user has permission to access. For system administration accounts this may include backup storage locations.
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.