Cmb RDP Ransomware

First observed in 2018, Cmb is a new variant of the Dharma ransomware family.

As with most Dharma variants, Cmb is delivered manually over Remote Desktop Protocol services (RDP). The attackers operating Cmb will scan for exposed RDP ports, typically TCP 3389, and attempt brute-force attacks to gain access to the affected device.

Once installed, Cmb will enumerate all local, network and virtual machine host drives before encrypting all non-system files on theses drives and appending them with a new extension.

When the Cmb ransomware variant is installed, it will scan a computer for files and encrypt them. When encrypting a file it will append an extension in the format of .id-[id].[email].cmb. For example, a file called test.jpg would be encrypted and renamed to[[email protected]].cmb.

This ransom note appears as soon as user logs in the system

At the time of publication there is no known way the encrypted files can be resorted.

Indicators of Compromise

SHA256 File Hashes

  • c2ab289cbd2573572c39cac3f234d77fdf769e48a1715a14feddaea8ae9d9702

Email Addresses

Appended Extensions

  • [filename].id-[id].[email].cmb


If Remote Desktop Protocol (RDP) is not used, then ensure port 3389 (TCP/UDP) is blocked at your internet firewall. If RDP is used, then:

  • Only allow access for authorised RDP users.
  • Enforce strong password policies.
  • Enforce multi-factor authentication.
  • Don’t allow RDP access for privileged user accounts.
  • Don’t use generic accounts.
  • Set user accounts with an expiry date.
  • Audit user accounts periodically.
  • Only allow point-to-point connections from specific IP addresses where feasible.
  • Ensure Transport Layer Security (TLS) is up-to-date.
  • Log and monitor all RDP activity and investigate unusual behaviour.
  • Consider only allowing RDP for authorised virtual private network (VPN) connections.

Additionally, if a device on your network becomes infected with ransomware it will begin encrypting local machine files and files on any network the logged-in user has permission to access. For system administration accounts this may include backup storage locations.

Duncan Newell

Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: