Dharma ransomware has been around for a long time and has had many variations. One of the newest variations, ".combo", began appearing in late July 2018, just a few months after a free decryptor had been released for older strains of the virus. Other recent variations have the file extension ".bip" and ".bmp". Despite minor differences, most variations of Dharma ransomware function the same.
When Dharma .combo ransomware infects your network, all of your encrypted files will have a new file extension appended to them to show that they have been encrypted. The file extension follows this format:
.id-<8 random hexadecimal characters>.[<attacker email>].combo
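When scoping an incident, responders usually want to know which files on a share were touched and whether more than one victim ID or attacker mailbox is involved. The following parser is an added example, not code from the original article: it matches the naming scheme above, extracts the original file name, the 8-character ID and the attacker e-mail, and tallies matches per (ID, e-mail) pair. The ".bip" and ".bmp" extensions are accepted on the assumption that those variants use the same scheme as ".combo"; the sample file names and e-mail addresses are constructed.

```python
import os
import re
from collections import Counter
from typing import Dict, Iterable, NamedTuple, Optional, Tuple

# Naming scheme described in the article:
#   <original name>.id-<8 hex chars>.[<attacker email>].<variant>
# The ".bip"/".bmp" variants are assumed to share it (assumption, not from the page).
KNOWN_VARIANTS = ("combo", "bip", "bmp")

DHARMA_NAME_RE = re.compile(
    r"^(?P<original>.+)"                 # original file name, may itself contain dots
    r"\.id-(?P<victim_id>[0-9A-Fa-f]{8})"  # exactly 8 hexadecimal characters
    r"\.\[(?P<email>[^\]]+)\]"           # attacker contact address in square brackets
    r"\.(?P<variant>" + "|".join(KNOWN_VARIANTS) + r")$"
)


class EncryptedFile(NamedTuple):
    original_name: str
    victim_id: str
    attacker_email: str
    variant: str


def parse_dharma_name(filename: str) -> Optional[EncryptedFile]:
    """Return the parsed components if `filename` follows the Dharma scheme, else None."""
    m = DHARMA_NAME_RE.match(filename)
    if not m:
        return None
    return EncryptedFile(m["original"], m["victim_id"], m["email"], m["variant"])


def scope_incident(filenames: Iterable[str]) -> Dict[Tuple[str, str], int]:
    """Count encrypted files per (victim ID, attacker e-mail) pair.

    More than one key here means more than one infection or affiliate touched the
    files, which matters when deciding what a single decryption key could recover.
    """
    counts: Counter = Counter()
    for name in filenames:
        parsed = parse_dharma_name(name)
        if parsed:
            counts[(parsed.victim_id, parsed.attacker_email)] += 1
    return dict(counts)


def scan_directory(root: str) -> Dict[Tuple[str, str], int]:
    """Walk a mounted share and apply scope_incident to every file name found."""
    names = (f for _, _, files in os.walk(root) for f in files)
    return scope_incident(names)


# Constructed sample listing (not real victim data); e-mail domains are reserved
# example domains.
SAMPLE_FILENAMES = [
    "Q3-report.docx.id-1A2B3C4D.[restore@example.test].combo",
    "budget.xlsx.id-1A2B3C4D.[restore@example.test].combo",
    "notes.txt.id-DEADBEEF.[other@example.test].bip",
    "photo.jpg",                                   # untouched file
    "fake.id-12345.[x@example.test].combo",        # ID too short: not a match
]

if __name__ == "__main__":
    for key, n in scope_incident(SAMPLE_FILENAMES).items():
        print(f"victim id {key[0]} / contact {key[1]}: {n} file(s)")
```

`scan_directory` is the entry point for a real share; it only reads directory listings, so it is safe to run on a mounted read-only copy while forensic imaging is still in progress.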
The most common way Dharma .combo ransomware spreads is by taking advantage of open or insufficiently secured RDP (Remote Desktop Protocol) ports. RDP allows a user to connect to another computer over a network connection, making it a very useful tool for businesses and other organizations. However, if IT security best practices are not followed and your organization's RDP ports are exposed to the wider Internet or are protected by weak passwords or no password at all, cybercriminals can slip in to plant ransomware, and do much, much more.
Cybercriminals will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute-force passwords until they get in, or purchase the credentials from sites on the dark web. They can also use social engineering and spearphishing to trick legitimate users into handing over their access credentials.
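The brute-force pattern described above leaves a clear trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, sometimes followed by a successful logon (event 4624) from the same address. The detection below is an added example, not code from the article: it reads JSON-line records in the shape of a Security log export, keeps a sliding window of failures per source IP, and raises one alert when the window crosses a threshold and another if a successful RDP logon then arrives from a flagged address. The field names mirror the Security log's EventData, and the records, addresses and user names are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed JSON-line export of Windows Security events (synthetic, not real
# telemetry). EventID 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). Addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
{"TimeCreated":"2018-08-01T02:00:00","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"administrator"}
{"TimeCreated":"2018-08-01T02:00:10","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"administrator"}
{"TimeCreated":"2018-08-01T02:00:20","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"admin"}
{"TimeCreated":"2018-08-01T02:00:30","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"administrator"}
{"TimeCreated":"2018-08-01T02:00:40","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"administrator"}
{"TimeCreated":"2018-08-01T02:00:50","EventID":4625,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"administrator"}
{"TimeCreated":"2018-08-01T02:01:05","EventID":4624,"LogonType":10,"IpAddress":"203.0.113.7","TargetUserName":"administrator"}
{"TimeCreated":"2018-08-01T02:03:00","EventID":4625,"LogonType":10,"IpAddress":"198.51.100.5","TargetUserName":"jsmith"}
{"TimeCreated":"2018-08-01T02:04:00","EventID":4624,"LogonType":2,"IpAddress":"-","TargetUserName":"jsmith"}
"""


def load_events(text: str) -> List[dict]:
    """Parse JSON lines into event dicts, ignoring blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_rdp_bruteforce(events: List[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=1)) -> List[Dict]:
    """Return alerts for RDP password guessing and for success following it.

    threshold/window are tuning knobs: `threshold` failed RDP logons from one
    address inside `window` flags that address; a later successful RDP logon
    from a flagged address is reported separately because it likely means the
    guessing worked and the account should be treated as compromised.
    """
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    flagged: Dict[str, datetime] = {}
    alerts: List[Dict] = []

    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        if ev.get("LogonType") != 10:        # only RDP logons are of interest here
            continue
        ip = ev["IpAddress"]
        ts = datetime.fromisoformat(ev["TimeCreated"])

        if ev["EventID"] == 4625:
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged[ip] = ts
                alerts.append({"type": "rdp_bruteforce", "ip": ip,
                               "failures": len(q), "at": ts.isoformat()})
        elif ev["EventID"] == 4624 and ip in flagged:
            alerts.append({"type": "rdp_success_after_bruteforce", "ip": ip,
                           "user": ev["TargetUserName"], "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(load_events(SAMPLE_EVENTS)):
        print(alert)
```

The second alert type is the one worth paging on: a successful RDP logon right after a burst of failures is the point at which account lockout, credential reset and a look for follow-on activity (new accounts, disabled security tooling, unusual SMB access to shares) should start, rather than waiting for encryption to begin.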
In addition to the host computer, some Dharma variants will also encrypt mapped network drives, shared virtual machine host drives, and unmapped network shares as well, so there is a high chance the encryption can affect other machines on your network, including servers and backup systems, making recovery even harder.
all your data has been locked us
You want to return?
write email to firstname.lastname@example.org
Decryptor keys for older versions of Dharma were released in March 2018. However, these decryption tools do not work for newer strains of Dharma, such as the ".combo" variant. For strains of Dharma developed after March 2018, there is no known method to decrypt encrypted files without paying the ransom and obtaining the private RSA keys from the distributor.
The only way to restore your encrypted files outside of paying the ransom is to clean the ransomware off your computer and restore from a backup. Since some Dharma strains like .combo are known to encrypt network drives and other shares, your backups should be kept offline to prevent them from becoming encrypted as well.
In addition to RDP ports, Dharma .combo ransomware and other new variants can also spread through malicious email attachments in spam emails or spearphishing campaigns. These email attachments are usually Word documents with macros which will drop malicious payloads upon being opened. This is such a common way to distribute malware that recent versions of Microsoft Office disable macros by default. Macros should only ever be enabled in Microsoft Office documents if you are utterly sure of the sender's legitimacy.
When your organization becomes infected by ransomware through unsecured RDP or VPN ports or other security holes, the encryption of your critical data is almost always only the tip of the iceberg. It is both possible and likely that the criminal in question has been lurking on your network for weeks or even months before releasing the ransomware to cover their tracks and obfuscate their true intentions. Therefore, if you find yourself the victim of Dharma .combo ransomware, it is likely you have also been a victim of a data breach. Finding expert data breach investigators to get to the bottom of your situation as soon as possible should be your top priority.