HBM Ransomware is a New Dharma Clone Targeting Files to Encrypt


Researchers discovered a new ransomware variant that belongs to the Dharma family of clones. The new version is called the HBM ransomware.

HBM encrypts documents, media files, archives and databases on the victim system's drives. Once files are encrypted, they go through a name change.

The HMB ransomware appends the victim's ID code, the email used by the ransomware operator and the ".HBM" string to the names of encrypted files. This means a file originally called "archive.zip" will turn into "archive.zip.id-VICTIM ID.[hebem@cock.li].HBM".

The ransomware generated a file called "info.txt" that contains a shorter version of the ransom note. A different, longer version is displayed in a pop-up window and reads as follows:



Don't worry, you can return all your files!
If you want to restore them, write to the mail: hebem at cock dot li YOUR ID -
If you have not answered by mail within 12 hours, write to us by another mail:hebem at tuta dot io

We recommend you contact us directly to avoid overpaying agents

Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

November 30, 2022