A new variant of the Dharma ransomware has been discovered, in which a .cmb extension is appended to encrypted files. The LogPoint SIEM solution helps fight off ransomware attacks by detecting the threat in its early stages.
Dharma ransomware attacks are carried out by malicious actors who scan for devices exposing Remote Desktop Protocol (RDP) services, primarily on TCP port 3389, and brute-force the password of an account on the device. The attacker then installs the ransomware manually and configures it to run automatically each time the user logs in to Windows, so that files created since the previous run are also encrypted.
Once a device is infected, files are encrypted and renamed with a .cmb extension following the format “[original file name].id-[id].[email].cmb”, where [email] is the attacker’s email address, which the victim is urged to contact in order to recover the encrypted data.
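The two stages described above (RDP brute force followed by a successful logon, and the .cmb renaming scheme) map directly onto detection logic. The following is an added example, not LogPoint application code: it runs a brute-force-then-success rule over constructed Windows Security events (4625 failed logon, 4624 successful logon, LogonType 10 for RDP) and parses constructed file names against the “[original].id-[id].[email].cmb” format, matching the extracted contact address against a MALWARE_EMAIL list. All event records, IP addresses, file names and list values are constructed for the example; the event field names are assumptions, not LogPoint's normalized schema.

```python
"""Added example (not LogPoint code): detection logic for the two Dharma
stages described above, run over constructed sample data.
 1. RDP brute force: many failed network-logon events (Windows Security
    4625, LogonType 10 = RemoteInteractive) from one source IP, followed by
    a successful 4624 from the same IP.
 2. Encrypted-file naming: parse "[original].id-[id].[email].cmb" names,
    extract the contact address and match it against a MALWARE_EMAIL list.
All events, addresses and IoC values below are constructed, not real IoCs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "[original file name].id-[id].[email].cmb"; the address is sometimes
# written inside square brackets, so an optional pair is accepted.
CMB_NAME = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[A-Za-z0-9]+)"
    r"\.(?P<email>\[?[^\s\\/\[\]]+@[^\s\\/\[\]]+\]?)\.cmb$"
)


def parse_cmb_name(filename):
    """Return {'original', 'victim_id', 'email'} for a .cmb name, else None."""
    m = CMB_NAME.match(filename)
    if not m:
        return None
    d = m.groupdict()
    d["email"] = d["email"].strip("[]")
    return d


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts for source IPs with >= threshold failed RDP logons (4625,
    LogonType 10) inside `window`, followed by a successful RDP logon (4624).
    `events` is an iterable of dicts: time, event_id, logon_type, ip, user."""
    failures = defaultdict(list)  # ip -> timestamps of failed RDP logons
    alerts = []
    for e in sorted(events, key=lambda x: x["time"]):
        if e["logon_type"] != 10:
            continue  # only RemoteInteractive (RDP) logons are of interest
        ip = e["ip"]
        if e["event_id"] == 4625:
            failures[ip].append(e["time"])
        elif e["event_id"] == 4624:
            recent = [t for t in failures[ip] if e["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"ip": ip, "user": e["user"],
                               "failures": len(recent), "success_at": e["time"]})
    return alerts


def match_cmb_files(filenames, malware_email):
    """Parse .cmb names and return those whose contact address is on the list."""
    known = {addr.lower() for addr in malware_email}
    hits = []
    for name in filenames:
        parsed = parse_cmb_name(name)
        if parsed and parsed["email"].lower() in known:
            hits.append({"file": name, **parsed})
    return hits


# Constructed sample data (hypothetical field names, addresses and values)
T0 = datetime(2018, 9, 1, 3, 0, 0)


def ev(sec, event_id, ip, user, logon_type=10):
    return {"time": T0 + timedelta(seconds=sec), "event_id": event_id,
            "logon_type": logon_type, "ip": ip, "user": user}


SAMPLE_EVENTS = (
    [ev(i * 2, 4625, "203.0.113.45", "administrator") for i in range(8)]
    + [ev(20, 4624, "203.0.113.45", "administrator")]          # success after 8 failures
    + [ev(30, 4625, "198.51.100.7", "bob"), ev(40, 4624, "198.51.100.7", "bob")]
    + [ev(50, 4624, "10.0.0.5", "alice", logon_type=2)]        # console logon, ignored
)
MALWARE_EMAIL = ["decrypt-help@example.invalid"]  # constructed list value
SAMPLE_FILES = [
    "Q3-report.xlsx.id-1A2B3C4D.[decrypt-help@example.invalid].cmb",
    "photo.jpg.id-1A2B3C4D.decrypt-help@example.invalid.cmb",
    "notes.txt",
    "archive.id-ZZZ.someone@other.invalid.cmb",
]

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print("RDP brute force followed by success:", a)
    for h in match_cmb_files(SAMPLE_FILES, MALWARE_EMAIL):
        print("Dharma .cmb file with listed contact address:", h)
```

One caveat when porting the first rule to real logs: on hosts with Network Level Authentication enabled, failed RDP attempts are commonly recorded with LogonType 3 rather than 10, so a production rule should either include both types or key on the volume of 4625 events against the RDP host regardless of type.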
The updated LogPoint generic malware threat detection application provides a comprehensive package for detecting malware infections in a few simple steps. The updated IoC lists required to run the application are described below.
| # | List Name | Values |
|---|---|---|
| 1 | MALWARE_HASH | Hash values of malicious files and applications |
| 2 | MALWARE_FILE | Names of malicious files and applications |
| 3 | MALWARE_EMAIL | Email addresses of known attackers |
| 4 | MALWARE_IP | Malicious IP addresses |
| 5 | MALWARE_URL | Malicious URLs |
This version of the application detects the following malware:
Log Source Requirements: