
guardsix | Aug 17, 2018 | 1 min read

Fight off CMB Dharma ransomware with guardsix

A new variant of the Dharma ransomware has been discovered that appends a .cmb extension to the files it encrypts. The guardsix SIEM solution helps fight off ransomware attacks by detecting the threat in its early stages.

Dharma ransomware attacks are carried out by malicious actors who scan for devices exposing Remote Desktop Protocol (RDP) services, primarily on TCP port 3389, and brute-force the password of a device. The attacker then installs the ransomware manually and configures it to run automatically whenever the user logs in to Windows, so that each run encrypts the files created since the previous one.

Once a device is infected, its files are encrypted and renamed following the format “[original file name].id-[id].[email].cmb”, where [email] is the attacker’s email address, which the victim is urged to contact in order to recover the encrypted data.

The updated guardsix generic malware threat detection application provides a comprehensive package for detecting malware infections in just a few simple steps. The updated IoC lists required to run the application are given below.

  #  List name       Values
  1  MALWARE_HASH    List of all hash values of malicious files and applications
  2  MALWARE_FILE    List of all malicious files and applications
  3  MALWARE_EMAIL   List of all email addresses of known attackers
  4  MALWARE_IP      List of all malicious IP addresses
  5  MALWARE_URL     List of all malicious URLs

This version of the application detects the following malware:

  • Dharma ransomware
  • Oilrig OopsIE malware and SpyNote mobile malware
  • DarkHydrus
  • APT-C-23 and Micropsia
  • QUADAGENT
  • EmissaryPanda
  • Oilrig – DMI Connect
  • PRB-Backdoor and its connection to Oilrig
  • myetherwallet impersonations
  • “SilentLibrarian” (Iranian threat actor Mabna Institute)
  • Arid Viper
  • Malicious Invoice of Telcel Mexican Telecommunication Company

Log Source Requirements:

  • Windows Server/Integrity Scanner
    • Detects malicious file installations and malware-infected hosts
  • Mail Server
    • Detects any emails sent to listed malicious addresses
  • Firewall
    • Detects connections to and from listed malicious sources
  • Web Server/Proxy/Firewall
    • Detects connections to listed malicious domains and URLs
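As an added illustration of the detection logic the log sources above feed (example code written for this page, not the guardsix application itself), the script below parses the .cmb naming scheme described earlier, cross-checks the extracted email against a MALWARE_EMAIL list, and flags firewall connections involving MALWARE_IP entries. The key=value log format, host names, IoC values and the optional square brackets around the email are all constructed assumptions.

```python
import re

# Dharma ".cmb" naming scheme from the post: [original file name].id-[id].[email].cmb
# Assumption: the email may or may not be wrapped in literal square brackets on disk.
CMB_PATTERN = re.compile(
    r"^(?P<orig>.+?)\.id-(?P<vid>[0-9A-Za-z]+)\.\[?(?P<email>[^\s\[\]]+@[^\s\[\]]+?)\]?\.cmb$"
)

# Constructed stand-ins for the MALWARE_EMAIL and MALWARE_IP lists (not real indicators).
IOC_LISTS = {
    "MALWARE_EMAIL": {"paydecrypt@example.com"},
    "MALWARE_IP": {"203.0.113.45"},
}

# Constructed log lines in an assumed key=value format from an integrity scanner and a firewall.
LOGS = [
    "2018-08-17T02:14:09Z host=FS01 source=integrity_scanner event=file_created "
    "path=C:\\Shares\\Finance\\Q3-report.xlsx.id-1A2B3C4D.[paydecrypt@example.com].cmb",
    "2018-08-17T02:14:10Z host=FS01 source=integrity_scanner event=file_created path=C:\\Shares\\notes.txt",
    "2018-08-17T01:58:33Z host=FW01 source=firewall action=allow src=203.0.113.45 dst=10.0.0.12 dport=3389",
    "2018-08-17T02:20:00Z host=FW01 source=firewall action=allow src=198.51.100.7 dst=10.0.0.12 dport=443",
]

def parse_kv(line):
    """Turn 'timestamp key=value key=value ...' into a dict (the timestamp is dropped)."""
    rest = line.partition(" ")[2]
    return dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)

def dharma_cmb_match(path):
    """Return the parts of a Dharma .cmb file name, or None when the name does not match."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    m = CMB_PATTERN.match(name)
    return m.groupdict() if m else None

def detect(lines, ioc):
    """Alert on .cmb-renamed files (early-stage signal) and on traffic involving listed IPs."""
    alerts = []
    for line in lines:
        f = parse_kv(line)
        if f.get("source") == "integrity_scanner":
            m = dharma_cmb_match(f.get("path", ""))
            if m:  # the rename alone fires; a listed email raises confidence
                listed = m["email"].lower() in ioc["MALWARE_EMAIL"]
                alerts.append(("DHARMA_CMB_FILE", f["host"], m["email"], listed))
        elif f.get("source") == "firewall":
            hit = {f.get("src"), f.get("dst")} & ioc["MALWARE_IP"]
            if hit:  # connection to or from a listed source
                alerts.append(("MALWARE_IP_CONNECTION", f["host"], hit.pop(), True))
    return alerts
```

Running `detect(LOGS, IOC_LISTS)` yields one alert for the renamed file on FS01 and one for the inbound RDP connection from the listed address on FW01, while the benign lines produce nothing.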