A new variant of the Dharma ransomware has been discovered, where a .cmb extension is appended to encrypted drives. The LogPoint SIEM solution will help fight off ransomware attacks by detecting the threat in its early stages.

Dharma ransomware attacks are carried out by malicious actors scanning devices running remote desktop protocol services (RDP), primarily TCP port 3389, and by brute forcing the password to a device. The ransomware is then installed manually by the attacker and configured to execute automatically when the user logs in to Windows, encrypting files created subsequently to the last execution.  

Once a device is infected, files are encrypted and a .cmb extension is appended following the format “[original file name].id-[id].[email].cmb”, where [email] is the attacker’s email address which the victim is urged to contact, to recover encrypted data.

The updated LogPoint generic malware threat detection application provides you with a comprehensive package to detect any malware infection in just a few simple steps. The list of updated IoCs required to run the application follows.

List Name Values
1 MALWARE_HASH List of all hash values of malicious files and applications
2 MALWARE_FILE List of all malicious files and applications
3 MALWARE_EMAIL List of all email addresses of known attacker
4 MALWARE_IP List of all malicious ip addresses
5 MALWARE_URL List of all malicious urls

This version of the application detects the following malware:

  • Dharma ransomware
  • Oilrig OopsIE malware and SpyNote mobile malware
  • DarkHydrus
  • APT-C-23 and Micropsia
  • QUADAGENT
  • EmissaryPanda
  • Oilrig – DMI Connect
  • PRB-Backdoor and its connection to Oilrig
  • myetherwallet impersonations
  • “SilentLibrarian” (Iranian threat actor Mabna Institute)
  • Arid Viper
  • Malicious Invoice of Telcel Mexican Telecommunication Company

Log Source Requirements:

  • Windows Server/Integrity Scanner
    • Detects malicious file installation and malware infected hosts
  • Mail Server
    • Detects any emails sent to malicious addresses
  • Firewall
    • Detects connection to and from malicious listed sources
  • Web Server/Proxy/Firewall
    • Detects connection to malicious domains and URLs