Our current Support phone numbers for India will cease functioning as of October 31, 2023. Click here to find the new phone number

Sophos UTM: Decommissioning of obsolete URL categorization services CFFS.Click here for important info.

Sophos Endpoint

Discussions DBJammer Ransomware on SQL Servers - EDR Queries if any?

Sophos Endpoint requires membership for participation - click to join

Thread Info

State Not Answered
Replies 2 replies
Subscribers 11 subscribers
Views 586 views
Users 0 members are here

Options

Suggested

DBJammer Ransomware on SQL Servers - EDR Queries if any?

blueskies 17 days ago

06961063 / Detection for dbjammer Ransomware / ref:_00D301GN6a._5003Z1bh7RS:ref

https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/ Securonix Threat Research team has identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute force attacks Ransomware called DB#JAMMER Is Sophos Endpoint and Server PRotection has the detection for this malware? CAn you share more details

0 Maxim-Sophos 17 days ago

I would not expect Intercept X to block brute-force logins to the SQL Server. This is best addressed with other methods: SQL Server security best practices, internal network segmentation, a WAF, etc.

As for the malicious behaviors after infiltration, I would think that Intercept X would be able to detect/block at least some of them via our behavioral engine and/or our anti-exploitation features. Many of these are process-independent, so they should trigger even if the source of the bad behavior is a SQL Server process.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 blueskies 16 days ago in reply to Maxim-Sophos

ok the detection of payload seems to be covered with “AppC/Ngrok-C“. Just was looking for ideas if anyone had everything put on query wrt to the payload IOCs etc.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel