
DBJammer Ransomware on SQL Servers - EDR Queries if any?

06961063 / Detection for dbjammer Ransomware / ref:_00D301GN6a._5003Z1bh7RS:ref

https://www.securonix.com/blog/securonix-threat-labs-security-advisory-threat-actors-target-mssql-servers-in-dbjammer-to-deliver-freeworld-ransomware/ The Securonix Threat Research team has identified threat actors targeting exposed Microsoft SQL (MSSQL) services using brute-force attacks, with ransomware called DB#JAMMER. Does Sophos Endpoint and Server Protection have detection for this malware? Can you share more details?

  • I would not expect Intercept X to block brute-force logins to the SQL Server. This is best addressed with other methods: SQL Server security best practices, internal network segmentation, a WAF, etc.

    As for the malicious behaviors after infiltration, I would think that Intercept X would be able to detect/block at least some of them via our behavioral engine and/or our anti-exploitation features. Many of these are process-independent, so they should trigger even if the source of the bad behavior is a SQL Server process.
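The reply above points away from the endpoint agent and towards SQL Server's own controls for the brute-force stage. As an added example (not code from this thread, from Sophos or from the Securonix advisory), the Python below parses the "Login failed for user" lines that SQL Server writes to its ERRORLOG for error 18456 and flags any client address that exceeds a failure threshold inside a sliding time window; the log excerpt is constructed, and the threshold and window are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# SQL Server writes one "Login failed for user ..." line per failed login (error 18456)
# to its ERRORLOG; the calling address is appended as "[CLIENT: <ip>]".
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse_failures(lines):
    """Yield (timestamp, login_name, client_ip) for every failed-login line."""
    for line in lines:
        m = LOGIN_FAILED.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["user"], m["client"]

def find_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client_ip: (total_failures, sorted_logins)} for each client with at least
    `threshold` failures inside a sliding `window` (both are assumed tuning values)."""
    by_client = defaultdict(list)
    for ts, user, client in parse_failures(lines):
        by_client[client].append((ts, user))
    hits = {}
    for client, events in by_client.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[client] = (len(events), sorted({u for _, u in events}))
                break
    return hits

def _line(ts, user, reason, client):
    return f"{ts} Logon       Login failed for user '{user}'. Reason: {reason}. [CLIENT: {client}]"

BAD_PW = "Password did not match that for the login provided"
# Constructed ERRORLOG excerpt, not real telemetry: one client spraying 'sa' then 'admin',
# and an unrelated client with a single mistyped password.
SAMPLE_LOG = (
    ["2023-09-01 10:00:00.00 Logon       Error: 18456, Severity: 14, State: 8."]
    + [_line(f"2023-09-01 10:00:{s:02d}.00", "sa", BAD_PW, "203.0.113.5") for s in (0, 1, 3, 6, 9, 12)]
    + [_line("2023-09-01 10:00:25.03", "admin", "Could not find a login matching the name provided", "203.0.113.5"),
       _line("2023-09-01 10:03:11.77", "reports", BAD_PW, "198.51.100.7")]
)
```

Running `find_bruteforce(SAMPLE_LOG)` reports only 203.0.113.5 (7 failures across the logins 'admin' and 'sa'); the single failure from 198.51.100.7 stays below the threshold.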

  • OK, the detection of the payload seems to be covered with "AppC/Ngrok-C". I was just looking for ideas, in case anyone had put a query together for the payload IOCs, etc.