
[BUG] Common Ransomware Extensions - Regex Matching Double File Extension #3702

@KyleSchuette

Description

Describe the bug

The regex for "Detection: Common Ransomware Extensions" will never match on entries in the lookup, ransomware_extensions_lookup, that contain "double" file extensions. That is, patterns with more than one segment after the first period. Currently this only affects the following:

Line 16: *.Where_my_files.txt, Apocalypse
Line 24: *.bart.zip, Bart

Consider implementing the following regex to match on these edge cases:
| rex field=file_name "(?<file_extension>(\.[^\.]+){1,2})$"

Expected behavior

The expected behavior is for this detection to match any file extension within the associated lookup.
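The following is an added illustration of the report above, not code from the issue reporter or from the detection's repository. It reconstructs the two capture patterns in Python (assuming the current detection captures a single dot-delimited segment, which the issue describes but does not quote; Python spells a named group `(?P<name>...)` where Splunk's PCRE uses `(?<name>...)`) and simulates a wildcard-matched lookup with a constructed stand-in for `ransomware_extensions_lookup`: the two entries the issue names plus one single-segment entry for contrast. The lookup's wildcard behaviour is an assumption drawn from the leading `*` in its entries.

```python
import re
from fnmatch import fnmatchcase

# Assumed reconstruction of the detection's current capture: exactly one
# dot-delimited segment at the end of the file name.
CURRENT_EXT_RE = re.compile(r"(?P<file_extension>\.[^.]+)$")

# The pattern proposed in the issue, with the parentheses balanced:
# one or two trailing dot-delimited segments, captured as a whole.
PROPOSED_EXT_RE = re.compile(r"(?P<file_extension>(?:\.[^.]+){1,2})$")

# Constructed stand-in for ransomware_extensions_lookup. The first two rows are
# the entries named in the issue; the third is a single-segment row added here
# for contrast. Rows are treated as wildcard patterns (an assumption).
LOOKUP = [
    ("*.Where_my_files.txt", "Apocalypse"),
    ("*.bart.zip", "Bart"),
    ("*.locky", "Locky"),
]


def extract_extension(file_name, pattern):
    """Return the file_extension capture for file_name, or None if the regex does not match."""
    m = pattern.search(file_name)
    return m.group("file_extension") if m else None


def match_lookup(file_extension):
    """Return the ransomware name whose wildcard pattern matches the captured extension, else None."""
    if file_extension is None:
        return None
    for pattern, name in LOOKUP:
        if fnmatchcase(file_extension, pattern):
            return name
    return None


def classify(file_name, pattern):
    """End-to-end: capture the extension with `pattern`, then look it up."""
    return match_lookup(extract_extension(file_name, pattern))


# Constructed sample file names: two double-extension cases from the issue,
# one single-extension ransomware case, and one benign file.
SAMPLES = [
    "budget.xlsx.Where_my_files.txt",
    "photos.bart.zip",
    "report.docx.locky",
    "readme.txt",
]

if __name__ == "__main__":
    for f in SAMPLES:
        print(
            f"{f}: current={classify(f, CURRENT_EXT_RE)} "
            f"proposed={classify(f, PROPOSED_EXT_RE)}"
        )
```

With the single-segment capture, `photos.bart.zip` yields `.zip` and never reaches the `*.bart.zip` row; the two-segment capture yields `.bart.zip` and matches. The single-segment row still works under the proposed pattern because `*.locky` also matches the two-segment capture `.docx.locky`, so widening the capture does not break existing entries as long as the lookup is wildcard-matched.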

Labels: bug