[BreachExchange] ‘DeepBlueMagic’ - Newly Discovered Ransomware With Unique Modus Operandi

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Mon Aug 16 12:04:57 EDT 2021


https://www.ehackingnews.com/2021/08/deepbluemagic-newly-discovered.html

Heimdal Security researchers have unearthed a new ransomware strain along
with a ransom note signed by a group calling itself ‘DeepBlueMagic’.

On Wednesday, 11th of August, security researchers detected ‘DeepBlueMagic’
in an attack on a device running Windows Server 2012 R2. After analyzing
the variant, researchers said it operates differently from all previously
detected ransomware strains.

Modus Operandi of DeepBlueMagic Ransomware

DeepBlueMagic ransomware used a legitimate third-party encryption tool
called ‘BestCrypt Volume Encryption’ by Jetico. Instead of encrypting files
on the victim’s system, the ransomware first targeted the different disk
drives on the server, with the exception of the system drive (the “C:\”
partition).

“The ‘BestCrypt Volume Encryption’ was still present on the accessible
disk, C, alongside a file named ‘rescue.rsc’, a rescue file commonly used
by Jetico’s software to retrieve the partition in case of damage. But
unlike in the legitimate uses of the software, the rescue file itself was
encrypted as well by Jetico’s product, using the same mechanism, and
requiring a password in order to be able to open it,” Heimdal explained.

The methodology used by DeepBlueMagic ransomware is distinctive because
most ransomware families focus on encrypting files.

“Further analysis revealed that the encryption process was started using
Jetico’s product, and stopped right after its initiation. Therefore,
following this go-around process, the drive was only partially encrypted,
with just the volume headers being affected. The encryption can be either
continued or restored using the rescue file of Jetico’s “BestCrypt Volume
Encryption”, but that file was also encrypted by the ransomware operators,”
the report added.

The ransomware also deleted the Windows Volume Shadow Copies to ensure
that the compromised drives could not be restored. Since it was running on
a Windows Server operating system, the ransomware attempted to activate
BitLocker on all the endpoints in that Active Directory.

According to security researchers, the ransomware deleted itself during
the attack, so it could not be tracked and analyzed. The researchers were
unable to determine how the ransomware was installed on the server, but
said there were no failed login attempts, so it was not delivered as a
result of a brute-force attack. The server only had a Microsoft
Dynamics AAX installed with a Microsoft SQL Server.

Fortunately, the compromised server was restored because the encryption
process was only partially completed. Researchers simulated the
DeepBlueMagic process, tried several decryption tools, and were able to
restore the files on the inaccessible partition using the free TestDisk
tool from CGSecurity.org.

“The current ransomware landscape is RED HOT right now with thousands of
companies being affected daily on the global scale. Financial losses of
millions of dollars and severe social consequences, and this new ransomware
strain only further emphasizes the cyber criminals’ tendency and ability to
innovate their business and continuously maximize for profit,” Morten
Kjaersgaard, CEO of Heimdal Security, stated.