Researchers have discovered a new strain of ransomware, that is innovatively using a third-party encryption tool and several other tactics to carry out malicious attacks. Named as DeepBlueMagic, the ransomware targets systems having Windows Server 2012 R2.
What was discovered?
Researchers from Heimdal Security have detected a new cyber incident in which a complex strain of ransomware is dropping a ransom note signed by DeepBlueMagic.
- The threat group leverages the commercially available disk encryption tool BestCrypt Volume Encryption (developed by Jetico) to encrypt data in a victim’s machine.
- The attack starts with encryption of files, not on the target’s endpoint devices, but the disk drives on the server. It also leaves the system's C Drive (C:) untouched.
- During the encryption process, it encrypts rescue.rsc file, which is a genuine rescue (recovery) file created by Jetico’s encryption tool.
- Upon encryption, this file requires a password to open, and therefore cannot be used by admins for the recovery process.
- After encryption is over, it drops a ransom note on the desktop. Moreover, the disk drives (d:\ in this specific case) get turned into a RAW partition, which is treated as a broken link by the Windows OS and cannot be accessed.
Additional insights
Researchers noted that DeepBlueMagic operators are using several additional tactics to carry out attacks.
- In some cases, the encryption process ends just after it is started, resulting in the encryption of volume headers and rendering them inaccessible.
- The partial encryption process can be either continued or restored, but both these require the recur file which is already encrypted. Thus leaving the entire system choked within a short duration of time.
- Additionally, the ransomware also tries to stop all the third-party Windows services to disable any security software. Moreover, it deletes Volume Shadow Copy of Windows and tries to activate BitLocker on the endpoints listed in the active directory.
The good news is researchers were able to simulate the partially run encryption process, and then recover the encrypted files using a free tool CGSecurity.org.
Ending notes
The developers of DeepBlueMagic have, as observed, used a combination of several innovative techniques to make an impact. Although researchers were able to find some workaround for now, however, such approaches by criminals can become a cause of great concern for the security landscape at any time.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_414767911.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_229793155.jpg)
