New Money Message Ransomware Demands Million Dollar Ransoms

A new ransomware gang named ‘Money Message’ has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor. The new ransomware was first reported by a victim on the BleepingComputer forums on March 28, 2023, with Zscaler’s ThreatLabz soon after sharing information on Twitter. Currently, the threat actor lists two victims on its extortion site, one of which is an Asian airline with annual revenue close to $1 billion. Additionally, the threat actors claim to have stolen files from the company and include a screenshot of the accessed file system as proof of the breach.

The Money Message encryptor is written in C++ and includes an embedded JSON configuration file determining how a device will be encrypted. This configuration file includes what folders to block from encrypting, what extension to append, what services and processes to terminate, whether logging is enabled, and domain login names and passwords likely used to encrypt other devices. When encrypting files, it will not append any extension, but this can change depending on the victim. According to security researcher rivitna, the encryptor uses ChaCha20/ECDH encryption when encrypting files.

After encrypting the device, the ransomware will create a ransom note named money_message.log that contains a link to a TOR negotiation site used to negotiate with the threat actors. The ransomware will also warn that they will publish any stolen data on their data leak site if a ransom is not paid. Although the encryptor used by the group does not appear sophisticated, it has been confirmed that the operation is successfully stealing data and encrypting devices during their attacks.
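The one host-level artifact the write-up names is the ransom note money_message.log and the Tor negotiation link inside it. The following is an added triage helper, not code from the article or from any vendor tooling: it walks a directory tree, reports every copy of the note it finds (which shows how far encryption reached) and pulls the .onion URL out of each one so the negotiation site can be recorded as an indicator. The note name is the only value taken from the article; the sample note text, the fake onion address and the directory layout are constructed here for illustration.

```python
"""Hunt for Money Message ransom notes and extract the Tor negotiation URL.

Added example (not the article's own code). The note name money_message.log
comes from the write-up; the sample note, the fake onion address and the
directory layout below are constructed for illustration.
"""
import os
import re
import tempfile
from pathlib import Path

RANSOM_NOTE_NAME = "money_message.log"

# Tor v3 onion names are 56 base32 characters, the older v2 form 16; both end
# in ".onion". Scheme and path are optional so bare addresses are caught too.
ONION_RE = re.compile(
    r"(?:https?://)?(?:[a-z2-7]{56}|[a-z2-7]{16})\.onion(?:/\S*)?",
    re.IGNORECASE,
)


def extract_onion_urls(text: str) -> list:
    """Return the distinct .onion URLs in a note, in order of first appearance."""
    seen = []
    for match in ONION_RE.finditer(text):
        url = match.group(0).rstrip(".,)")  # drop sentence punctuation glued to the URL
        if url not in seen:
            seen.append(url)
    return seen


def find_ransom_notes(root: str, note_name: str = RANSOM_NOTE_NAME) -> list:
    """Walk `root` and collect every file whose name matches the ransom note.

    Each hit records the path and the onion URLs found inside, so an analyst
    sees both the blast radius and the negotiation site in one pass.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() != note_name.lower():
                continue
            path = Path(dirpath) / fname
            try:
                text = path.read_text(errors="replace")
            except OSError:
                text = ""  # unreadable note still counts as a hit
            hits.append({"path": str(path), "onion_urls": extract_onion_urls(text)})
    hits.sort(key=lambda hit: hit["path"])
    return hits


def summarize(hits: list) -> dict:
    """Collapse per-file hits into a note count and the distinct URLs seen."""
    urls = []
    for hit in hits:
        for url in hit["onion_urls"]:
            if url not in urls:
                urls.append(url)
    return {"note_count": len(hits), "onion_urls": urls}


# Constructed sample note; 56 'a' characters is a syntactically valid v3 length.
FAKE_ONION = "http://" + "a" * 56 + ".onion/chat"
SAMPLE_NOTE = (
    "Your files have been encrypted.\n"
    "Contact us at " + FAKE_ONION + " to negotiate, or your data is published.\n"
)


def demo() -> dict:
    """Build a throwaway tree with two constructed notes plus one decoy and hunt it."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("Users/alice/Documents", "Users/bob"):
            folder = Path(root, sub)
            folder.mkdir(parents=True)
            (folder / RANSOM_NOTE_NAME).write_text(SAMPLE_NOTE)
        # Decoy with the same text but a different name must not be counted.
        Path(root, "Users/alice/readme.txt").write_text(SAMPLE_NOTE)
        return summarize(find_ransom_notes(root))


if __name__ == "__main__":
    print(demo())
```

Point `find_ransom_notes` at a mounted image or a live root instead of the temporary tree to use it on real evidence; matching on the exact file name keeps false positives low, and the per-directory hits double as a map of which shares and user profiles the encryptor reached.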

Analyst Notes

To protect against ransomware attacks, organizations should:

• Regularly back up data, air gap, and password protect backup copies offline.
• Ensure copies of critical data are not accessible for deletion from the system.
• Implement network segmentation.
• Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data.
• Implement monitoring of security events on employee workstations and servers, with a 24/7 Security Operations Center to detect threats.
• Use multifactor authentication where possible.
• Use strong passwords and regularly change passwords to network systems and accounts.
• Regularly provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.