A new ransomware variant was discovered by researchers at Heimdal Security and is being used by a group that calls itself DeepBlueMagic. The ransomware is notably complex and departs from the standard file-encryption approach commonly seen in ransomware.
The new ransomware was discovered on August 11th and was being used in an attack on a device running Windows Server 2021 R2. Rather than encrypting the files on the target's endpoint, DeepBlueMagic used a legitimate third-party disk-encryption tool to start encrypting the server's disk drives, excluding the system drive (the C:\ partition).
The third-party tool used in this case is “BestCrypt Volume Encryption” by Jetico. Before encryption, the malicious software stopped every third-party Windows service on the computer to avoid being detected. The attack turned the D:\ drive into a RAW partition rather than NTFS (New Technology File System), which made it inaccessible. Attempting to access the encrypted drive caused the Windows interface to prompt the user to format the disk, since the drive had become unreadable.
Further analysis showed that the disk was only partially encrypted: only the volume headers were encrypted. The encryption process could have been continued with BestCrypt Volume Encryption's rescue file, but that file was also encrypted by DeepBlueMagic and password protected. The ransomware then deleted the Windows Volume Shadow Copies to ensure the affected drives could not be restored.
A text file named “Hello world” was also left on the desktop, telling the owner of the computer to contact DeepBlueMagic; the group would then respond with the ransom amount and payment instructions for receiving a decryption password.
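The behaviours described above (mass stopping of third-party services, launch of a legitimate volume-encryption tool, deletion of shadow copies) are what a defender would correlate in endpoint logs. The following is an added detection example, not code from Heimdal or from the attack; the event-record format, the sample records, the BestCrypt binary name and the `vssadmin delete shadows` command line are all assumptions constructed for illustration.

```python
"""Correlate constructed Windows event records for the behaviours the
article attributes to DeepBlueMagic: mass stopping of third-party
services, launch of a legitimate volume-encryption tool, and deletion
of Volume Shadow Copies. Added example; record format, process names
and thresholds are assumptions rather than details from the report."""
from datetime import datetime

# Constructed sample records: (timestamp, event_id, detail). 7036 is the
# Service Control Manager "entered the stopped state" event, 4688 is process
# creation. BestCrypt's real binary name is not on the page, so a placeholder
# is used and matching relies on the product name in the path.
SAMPLE_EVENTS = [
    ("2021-08-11T02:00:01", 7036, "The Backup Agent service entered the stopped state."),
    ("2021-08-11T02:00:02", 7036, "The Antivirus Service service entered the stopped state."),
    ("2021-08-11T02:00:03", 7036, "The Monitoring Agent service entered the stopped state."),
    ("2021-08-11T02:00:04", 7036, "The SQL Writer service entered the stopped state."),
    ("2021-08-11T02:00:05", 7036, "The Print Spooler service entered the stopped state."),
    ("2021-08-11T02:01:10", 4688, r"C:\Tools\BestCrypt Volume Encryption\bcve_placeholder.exe D: E:"),
    ("2021-08-11T02:05:30", 4688, r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("2021-08-11T03:10:00", 4688, r"C:\Windows\System32\notepad.exe hello world.txt"),
]

SERVICE_STOP_THRESHOLD = 4   # stops inside one window that count as a mass stop
SERVICE_STOP_WINDOW_S = 60

def correlate(events):
    """Return (set of indicator names, verdict) for a list of event records."""
    found = set()
    stops = sorted(datetime.fromisoformat(t) for t, eid, _ in events if eid == 7036)
    # Sliding window: many service stops in a short period, as the report describes.
    for i, start in enumerate(stops):
        in_window = [t for t in stops[i:] if (t - start).total_seconds() <= SERVICE_STOP_WINDOW_S]
        if len(in_window) >= SERVICE_STOP_THRESHOLD:
            found.add("mass_service_stop")
            break
    for _, eid, detail in events:
        if eid != 4688:
            continue
        low = detail.lower()
        if "bestcrypt volume encryption" in low:
            found.add("volume_encryption_tool_launched")
        if "vssadmin" in low and "delete shadows" in low:
            found.add("shadow_copies_deleted")
    # Two or more of the three behaviours together is the pattern worth alerting on.
    verdict = "ransomware_pattern" if len(found) >= 2 else "benign_or_inconclusive"
    return found, verdict
```

Any one of these indicators alone can be legitimate administration (a backup tool stopping services, an admin pruning shadow copies), which is why the verdict requires the combination rather than a single hit.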