A new ransomware variant was discovered by researchers at Heimdal Security and is being used by a group that called themselves DeepBlueMagic. The ransomware is notably complex, displaying innovation from the standard file encryption approach commonly seen.
The new ransomware was discovered on August 11th and was being used in an attack on a device running Windows Server 2021 R2. By using a legitimate third-party disk encryption tool, the DeepBlueMagic ransomware started the encryption process on the different disk drives on the server, except the system drive (C: partition), rather than encrypting the files on the target’s endpoint.
The third-party tool used in this case is “BestCrypt Volume Encryption” by Jetico. Before encryption, the malicious software stopped every third-party Windows service on the computer to ensure they wouldn’t be detected. The attack turned the D: drive into a RAW partition, rather than NTFS (New Technology File System), which made it inaccessible. Attempting to access the encrypted drive would result in the Windows OS interface prompting the user to accept the formatting of the disk since the drive would be unreadable.
Further analysis showed that the disk was only partially encrypted and only the volume headers were encrypted. The encryption process could’ve been continued with BestCrypt Volume Encryption’s rescue file, but that file was also encrypted by DeepBlueMagic and was password protected. It then deleted the Volume Shadow Copy of Windows to ensure restoration was not possible for the affected drives.
A text file was also left on the desktop, named “Hello world” telling the owner of the computer to contact DeepBlueMagic and that the group will respond with the amount of ransom and how to pay it to receive a decryption password.
Analyst Notes
The DeepBlueRansomware only encrypted the headers of the affected partition in order to break the Shadow Volumes Windows feature. Because of this, the affected server in this case was able to be restored without paying the ransom due to the ransomware only initiating the encryption process, but never fully following it through. This was done so by trying various decryption tools while simulating the DeepBlueMagic process of starting the encryption then stopping it.
Ransomware attacks are not slowing down, new groups and ransomware variants are quickly appearing. In order to help identify attacks and mitigate them, it is important that companies have proper monitoring in place. This includes monitoring such as Binary Defense’s Managed Detection and Response that looks for attacks being carried out through behavior-based detection and works to stop them through 24/7 Security Operations and response.
https://heimdalsecurity.com/blog/new-ransomware-method-deepbluemagic-strain/?web_view=true
