Heimdal Security researchers have unearthed a new ransomware strain along with a ransomware note, signed by a group calling itself ‘DeepBlueMagic’.
On Wednesday, 11th of August, security researchers detected ‘DeepBlueMagic’ which had been used in an attack on a device running Windows Server 2012 R2. The ransomware operates differently from all other previously detected ransomware strains, researchers said after analyzing the ransomware variant.
Modus Operandi of DeepBlueMagic Ransomware
DeepBlueMagic ransomware used a legitimate third-party encryption tool called ‘BestCrypt Volume Encryption’ by Jetico. Instead of encrypting files on the victim’s system, the ransomware first targeted different disk drives on the server, with the exception of the system drive located in the (“C:\” partition).
“The ‘BestCrypt Volume Encryption’ was still present on the accessible disk, C, alongside a file named ‘rescue.rsc’, a rescue file commonly used by Jetico’s software to retrieve the partition in case of damage. But unlike in the legitimate uses of the software, the rescue file itself was encrypted as well by Jetico’s product, using the same mechanism, and requiring a password in order to be able to open it,” Heimdal explained.
The methodology used by DeepBlueMagic ransomware is considerably unique because most ransomware families out there focus on encrypting files.
“Further analysis revealed that the encryption process was started using Jetico’s product, and stopped right after its initiation. Therefore, following this go-around process, the drive was only partially encrypted, with just the volume headers being affected. The encryption can be either continued or restored using the rescue file of Jetico’s “BestCrypt Volume Encryption”, but that file was also encrypted by the ransomware operators,” the report added.
The ransomware also deleted the Volume Shadow Copy of Windows to ensure restoration is not possible for the compromised drives. Since it was on a Windows server operating system, the ransomware attempted to activate Bitlocker on all the endpoints in that active directory.
According to security researchers, the ransomware itself was self-deleted in the attack, so it could not be tracked and analyzed. The researchers were unsuccessful in determining how the ransomware was installed on the server but said there were no failed login attempts so it was not delivered as a result of a brute force attack. The server only had a Microsoft Dynamics AAX installed with a Microsoft SQL Server.
Fortunately, the compromised server was restored because the encryption process was only partially completed. Researchers simulated the DeepBlueMagic process and attempted to use several decryption tools and were able to successfully restore the files on the inaccessible partition using the free TestDisk tool from CGSecurity.org.
“The current ransomware landscape is RED HOT right now with thousands of companies being affected daily on the global scale. Financial losses of millions of dollars and severe social consequences, and this new ransomware strain only further emphasizes the cyber criminals’ tendency and ability to innovate their business and continuously maximize for profit,” Morten Kjaersgaard, CEO of Heimdal Security stated.