New Ransomware Variant Discovered

Uploaded on 2021-08-16 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

A team of Heimdal Security experts have warned of a new ransomware by a group calling itself “DeepBlueMagic.” This new ransomware variant is complex and shows some innovation from most other standard file encryption exploits. DeepBlueMagic uses legitimate third-party disk encryption tools to take advantage of the variety on the system drive (excluding the system drive) rather than the files on the target endpoint as ransomware normally does. 

Heimdal found the affected device that was infected with the ransomware was running Windows Server 2012 R2. The legitimate disk encryption third party tool used is “BestCryptVolumeEncryption” from Jetico was used and present on accessible disk C with a file named “rescue.rsc”. This is a rescue file that is customarily used by Jetico software to recover partition in case of damage. 

However, unlike the legitimate use of the software, the rescue file itself is encrypted by Jetico’s product using the same mechanism and requires a password to open. Heimdal say this is a very rare technique for ransomware strains, as these infections are mostly file-focused.

DeepBlueMagic ransomware has started encrypting all drives except the system drive using Jetico’s products. The machine was found to have an intact “C: ”drive, unencrypted, and a text file of ransom information stored on the desktop. The C drive is a smaller stakes ransomware target because it is located on another partition rather than the system drive used to perform executables and operations. In this case, it was the “D: ” drive that was converted to a RAW partition instead of the usual NTFS and became inaccessible. The drive appears to be corrupted when encrypted, so when you try to access it, the user is prompted to accept the disk format on the Windows OS interface.

Further analysis revealed that the encryption process was started using Jetico’s product and stopped shortly after it started. Therefore, after this workaround process, the drive was only partially encrypted and only the volume header was affected. Encryption can be continued or restored using Jetico’s “Best Crypt Volume Encryption” rescue file, which is also encrypted by the ransomware operator.

Prior to using Jetico’sBestCryptVolumeEncryption, the malicious software shut down all third-party Windows services on the computer to ensure that the security software based on behavioral analysis was disabled. Leaving such a service active leads to its immediate detection and blocking. DeepBlueMagic then deleted the Windows Volume Shadow Copy so that the affected drive could not be restored. Since it was on a Windows server OS, Heimdal tried to activate the Bitlocker encryption tool on all endpoints in that Active Directory.

On the affected server, the entry point was not based on a brute force attempt because no failed login attempt was detected in the audit log. The server had only Microsoft Dynamics AAX installed with Microsoft SQL Server. Unfortunately, the ransomware self-deleted traces of the original executable, except for traces of legitimate Jetico tools. 

The ransomware notes were left in a text file on the desktop named “Hello world”. 

The affected server was restored because the ransomware only started the encryption process and did not actually do it. Basically, DeepBlueMagic ransomware only encrypted the headers of the affected partitions in order to break the Windows functionality of shadow volumes.

Heimdal will perform further analysis in a secure virtual machine environment, but  the information they have so far recognizes its mode of operation and this is addressed in the new version of Heimdal ™ Ransomware Cryptographic Protection

Heindal's malware analysts succeeded in recovering files on inaccessible partitions by trying various decryption tools while simulating the DeepBlueMagic process (starting and then stopping encryption). For those who are or may be affected by DeepBlueMagic ransomware, Heimdal have the know how and the tools to deal with it. 

Heimdal Security:      IT Security News:        jioforme:

You Might Aslo Read: 

Minimising The Impact Of Ransomware:

 

« How To Write A Successful Cyber Security Resume
British Government Ministers Risk Being Hacked »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

National Cyber Security Centre (NCSC) - Netherlands

National Cyber Security Centre (NCSC) - Netherlands

NCSC Netherlands coordinates enhancing the cyber resilience of the Netherlands in the digital domain.

InstaSafe Technologies

InstaSafe Technologies

InstaSafe®, a Software Defined Perimeter based (SDP) one-stop Secure Access Solution for On-Premise and Cloud Applications.

Egyptian Supreme Cybersecurity Council (ESCC)

Egyptian Supreme Cybersecurity Council (ESCC)

ESCC is responsible for developing a national strategy to face and respond to the cyber threats and attacks and to oversee its implementation and update.

NITA Uganda (NITA-U)

NITA Uganda (NITA-U)

NITA-U has put in place the Information security framework to provide Uganda with the necessary process, policies, standards and guideline to help in Information Assurance.

ODSC

ODSC

ODSC is a security systems integrator that provides services and expertise in identity management and access.

NETRIO

NETRIO

If you are looking for a highly mature, exceptionally competent Managed Service Provider, NETRIO has solutions to keep your business running at warp speed with zero disruptions.

Industrial Control System Information Sharing and Analysis Center (ICS-ISAC)

Industrial Control System Information Sharing and Analysis Center (ICS-ISAC)

ICS-ISAC is a non-profit, public/private Knowledge Sharing Center established to help facilities develop situational awareness in support of local, national and international security.

LogMeIn

LogMeIn

LogMeIn makes it possible for millions of people and businesses around the globe to do their best work simply and securely—on any device, from any location and at any time.

AwareGO

AwareGO

AwareGO is a global provider of security awareness training content and solutions that help enterprises improve cybersecurity awareness in the workplace.

MAXXeGUARD Data Safety

MAXXeGUARD Data Safety

MAXXeGUARD: The High Security Shredder. MAXXeGUARD easily destroys hard disks up to the highest security levels as well as other digital data carriers like SSD’s, LTO’s, USB’s, CD’s etc.

Open Source Security Foundation (OpenSSF)

Open Source Security Foundation (OpenSSF)

OpenSSF is committed to collaboration and working both upstream and with existing communities to advance open source security for all.

ThrottleNet

ThrottleNet

ThrottleNet provides world-class managed IT services and cybersecurity to organizations in St. Louis and throughout Missouri.

CUBE3 AI

CUBE3 AI

CUBE3.AI is a web3 security platform that provides real-time transaction protection for smart contracts, safeguarding against cyber exploits, fraud, and compliance risks.

Cybercentry

Cybercentry

Cybercentry is a specialist information security, data protection and cyber security consultancy.

Kontra

Kontra

Kontra application security training is an interactive and intuitive learning experience that engages developers.

Gathid

Gathid

Gathid is a unique and versatile identity governance platform providing organizations with the ability to model, explore, audit, and track complex access-related scenarios.