New Ransomware Variant Discovered

Uploaded on 2021-08-16 in TECHNOLOGY--Resilience, NEWS-Cybersecurity News, FREE TO VIEW

A team of Heimdal Security experts have warned of a new ransomware by a group calling itself “DeepBlueMagic.” This new ransomware variant is complex and shows some innovation from most other standard file encryption exploits. DeepBlueMagic uses legitimate third-party disk encryption tools to take advantage of the variety on the system drive (excluding the system drive) rather than the files on the target endpoint as ransomware normally does. 

Heimdal found the affected device that was infected with the ransomware was running Windows Server 2012 R2. The legitimate disk encryption third party tool used is “BestCryptVolumeEncryption” from Jetico was used and present on accessible disk C with a file named “rescue.rsc”. This is a rescue file that is customarily used by Jetico software to recover partition in case of damage. 

However, unlike the legitimate use of the software, the rescue file itself is encrypted by Jetico’s product using the same mechanism and requires a password to open. Heimdal say this is a very rare technique for ransomware strains, as these infections are mostly file-focused.

DeepBlueMagic ransomware has started encrypting all drives except the system drive using Jetico’s products. The machine was found to have an intact “C: ”drive, unencrypted, and a text file of ransom information stored on the desktop. The C drive is a smaller stakes ransomware target because it is located on another partition rather than the system drive used to perform executables and operations. In this case, it was the “D: ” drive that was converted to a RAW partition instead of the usual NTFS and became inaccessible. The drive appears to be corrupted when encrypted, so when you try to access it, the user is prompted to accept the disk format on the Windows OS interface.

Further analysis revealed that the encryption process was started using Jetico’s product and stopped shortly after it started. Therefore, after this workaround process, the drive was only partially encrypted and only the volume header was affected. Encryption can be continued or restored using Jetico’s “Best Crypt Volume Encryption” rescue file, which is also encrypted by the ransomware operator.

Prior to using Jetico’sBestCryptVolumeEncryption, the malicious software shut down all third-party Windows services on the computer to ensure that the security software based on behavioral analysis was disabled. Leaving such a service active leads to its immediate detection and blocking. DeepBlueMagic then deleted the Windows Volume Shadow Copy so that the affected drive could not be restored. Since it was on a Windows server OS, Heimdal tried to activate the Bitlocker encryption tool on all endpoints in that Active Directory.

On the affected server, the entry point was not based on a brute force attempt because no failed login attempt was detected in the audit log. The server had only Microsoft Dynamics AAX installed with Microsoft SQL Server. Unfortunately, the ransomware self-deleted traces of the original executable, except for traces of legitimate Jetico tools. 

The ransomware notes were left in a text file on the desktop named “Hello world”. 

The affected server was restored because the ransomware only started the encryption process and did not actually do it. Basically, DeepBlueMagic ransomware only encrypted the headers of the affected partitions in order to break the Windows functionality of shadow volumes.

Heimdal will perform further analysis in a secure virtual machine environment, but  the information they have so far recognizes its mode of operation and this is addressed in the new version of Heimdal ™ Ransomware Cryptographic Protection

Heindal's malware analysts succeeded in recovering files on inaccessible partitions by trying various decryption tools while simulating the DeepBlueMagic process (starting and then stopping encryption). For those who are or may be affected by DeepBlueMagic ransomware, Heimdal have the know how and the tools to deal with it. 

Heimdal Security:      IT Security News:        jioforme:

You Might Aslo Read: 

Minimising The Impact Of Ransomware:

 

« How To Write A Successful Cyber Security Resume
British Government Ministers Risk Being Hacked »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CDW

CDW

CDW is a leading multi-brand provider of information technology solutions to business, government, education and healthcare customers in the United States, the United Kingdom and Canada.

Encode

Encode

Encode delivers a cutting edge Security Analytics & Response Orchestration platform and best of breed Cyber Security Operations and Services.

City Security Magazine

City Security Magazine

City Security magazine helps promote best security practices and keep businesses informed on a wide variety of security-related issues.

SecuGen

SecuGen

SecuGen is a leading provider of advanced, optical fingerprint recognition technology, products, tools and platforms for physical and information security.

Cybrary

Cybrary

Cybrary is an open-source cyber security and IT learning and certification preparation platform.

Cyber Security & Cloud Expo

Cyber Security & Cloud Expo

The Cyber Security & Cloud Expo is an international event series in London, Amsterdam and Silicon Valley.

Smart Contract Security Alliance

Smart Contract Security Alliance

The Smart Contract Security Alliance supports the blockchain ecosystem by building standards for smart contract security and smart contract audits.

McIntyre Associates

McIntyre Associates

McIntyre Associates is an Executive Search boutique specialized in recruiting for the Cybersecurity industry. Our clients range from Venture Capital backed startups to Fortune 100 companies.

ConnectWise

ConnectWise

The Unified ConnectWise Platform offers intelligent software and expert services to easily run your business, deliver your services, secure your clients, and build your staff.

Sencode Cyber Security

Sencode Cyber Security

Sencode provides a range of IT security solutions and services, including penetration testing and cyber awareness training to help mitigate the growing risks to your corporate infrastructure.

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV)

Inflection Point Ventures (IPV) is a 6000+ members angel investing firm which supports new-age entrepreneurs by connecting them with a diverse group of investors.

Bright Data

Bright Data

Bright Data Inc is the world’s #1 web data platform, enabling organizations to research, monitor, analyze data, and make better decisions.

Secrutiny

Secrutiny

Scrutiny's core services include Cyber Maturity, Cyber Risk Analyser, Cyber Controls, Incident Response, SOC, Cyber Recovery and Assurance Testing.

Virtual Technologies Group (VTG)

Virtual Technologies Group (VTG)

Virtual Technologies Group is a single source, IT product and services provider for SMBs and IT departments, delivering reliable, cost-efficient service, maintenance and support solutions.

Siometrix

Siometrix

Siometrix addresses digital identity fraud. It steals your attacker's time and prevents many prevalent attack vectors.

Uptime Institute

Uptime Institute

Uptime Institute is an unbiased advisory organization focused on improving the performance, efficiency, and reliability of business critical infrastructure.