New Ransomware Variant Discovered

A team of Heimdal Security experts have warned of a new ransomware by a group calling itself “DeepBlueMagic.” This new ransomware variant is complex and shows some innovation from most other standard file encryption exploits. DeepBlueMagic uses legitimate third-party disk encryption tools to take advantage of the variety on the system drive (excluding the system drive) rather than the files on the target endpoint as ransomware normally does. 

Heimdal found the affected device that was infected with the ransomware was running Windows Server 2012 R2. The legitimate disk encryption third party tool used is “BestCryptVolumeEncryption” from Jetico was used and present on accessible disk C with a file named “rescue.rsc”. This is a rescue file that is customarily used by Jetico software to recover partition in case of damage. 

However, unlike the legitimate use of the software, the rescue file itself is encrypted by Jetico’s product using the same mechanism and requires a password to open. Heimdal say this is a very rare technique for ransomware strains, as these infections are mostly file-focused.

DeepBlueMagic ransomware has started encrypting all drives except the system drive using Jetico’s products. The machine was found to have an intact “C: ”drive, unencrypted, and a text file of ransom information stored on the desktop. The C drive is a smaller stakes ransomware target because it is located on another partition rather than the system drive used to perform executables and operations. In this case, it was the “D: ” drive that was converted to a RAW partition instead of the usual NTFS and became inaccessible. The drive appears to be corrupted when encrypted, so when you try to access it, the user is prompted to accept the disk format on the Windows OS interface.

Further analysis revealed that the encryption process was started using Jetico’s product and stopped shortly after it started. Therefore, after this workaround process, the drive was only partially encrypted and only the volume header was affected. Encryption can be continued or restored using Jetico’s “Best Crypt Volume Encryption” rescue file, which is also encrypted by the ransomware operator.

Prior to using Jetico’sBestCryptVolumeEncryption, the malicious software shut down all third-party Windows services on the computer to ensure that the security software based on behavioral analysis was disabled. Leaving such a service active leads to its immediate detection and blocking. DeepBlueMagic then deleted the Windows Volume Shadow Copy so that the affected drive could not be restored. Since it was on a Windows server OS, Heimdal tried to activate the Bitlocker encryption tool on all endpoints in that Active Directory.

On the affected server, the entry point was not based on a brute force attempt because no failed login attempt was detected in the audit log. The server had only Microsoft Dynamics AAX installed with Microsoft SQL Server. Unfortunately, the ransomware self-deleted traces of the original executable, except for traces of legitimate Jetico tools. 

The ransomware notes were left in a text file on the desktop named “Hello world”. 

The affected server was restored because the ransomware only started the encryption process and did not actually do it. Basically, DeepBlueMagic ransomware only encrypted the headers of the affected partitions in order to break the Windows functionality of shadow volumes.

Heimdal will perform further analysis in a secure virtual machine environment, but  the information they have so far recognizes its mode of operation and this is addressed in the new version of Heimdal ™ Ransomware Cryptographic Protection

Heindal's malware analysts succeeded in recovering files on inaccessible partitions by trying various decryption tools while simulating the DeepBlueMagic process (starting and then stopping encryption). For those who are or may be affected by DeepBlueMagic ransomware, Heimdal have the know how and the tools to deal with it. 

Heimdal Security:      IT Security News:        jioforme:

You Might Aslo Read: 

Minimising The Impact Of Ransomware:

 

« How To Write A Successful Cyber Security Resume
British Government Ministers Risk Being Hacked »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

PCI Compliance Guide

PCI Compliance Guide

The PCI Compliance Guide is one of the leading educational websites available focused exclusively on PCI compliance.

Progress Flowmon

Progress Flowmon

Progress Flowmon (formerly Flowmon Networks) provide high performance network monitoring technology and behavior analytics to enhance network performance and deal with cyber threats.

Centre for Cyber Security (CFCS) - Denmark

Centre for Cyber Security (CFCS) - Denmark

The Centre for Cyber Security is the Danish national IT security authority, Network Security Service and Centre for Excellence within cyber security.

TEISS

TEISS

Teiss.co.uk is a website dedicated to providing information about cyber security. TEISS also provide a series of conferences and events focused on cyber security.

Sasa Software

Sasa Software

Sasa Software is a cybersecurity software developer specializing in the prevention of file-based network attacks.

Nexus Group

Nexus Group

Nexus Group develops identity solutions for physical and digital access.

Inspirria Cloudtech

Inspirria Cloudtech

Inspirria Cloudtech is a specialized Cloud Technologies Services provider and Cloud Aggregator focused on executing cloud models for clients.

Office of the National Security Council (UVNS) - Croatia

Office of the National Security Council (UVNS) - Croatia

UVNS coordinates, harmonizes the adoption and controls the implementation of information security measures and standards in the Republic of Croatia.

CM Blockchain Security Center

CM Blockchain Security Center

We are dedicated to building a healthier blockchain ecosystem, providing solutions to security technology, and helping those who practice in the area of blockchain to get insight into industry trends.

Salient Law

Salient Law

Salient Law is a virtual law firm that specialises in advising providers and users of technology on contracts involving technology.

Rocheston

Rocheston

Rocheston is an innovation company with cutting-edge research and development in emerging technologies such as Cybersecurity, Internet of Things, Big Data and automation.

Towerwall

Towerwall

Towerwall offers a comprehensive suite of security services and solutions using best-of-breed tools and information security services.

Defscope

Defscope

Defscope is an Azerbaijani company entirely focused on cybersecurity offering training, security consulting, and other professional services.

The ATOM Group

The ATOM Group

ATOM builds and secures technology for regulated industries. We design and build for a future we can all trust.

Comcast Business

Comcast Business

Comcast Business keeps businesses ready for what’s next with powerful connectivity, advanced cybersecurity solutions, and the right people at your side.

NewsGuard Technologies

NewsGuard Technologies

NewsGuard provides transparent tools to counter misinformation for readers, brands, and democracies.