New Ransomware Variant Discovered

Uploaded on 2021-08-16 in TECHNOLOGY--Resilience, NEWS-News Analysis, FREE TO VIEW

A team of Heimdal Security experts have warned of a new ransomware by a group calling itself “DeepBlueMagic.” This new ransomware variant is complex and shows some innovation from most other standard file encryption exploits. DeepBlueMagic uses legitimate third-party disk encryption tools to take advantage of the variety on the system drive (excluding the system drive) rather than the files on the target endpoint as ransomware normally does. 

Heimdal found the affected device that was infected with the ransomware was running Windows Server 2012 R2. The legitimate disk encryption third party tool used is “BestCryptVolumeEncryption” from Jetico was used and present on accessible disk C with a file named “rescue.rsc”. This is a rescue file that is customarily used by Jetico software to recover partition in case of damage. 

However, unlike the legitimate use of the software, the rescue file itself is encrypted by Jetico’s product using the same mechanism and requires a password to open. Heimdal say this is a very rare technique for ransomware strains, as these infections are mostly file-focused.

DeepBlueMagic ransomware has started encrypting all drives except the system drive using Jetico’s products. The machine was found to have an intact “C: ”drive, unencrypted, and a text file of ransom information stored on the desktop. The C drive is a smaller stakes ransomware target because it is located on another partition rather than the system drive used to perform executables and operations. In this case, it was the “D: ” drive that was converted to a RAW partition instead of the usual NTFS and became inaccessible. The drive appears to be corrupted when encrypted, so when you try to access it, the user is prompted to accept the disk format on the Windows OS interface.

Further analysis revealed that the encryption process was started using Jetico’s product and stopped shortly after it started. Therefore, after this workaround process, the drive was only partially encrypted and only the volume header was affected. Encryption can be continued or restored using Jetico’s “Best Crypt Volume Encryption” rescue file, which is also encrypted by the ransomware operator.

Prior to using Jetico’sBestCryptVolumeEncryption, the malicious software shut down all third-party Windows services on the computer to ensure that the security software based on behavioral analysis was disabled. Leaving such a service active leads to its immediate detection and blocking. DeepBlueMagic then deleted the Windows Volume Shadow Copy so that the affected drive could not be restored. Since it was on a Windows server OS, Heimdal tried to activate the Bitlocker encryption tool on all endpoints in that Active Directory.

On the affected server, the entry point was not based on a brute force attempt because no failed login attempt was detected in the audit log. The server had only Microsoft Dynamics AAX installed with Microsoft SQL Server. Unfortunately, the ransomware self-deleted traces of the original executable, except for traces of legitimate Jetico tools. 

The ransomware notes were left in a text file on the desktop named “Hello world”. 

The affected server was restored because the ransomware only started the encryption process and did not actually do it. Basically, DeepBlueMagic ransomware only encrypted the headers of the affected partitions in order to break the Windows functionality of shadow volumes.

Heimdal will perform further analysis in a secure virtual machine environment, but  the information they have so far recognizes its mode of operation and this is addressed in the new version of Heimdal ™ Ransomware Cryptographic Protection

Heindal's malware analysts succeeded in recovering files on inaccessible partitions by trying various decryption tools while simulating the DeepBlueMagic process (starting and then stopping encryption). For those who are or may be affected by DeepBlueMagic ransomware, Heimdal have the know how and the tools to deal with it. 

Heimdal Security:      IT Security News:        jioforme:

You Might Aslo Read: 

Minimising The Impact Of Ransomware:

 

« How To Write A Successful Cyber Security Resume
British Government Ministers Risk Being Hacked »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Morphisec

Morphisec

Morphisec's world leading prevention-first software stops ransomware and other advanced attacks from endpoint to the cloud.

Stealthcare

Stealthcare

Stealthcare is a full service, global cyber security firm offering solutions that educate, empower and protect.

Cybercrime Support Network (CSN)

Cybercrime Support Network (CSN)

CSN is a public-private, nonprofit collaboration created to meet the challenges facing millions of individuals and businesses affected each and every day by cybercrime.

Digital Management (DMI)

Digital Management (DMI)

DMI is a provider of mobile enterprise, business intelligence and cybersecurity services.

Beosin

Beosin

Beosin is a blockchain security company providing cybersecurity services including security audits, on-chain asset investigation, threat intelligence and wallet security.

Trusted Connectivity Alliance (TCA)

Trusted Connectivity Alliance (TCA)

Trusted Connectivity Alliance is a global, non-profit industry association which is working to enable a secure connected future.

Char49

Char49

Char49 specialize in Penetration Testing, Red Team Assessment, Social Engineering and Security Research.

Trianz

Trianz

Trianz Cybersecurity Services are Powered by One of the World’s Largest Databases on Digital Transformation. We Understand Evolving Risks, Technologies and Best Practices.

OwnBackup

OwnBackup

OwnBackup proactively prevents you from losing mission-critical data and metadata with automated backups and rapid, stress-free recovery.

Cyber Command - Romania

Cyber Command - Romania

Cyber Command represents the military authority responsible for the development, protection and resilience of military IT networks and services that support the Romanian Force Structure.

ZARIOT

ZARIOT

ZARIOT's mission is to restore order to what is becoming connected chaos in IoT by bringing unrivalled security, control and quality of service.

Communicate Technology

Communicate Technology

Communicate Technology are IT, telecoms and cyber-security specialists, keeping over 500 businesses and 50,000 users connected and secure across the UK.

Cyber Security Partners (CSP)

Cyber Security Partners (CSP)

Cyber Security Partners specialise in the provision of Cyber Security Consultancy, Data Protection and Certification and Compliance services.

Gomboc.ai

Gomboc.ai

Gomboc solve cloud infrastructure security policy deviations by providing tailored remediations to the IaC (Infrastructure as Code).

Spec

Spec

Spec is the only no-code orchestration platform that protects enterprise fraud defenses from being blocked, bypassed, and manipulated by modern attack tactics.

One Step Secure IT

One Step Secure IT

One Step provide Managed IT Services, Cybersecurity Protections, and Compliance to businesses in the USA nationwide.