New Ransomware Variant Discovered

A team of Heimdal Security experts have warned of a new ransomware by a group calling itself “DeepBlueMagic.” This new ransomware variant is complex and shows some innovation from most other standard file encryption exploits. DeepBlueMagic uses legitimate third-party disk encryption tools to take advantage of the variety on the system drive (excluding the system drive) rather than the files on the target endpoint as ransomware normally does. 

Heimdal found the affected device that was infected with the ransomware was running Windows Server 2012 R2. The legitimate disk encryption third party tool used is “BestCryptVolumeEncryption” from Jetico was used and present on accessible disk C with a file named “rescue.rsc”. This is a rescue file that is customarily used by Jetico software to recover partition in case of damage. 

However, unlike the legitimate use of the software, the rescue file itself is encrypted by Jetico’s product using the same mechanism and requires a password to open. Heimdal say this is a very rare technique for ransomware strains, as these infections are mostly file-focused.

DeepBlueMagic ransomware has started encrypting all drives except the system drive using Jetico’s products. The machine was found to have an intact “C: ”drive, unencrypted, and a text file of ransom information stored on the desktop. The C drive is a smaller stakes ransomware target because it is located on another partition rather than the system drive used to perform executables and operations. In this case, it was the “D: ” drive that was converted to a RAW partition instead of the usual NTFS and became inaccessible. The drive appears to be corrupted when encrypted, so when you try to access it, the user is prompted to accept the disk format on the Windows OS interface.

Further analysis revealed that the encryption process was started using Jetico’s product and stopped shortly after it started. Therefore, after this workaround process, the drive was only partially encrypted and only the volume header was affected. Encryption can be continued or restored using Jetico’s “Best Crypt Volume Encryption” rescue file, which is also encrypted by the ransomware operator.

Prior to using Jetico’sBestCryptVolumeEncryption, the malicious software shut down all third-party Windows services on the computer to ensure that the security software based on behavioral analysis was disabled. Leaving such a service active leads to its immediate detection and blocking. DeepBlueMagic then deleted the Windows Volume Shadow Copy so that the affected drive could not be restored. Since it was on a Windows server OS, Heimdal tried to activate the Bitlocker encryption tool on all endpoints in that Active Directory.

On the affected server, the entry point was not based on a brute force attempt because no failed login attempt was detected in the audit log. The server had only Microsoft Dynamics AAX installed with Microsoft SQL Server. Unfortunately, the ransomware self-deleted traces of the original executable, except for traces of legitimate Jetico tools. 

The ransomware notes were left in a text file on the desktop named “Hello world”. 

The affected server was restored because the ransomware only started the encryption process and did not actually do it. Basically, DeepBlueMagic ransomware only encrypted the headers of the affected partitions in order to break the Windows functionality of shadow volumes.

Heimdal will perform further analysis in a secure virtual machine environment, but  the information they have so far recognizes its mode of operation and this is addressed in the new version of Heimdal ™ Ransomware Cryptographic Protection

Heindal's malware analysts succeeded in recovering files on inaccessible partitions by trying various decryption tools while simulating the DeepBlueMagic process (starting and then stopping encryption). For those who are or may be affected by DeepBlueMagic ransomware, Heimdal have the know how and the tools to deal with it. 

Heimdal Security:      IT Security News:        jioforme:

You Might Aslo Read: 

Minimising The Impact Of Ransomware:

 

« How To Write A Successful Cyber Security Resume
British Government Ministers Risk Being Hacked »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Cylance Smart Antivirus

Cylance Smart Antivirus

An antivirus that works smarter, not harder, from BlackBerry. Lightweight, non-intrusive protection powered by artificial intelligence. BUY NOW - LIMITED DISCOUNT OFFER.

Perimeter 81

Perimeter 81

Perimeter 81 is a Zero Trust Network as a Service designed to simplify secure network, cloud and application access for the modern and distributed workforce.

Clayden Law

Clayden Law

Clayden Law are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

BackupVault

BackupVault

BackupVault is a leading provider of completely automatic, fully encrypted online, cloud backup.

TeleSign

TeleSign

TeleSign is the leading provider of single-platform global communications and trusted identity data solutions. We help digital enterprises connect, protect and engage their customers.

SAP

SAP

SAP is a multinational software company. Security software includes Application & IT Infrastructure Security; Identity, Access & Authentication Management.

Massive Alliance

Massive Alliance

Massive is a global service agency providing internet monitoring, data & security threat surveillance and reputation management.

NetDiligence

NetDiligence

NetDiligence is a privately-held cyber risk assessment and data breach services company.

PROOF

PROOF

PROOF is a Brazilian leader in cybersecurity. Our goal is to assist our Customers in managing security efficiently and in tune with business needs.

Polish Centre for Accreditation (PCA)

Polish Centre for Accreditation (PCA)

PCA is the national accreditation body for Poland. The directory of members provides details of organisations offering certification services for ISO 27001.

S2S Group

S2S Group

S2S Group specialise in the destruction and management of IT assets at the end of the lifecycle.

Taoglas

Taoglas

Taoglas Next Gen IoT Edge software provides a pay as you go platform for customers to connect, manage and maintain their edge devices in an efficient and secure way.

Baker Donelson

Baker Donelson

Baker Donelson is a law firm with a team of more than 700 attorneys and advisors representing more than 30 practice areas including Data Protection, Privacy and Cybersecurity.

Sygnia

Sygnia

Sygnia is a cyber technology and services company, providing high-end consulting and incident response support for organizations worldwide.

Porto Research, Technology & Innovation Center (PORTIC)

Porto Research, Technology & Innovation Center (PORTIC)

PORTIC brings together several research centers and groups from P.PORTO in a single space, forming a superstructure dedicated to research, technology transfer, innovation and entrepreneurship.

Motiv ICT Security

Motiv ICT Security

Motiv is the ICT security specialist that provides public and private sector organisations with IT security solutions and services to prevent cybercrime, data theft and data breaches.