New ‘DeepBlueMagic’ Ransomware Discovered by Heimdal Security Researchers


Researchers at Heimdal Security have detected a new ransomware variant used by a threat group that calls itself DeepBlueMagic. The ransomware differs considerably from all previously identified ransomware strains.

Heimdal Security researchers discovered the new ransomware variant on Wednesday, August 11, 2021, in an attack on a device running Windows Server 2012 R2. Analysis of the attack revealed that DeepBlueMagic ransomware works completely differently from any other ransomware encountered in the past.

The researchers determined that DeepBlueMagic ransomware disables the security solutions installed on a device to prevent detection, then uses a third-party disk encryption tool to encrypt entire hard drives rather than individual files. All drives on the targeted server are encrypted with the exception of the system drive (“C:\” partition).

The ransomware uses BestCrypt Volume Encryption software from Jetico. In the attack, the D:\ drive was turned into a RAW partition rather than NTFS, which rendered it inaccessible. Following an attack, any attempt to access the encrypted drive would result in the Windows OS interface prompting the user to accept formatting of the disk, since the drive would be unreadable.

Further analysis of the attack revealed the ransomware stopped all third-party Windows services on the targeted device, thus disabling all security solutions. Then, DeepBlueMagic ransomware deleted the Windows Volume Shadow Copy to ensure the drive could not be restored. An attempt was also made to activate BitLocker on all endpoints in the Active Directory.
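The behavior chain described above (third-party services stopped, shadow copies deleted, a non-system volume changing from NTFS to RAW) can be correlated per host for detection. The Python code below is an added example, not code from Heimdal Security or the original article; the event schema, vendor names, 30-minute window and threshold of three service stops are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
MIN_STOPS = 3                   # assumed threshold for a burst of service stops

# Constructed telemetry in a hypothetical schema (not a real log format).
SAMPLE_EVENTS = [
    {"t": "2021-08-11T02:00:05", "host": "srv01", "kind": "service_stopped", "vendor": "ExampleAV"},
    {"t": "2021-08-11T02:00:06", "host": "srv01", "kind": "service_stopped", "vendor": "ExampleBackup"},
    {"t": "2021-08-11T02:00:07", "host": "srv01", "kind": "service_stopped", "vendor": "ExampleEDR"},
    {"t": "2021-08-11T02:00:09", "host": "srv01", "kind": "service_stopped", "vendor": "Microsoft"},
    {"t": "2021-08-11T02:01:30", "host": "srv01", "kind": "shadow_copy_deleted"},
    {"t": "2021-08-11T02:04:00", "host": "srv01", "kind": "volume_state", "drive": "D:", "old_fs": "NTFS", "new_fs": "RAW"},
    {"t": "2021-08-11T09:15:00", "host": "srv02", "kind": "volume_state", "drive": "E:", "old_fs": "NTFS", "new_fs": "RAW"},
    {"t": "2021-08-11T09:20:00", "host": "srv02", "kind": "service_stopped", "vendor": "ExampleAV"},
]

def stage_of(event):
    """Return the stage of the described chain that an event evidences, or None."""
    kind = event["kind"]
    if kind == "service_stopped" and event.get("vendor") != "Microsoft":
        return "third_party_service_stopped"
    if kind == "shadow_copy_deleted":
        return "shadow_copy_deleted"
    if (kind == "volume_state" and event["drive"] != "C:"
            and event["old_fs"] == "NTFS" and event["new_fs"] == "RAW"):
        return "data_volume_raw"
    return None

def detect(events):
    """Alert on each data volume that turned RAW, scored by preceding stages."""
    parsed = sorted(({**e, "t": datetime.fromisoformat(e["t"])} for e in events),
                    key=lambda e: e["t"])
    alerts = []
    for raw in (e for e in parsed if stage_of(e) == "data_volume_raw"):
        # Same host only, at or before the RAW transition, inside the window.
        prior = [e for e in parsed if e["host"] == raw["host"]
                 and timedelta(0) <= raw["t"] - e["t"] <= WINDOW]
        stops = sum(stage_of(e) == "third_party_service_stopped" for e in prior)
        vss = any(stage_of(e) == "shadow_copy_deleted" for e in prior)
        full_chain = stops >= MIN_STOPS and vss
        alerts.append({"host": raw["host"], "drive": raw["drive"],
                       "service_stops": stops, "shadow_copies_deleted": vss,
                       "severity": "high" if full_chain else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A volume that turns RAW without the preceding stages (srv02 in the sample) is still reported at medium severity, since a failing disk and an interrupted encryption run look the same at that point.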

In this attack, the disk encryption process was started but was not completed; only the volume headers were encrypted. This meant that the encryption process could be continued, or the rescue file created by Jetico’s BestCrypt Volume Encryption could be used to restore the drive; however, the rescue file was also encrypted by the ransomware. In order to access the rescue file, a password must be provided.

Heimdal Security said the ransomware deleted itself in the attack, so it could not be recovered and analyzed on this occasion. The researchers were not able to determine how the ransomware was installed on the server but said there were no failed login attempts, so it was not delivered as a result of a brute-force attack. The server only had a Microsoft Dynamics AAX installed with a Microsoft SQL Server.

The ransom note saved to the desktop advised the victim to make contact via email to find out how much must be paid for the password to recover the encrypted drives.

Heimdal Security researchers said that because the encryption process was only partially completed, recovery without paying the ransom is possible. They simulated the DeepBlueMagic process, tried several decryption tools, and successfully restored the files on the inaccessible partition using the free TestDisk tool from CGSecurity.org.

“The current ransomware landscape is RED HOT right now with thousands of companies being affected daily on the global scale. Financial losses of millions of dollars and severe social consequences, and this new ransomware strain only further emphasizes the cyber criminals’ tendency and ability to innovate their business and continuously maximize for profit,” Heimdal CEO Morten Kjaersgaard told HIPAA Journal. “DeepBlueMagic and all the other new players will, certainly, give their best shot in targeting companies all around the world, so it’s crucial for company owners to start working towards prevention rather than mitigation. The arms race between cyber criminals and cyber security companies is poised to intensify.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.
