DeepBlueMagic Ransomware Description
DeepBlueMagic appears to be a newly established gang in the ransomware landscape. The group's operations were first picked up by the infosec researchers at Heimdal Security. Analysis of the deployed ransomware has revealed some very peculiar characteristics that set DeepBlueMagic apart from typical ransomware threats.
For starters, the group employs a legitimate third-party disk encryption program named 'BestCrypt Volume Encryption' for its encryption process. Instead of focusing on individual files, DeepBlueMagic locks entire disk drives connected to the compromised server. However, the system disk (C:) is left intact and accessible. It hosts the encryption tool and its rescue file 'rescue.rsc'. Normally, this file can be used to recover partitions encrypted by the tool in case of unexpected issues. However, the 'rescue.rsc' file left by DeepBlueMagic is unusable because it was itself encrypted by the same program and requires a key to be opened.
It should be noted that the encryption process is initiated via BestCrypt Volume Encryption and then stopped almost immediately. This means that only the volume headers are encrypted, not the entire disk. Still, the affected partitions are recognized by the system as being in RAW format and are unusable.
Before the encryption process is started, DeepBlueMagic must prepare the environment on the infected system. This involves disabling all third-party Windows services discovered on the computer. Doing so ensures that no security software based on behavioral analysis is left running, as leaving such programs active would result in the immediate detection of the threatening activity and its subsequent blocking.
The next step performed by DeepBlueMagic is to delete the Volume Shadow Copy backups created by Windows. Leaving them in place would mean that users could potentially restore the locked data without needing any input from the cybercriminals. To prevent experts from getting their hands on a sample of the threat, the malware deletes its own file from the infected device, leaving behind only the legitimate encryption tool and a ransom note in the form of a text file named 'Hello world'. The note-bearing file is created on the Desktop of the system. The full text of the message is:
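The two preparation steps described above, mass-stopping of third-party services followed by shadow copy deletion, each leave a footprint in standard Windows telemetry: the Service Control Manager logs event 7036 for every service that enters the stopped state, and Sysmon event 1 (process creation) records the command line used. The following is an added detection example written for this page; it is not code from the original report or from Heimdal Security. The log lines, service names, timestamps and the tab-separated log format are all constructed for the example, and the 60-second window and five-service threshold are assumed starting points that a defender would tune to their own environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): timestamp<TAB>channel<TAB>event_id<TAB>message.
# Event 7036 is the Service Control Manager's "service entered the <state> state" record;
# Sysmon event 1 is process creation, with the command line carried in the message.
SAMPLE_LOG = """\
2021-08-10T02:14:01\tSystem\t7036\tThe Windows Update service entered the running state.
2021-08-10T02:14:05\tSystem\t7036\tThe ExampleEDR Agent service entered the stopped state.
2021-08-10T02:14:06\tSystem\t7036\tThe ExampleBackup Scheduler service entered the stopped state.
2021-08-10T02:14:06\tSystem\t7036\tThe ExampleDB Server service entered the stopped state.
2021-08-10T02:14:07\tSystem\t7036\tThe ExampleMonitor service entered the stopped state.
2021-08-10T02:14:08\tSystem\t7036\tThe ExampleAV Realtime service entered the stopped state.
2021-08-10T02:15:30\tSysmon\t1\tImage: C:\\Windows\\System32\\vssadmin.exe CommandLine: vssadmin delete shadows /all /quiet
2021-08-10T02:15:31\tSysmon\t1\tImage: C:\\Windows\\System32\\wbem\\WMIC.exe CommandLine: wmic shadowcopy delete
2021-08-10T03:00:00\tSystem\t7036\tThe Print Spooler service entered the stopped state.
"""

# Extracts the service name from a 7036 "stopped state" message.
STOP_RE = re.compile(r"^The (?P<name>.+?) service entered the stopped state\.$")

# Common ways of deleting Volume Shadow Copies from a command line or WMI.
SHADOW_RE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows"
    r"|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|Win32_ShadowCopy.*?\b(Delete|Remove)",
    re.IGNORECASE,
)


def parse_log(text):
    """Parse the tab-separated sample format into (timestamp, channel, event_id, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, channel, event_id, message = line.split("\t", 3)
        events.append((datetime.fromisoformat(ts), channel, int(event_id), message))
    return events


def service_stop_bursts(events, window=timedelta(seconds=60), threshold=5):
    """Return (first_timestamp, [service names]) for every run of >= threshold stops inside window.

    A single service stopping is routine; many stopping within seconds of each other is the
    pattern produced by ransomware disabling security and backup software before encrypting.
    """
    stops = []
    for ts, channel, eid, msg in events:
        if channel == "System" and eid == 7036:
            m = STOP_RE.match(msg)
            if m:
                stops.append((ts, m.group("name")))
    stops.sort()
    bursts = []
    i = 0
    while i < len(stops):
        start_ts = stops[i][0]
        names = []
        j = i
        while j < len(stops) and stops[j][0] - start_ts <= window:
            names.append(stops[j][1])
            j += 1
        if len(names) >= threshold:
            bursts.append((start_ts, names))
            i = j  # skip past the events already attributed to this burst
        else:
            i += 1
    return bursts


def shadow_copy_deletions(events):
    """Return (timestamp, command line) for process creations matching shadow copy deletion."""
    hits = []
    for ts, channel, eid, msg in events:
        if channel == "Sysmon" and eid == 1 and SHADOW_RE.search(msg):
            hits.append((ts, msg.split("CommandLine: ", 1)[-1]))
    return hits


def assess(text):
    """Combine both detections: either alone is worth a look, both together is the full pattern."""
    events = parse_log(text)
    bursts = service_stop_bursts(events)
    deletions = shadow_copy_deletions(events)
    if bursts and deletions:
        severity = "high"
    elif bursts or deletions:
        severity = "medium"
    else:
        severity = "none"
    return {"service_stop_bursts": bursts, "shadow_copy_deletions": deletions, "severity": severity}


if __name__ == "__main__":
    result = assess(SAMPLE_LOG)
    for ts, names in result["service_stop_bursts"]:
        print(f"{ts}: {len(names)} services stopped within 60s: {', '.join(names)}")
    for ts, cmd in result["shadow_copy_deletions"]:
        print(f"{ts}: shadow copy deletion: {cmd}")
    print("severity:", result["severity"])
```

Running the script over the constructed sample reports one burst of five stopped services and two shadow copy deletion commands, and rates the combination as high severity. On a real host the same logic would be fed from the System event log and the Sysmon operational log; because DeepBlueMagic deletes its own executable afterwards, these two records are often the clearest evidence of the preparation phase that remains on the machine.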
'Hello. Your company’s server hard drive was encrypted by us.
We use the most complex encryption algorithm (AES256). Only we can decrypt.
Please contact us: [email address 1]
(Please check spam, Avoid missing mail)
Identification code: ******** (Please tell us the identification code)
Please contact us and we will tell you the amount of ransom and how to pay.
(If the contact is fast, we will give you a discount.)
After the payment is successful, we will tell the decrypt password.
In order for you to believe in us, we have prepared the test server. Please contact us and we will tell the test server and decrypt the password.
Please do not scan encrypted hard drives or attempt to recover data. Prevent data corruption.
If we don’t respond. Please contact an alternate mailbox: [email address 2]
We will enable the alternate mailbox only if the first mailbox is not working properly.'