deepbluemagic article cover photo

DeepBlueMagic Ransomware Strain Discovered by Heimdal™ – New Ransomware, New Method

DeepBlueMagic, the New Ransomware on the Horizon. How the Strain Works.

On Wednesday, the 11th of August, in the morning, our team of security experts was alerted to an incident that turned out to be a new ransomware strain along with a ransomware note, signed by a group dubbing themselves ‘DeepBlueMagic’.

This new ransomware strain is a complex one, displaying a certain amount of innovation from the standard file-encryption approach of most others.

Incident Breakdown of the DeepBlueMagic Ransomware Attack

The affected device from which the ransomware infection originated was running Windows Server 2012 R2.

By cleverly making use of a legitimate third-party disk encryption tool, the DeepBlueMagic ransomware started the encryption process not of files on the target’s endpoint, as ransomware usually does, but of the different disk drives on the server, except the system drive (the “C:\” partition).

The legit disk encryption third-party tool used is “BestCrypt Volume Encryption” from Jetico.

The “BestCrypt Volume Encryption” was still present on the accessible disk, C, alongside a file named “rescue.rsc”, a rescue file habitually used by Jetico’s software to recover the partition in case of damage. But unlike in the legitimate uses of the software, the rescue file itself was encrypted as well by Jetico’s product, using the same mechanism, and requiring a password in order to be able to open it.

It is a very unusual modus operandi for a ransomware strain, since these infections most often focus on files.

The DeepBlueMagic ransomware used Jetico’s product to start the encryption on all the drives except the system drive. The machine was found with the “C:\” drive intact, not encrypted in any way, and with ransom information text files on the desktop. The C drive is a smaller stakes ransomware target since the more valuable files are located on the other partitions, not on the system drive which is used for running executables and performing operations.

In this case, it was the “D:\” drive that was turned into a RAW partition rather than the common NTFS, making it inaccessible. Any access attempt would have the Windows OS interface prompt the user to accept formatting the disk since the drive looks broken once encrypted.

Further analysis revealed that the encryption process was started using Jetico’s product, and stopped right after its initiation. Therefore, following this go-around process, the drive was only partially encrypted, with just the volume headers being affected. The encryption can be either continued or restored using the rescue file of Jetico’s “BestCrypt Volume Encryption”, but that file was also encrypted by the ransomware operators.

Moreover, the ransomware cleared the stage before commencing the encryption. Before using Jetico’s “BestCrypt Volume Encryption”, the malicious software stopped every third-party Windows service found on the computer, to ensure the disabling of any security software which is based on behavior analysis. Leaving any such services active would have led to its immediate detection and blocking.

Afterward, DeepBlueMagic deleted the Volume Shadow Copy of Windows to ensure restoration is not possible for the affected drives, and since it was on a Windows server OS, it tried to activate Bitlocker on all the endpoints in that active directory.

We actually warned our audience before about the vulnerability posed by Volume Shadow Copy and how most anti-ransomware security products can fail if they are based on it.

On the affected server, no failed login attempts were found in the audit logs, so the entry point was not based on any brute-force attempt. The server only had a Microsoft Dynamics AAX installed with a Microsoft SQL Server.

Unfortunately, the ransomware also self-deleted any trace of the original executable file except the traces of the legitimate Jetico tool. That means we didn’t get a sample of it this time so we can perform more analysis on it in a safe virtual machine environment. But the information we have for now is enough to recognize its mode of operations and to include protection against it in the next version of Heimdal™ Ransomware Encryption Protection.

The ransomware note was left in a text file on the desktop, named ‘Hello world’. You can read the full note below (some details edited for security reasons):

Hello. Your company’s server hard drive was encrypted by us.

We use the most complex encryption algorithm (AES256). Only we can decrypt.

Please contact us: [email address 1]

(Please check spam, Avoid missing mail)

Identification code: ******** (Please tell us the identification code)

Please contact us and we will tell you the amount of ransom and how to pay.

(If the contact is fast, we will give you a discount.)

After the payment is successful, we will tell the decrypt password.

In order for you to believe in us, we have prepared the test server. Please contact us and we will tell the test server and decrypt the password.

Please do not scan encrypted hard drives or attempt to recover data. Prevent data corruption.


If we don’t respond. Please contact an alternate mailbox: [email address 2]

We will enable the alternate mailbox only if the first mailbox is not working properly.


Circumventing DeepBlueMagic (Partially)

The affected server was restored due to the ransomware only initiating the encryption process, without actually following it through. Basically, the DeepBlueMagic ransomware only encrypted the headers of the affected partition, in order to break the Shadow Volumes Windows feature.

Our team of malware analysts managed to restore the files on the inaccessible partition by trying various decryption tools while simulating the DeepBlueMagic process (commencing the encryption and then stopping it).

The tool that succeeded in restoring the files on the locked disk is a free one from So at least there is good news for anyone who is or will be affected by the DeepBlueMagic ransomware, until we find out more about it.

Heimdal Official Logo
Neutralize ransomware before it can hit.

Heimdal™ Ransomware Encryption Protection

Specifically engineered to counter the number one security risk to any business – ransomware.
  • Blocks any unauthorized encryption attempts;
  • Detects ransomware regardless of signature;
  • Universal compatibility with any cybersecurity solution;
  • Full audit trail with stunning graphics;
Try it for FREE today 30-day Free Trial. Offer valid only for companies.
Patch management tools cover

8 Free and Open Source Patch Management Tools for Your Company

Patch Management Tools Are Essential for Your Enterprise Cybersecurity. Here Are Your Best Open Source Alternatives.
what is patch management

Patch Management Explained. What It Is, Best Practices and Benefits

All You Need to Know about Patch Management. And Why Automated Patch Management Will Simplify Your Sysadmins’ Life.  
Do you leave your computer unattended at work?

Squirrelwaffle Malware Used to Drop Cobalt Strike

The New Malware Is Currently Spreading in the Wild.

Penetration testers prefer Cobalt Strike when trying to replicate how cybercriminal tools would look when assaulting an organization’s network.

Unfortunately, hackers adapted to it, and Cobalt became a popular second-stage payload for a variety of malware families.

Squirrelwaffle, a new threat that provides supporting actors with an initial footing and a mechanism to spread malware onto compromised devices and networks, has been discovered in the wild.

The new virus spreads through spam campaigns, with the most recent efforts releasing Qakbot and Cobalt Strike.

Squirrelwaffle is one of the technologies that surfaced as an Emotet substitute immediately after the widely used botnet was disrupted by law enforcement.

The New Threat Surfaced in September 2021

While the spam campaign predominantly leverages English-language stolen reply-chain email campaigns, the threat actors also use emails in French, German, Dutch, and Polish.

These emails usually contain links to malicious ZIP packages located on attacker-controlled web domains, as well as a malicious.doc or.xls attachment that, when viewed, executes malware-retrieving code.

As explained by BleepingComputer, the perpetrators utilize the DocuSign signature tool as bait to lure recipients into activating macros in their MS Office suite on various papers tested and evaluated by Talos researchers.


This activity retrieves Squirrelwaffle from one of the five hardcoded URLs and installs it on the infected machine as a DLL file.


The Squirrelwaffle loader subsequently installs malware such as Qakbot or Cobalt Strike, a frequently used penetration testing tool.

To avoid discovery and analysis, Squirrelwaffle includes an IP blocklist populated with well-known security research organizations.

Squirrelwaffle communicates with the C2 infrastructure using HTTP POST requests that are encrypted (XOR+Base64).

To facilitate the file distribution element of their activities, the threat actors use previously compromised web servers, with the majority of these sites running WordPress 5.8.1.

The adversaries use “antibot” software on these systems to assist avoid white-hat discovery and analysis.

Researchers from Talos believe that Squirrelwaffle might be Emotet resurrected by individuals who eluded law enforcement or other threat actors.

If you liked this article, follow us on LinkedInTwitterYouTubeFacebookand Instagram to keep up to date with everything we post.


Is Conti Ransomware Selling Access to Victims?

It Seems That the Organizations Infected with Conti’s Malware that Are Refusing to Negotiate A Ransom Payment Are Added to Conti’s Victim Shaming Blog.
Ranzy Locker cover picture

Ransomware Dubbed Ranzy Locker Has Affected No Less Than 30 US Companies in 2021, FBI Reports

The Federal Bureau of Investigation Released a Report Illustrating the Ranzy Locker’s Effect Throughout This Year.
Lazarus cover Heimdal security blog

Lazarus Hacking Group Now Focusing on IT Supply Chain Attacks

Researchers Noticed that Lazarus Has Been Conducting Two Different Supply Chain Attack Operations.