deepbluemagic article cover photo

DeepBlueMagic Ransomware Strain Discovered by Heimdal™ – New Ransomware, New Method

DeepBlueMagic, the New Ransomware on the Horizon. How the Strain Works.

On Wednesday, the 11th of August, in the morning, our team of security experts was alerted to an incident that turned out to be a new ransomware strain along with a ransomware note, signed by a group dubbing themselves ‘DeepBlueMagic’.

This new ransomware strain is a complex one, displaying a certain amount of innovation from the standard file-encryption approach of most others.

Incident Breakdown of the DeepBlueMagic Ransomware Attack

The affected device from which the ransomware infection originated was running Windows Server 2012 R2.

By cleverly making use of a legitimate third-party disk encryption tool, the DeepBlueMagic ransomware started the encryption process not of files on the target’s endpoint, as ransomware usually does, but of the different disk drives on the server, except the system drive (the “C:\” partition).

The legit disk encryption third-party tool used is “BestCrypt Volume Encryption” from Jetico.

The “BestCrypt Volume Encryption” was still present on the accessible disk, C, alongside a file named “rescue.rsc”, a rescue file habitually used by Jetico’s software to recover the partition in case of damage. But unlike in the legitimate uses of the software, the rescue file itself was encrypted as well by Jetico’s product, using the same mechanism, and requiring a password in order to be able to open it.

It is a very unusual modus operandi for a ransomware strain, since these infections most often focus on files.

The DeepBlueMagic ransomware used Jetico’s product to start the encryption on all the drives except the system drive. The machine was found with the “C:\” drive intact, not encrypted in any way, and with ransom information text files on the desktop. The C drive is a smaller stakes ransomware target since the more valuable files are located on the other partitions, not on the system drive which is used for running executables and performing operations.

In this case, it was the “D:\” drive that was turned into a RAW partition rather than the common NTFS, making it inaccessible. Any access attempt would have the Windows OS interface prompt the user to accept formatting the disk since the drive looks broken once encrypted.

Further analysis revealed that the encryption process was started using Jetico’s product, and stopped right after its initiation. Therefore, following this go-around process, the drive was only partially encrypted, with just the volume headers being affected. The encryption can be either continued or restored using the rescue file of Jetico’s “BestCrypt Volume Encryption”, but that file was also encrypted by the ransomware operators.

Moreover, the ransomware cleared the stage before commencing the encryption. Before using Jetico’s “BestCrypt Volume Encryption”, the malicious software stopped every third-party Windows service found on the computer, to ensure the disabling of any security software which is based on behavior analysis. Leaving any such services active would have led to its immediate detection and blocking.

Afterward, DeepBlueMagic deleted the Volume Shadow Copy of Windows to ensure restoration is not possible for the affected drives, and since it was on a Windows server OS, it tried to activate Bitlocker on all the endpoints in that active directory.

We actually warned our audience before about the vulnerability posed by Volume Shadow Copy and how most anti-ransomware security products can fail if they are based on it.

On the affected server, no failed login attempts were found in the audit logs, so the entry point was not based on any brute-force attempt. The server only had a Microsoft Dynamics AAX installed with a Microsoft SQL Server.

Unfortunately, the ransomware also self-deleted any trace of the original executable file except the traces of the legitimate Jetico tool. That means we didn’t get a sample of it this time so we can perform more analysis on it in a safe virtual machine environment. But the information we have for now is enough to recognize its mode of operations and to include protection against it in the next version of Heimdal™ Ransomware Encryption Protection.

The ransomware note was left in a text file on the desktop, named ‘Hello world’. You can read the full note below (some details edited for security reasons):

Hello. Your company’s server hard drive was encrypted by us.

We use the most complex encryption algorithm (AES256). Only we can decrypt.

Please contact us: [email address 1]

(Please check spam, Avoid missing mail)

Identification code: ******** (Please tell us the identification code)

Please contact us and we will tell you the amount of ransom and how to pay.

(If the contact is fast, we will give you a discount.)

After the payment is successful, we will tell the decrypt password.

In order for you to believe in us, we have prepared the test server. Please contact us and we will tell the test server and decrypt the password.

Please do not scan encrypted hard drives or attempt to recover data. Prevent data corruption.


If we don’t respond. Please contact an alternate mailbox: [email address 2]

We will enable the alternate mailbox only if the first mailbox is not working properly.


Circumventing DeepBlueMagic (Partially)

The affected server was restored due to the ransomware only initiating the encryption process, without actually following it through. Basically, the DeepBlueMagic ransomware only encrypted the headers of the affected partition, in order to break the Shadow Volumes Windows feature.

Our team of malware analysts managed to restore the files on the inaccessible partition by trying various decryption tools while simulating the DeepBlueMagic process (commencing the encryption and then stopping it).

The tool that succeeded in restoring the files on the locked disk is a free one from So at least there is good news for anyone who is or will be affected by the DeepBlueMagic ransomware, until we find out more about it.

Patch management tools cover

8 Free and Open Source Patch Management Tools for Your Company

Patch Management Tools Are Essential for Your Enterprise Cybersecurity. Here Are Your Best Open Source Alternatives.
Emotet malware cover artwork

Emotet Malware Over the Years: The History of an Infamous Cyber-Threat

What Is Emotet Malware and How Can You Stop It? Protecting Your Business from the Most Resilient Trojan Out There
Do you or someone you know have ever been infected with ransomware?
vmware critical bug exploited

Hackers Are Scanning for the Vulnerability Found in Vmware

The Threat Actors Started Targeting the Internet-Exposed Vmware Vcenter Servers.

The malicious actors are going after the CVE-2021-22005 that is unpatched against a critical arbitrary file upload vulnerability.

This vulnerability that was recently patched could lead to remote code execution, as it impacts all vCenter Server 6.7 and 7.0 deployments with default configurations.

While the exploit code has not yet been made public, threat intelligence firm Bad Packets has detected active scanning activity, with some of its VMware honeypots documenting attackers looking for the serious issue mere hours after VMware published security patches.

Threat actors have previously looked for and targeted weak VMware vCenter systems.

After security researchers revealed proof-of-concept (PoC) exploit code for another severe RCE security hole (CVE-2021-21972) affecting all default vCenter installs in February, attackers scoured the internet for unpatched vCenter appliances.

Following the publication of the attack code online in June, scanning for Internet-exposed VMware vCenter systems left susceptible to CVE-2021-21985 RCE exploits commenced.

Possible Incoming Exploitation Attempts

The ongoing scans are coming soon after the warning issued by VMware in which it was highlighted the importance of patching servers against the CVE-2021-22005 bug as soon as possible.

This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server.

In this era of ransomware, it is safest to assume that an attacker is already inside your network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.


VMware provided a workaround that requires the admins to edit a text file on the virtual appliance and restart the services manually or by using a script in order to remove the exploitation vector.

Immediately, the ramifications of this vulnerability are serious and it is a matter of time – likely minutes after the disclosure – before working exploits are publicly available.

With the threat of ransomware looming nowadays, the safest stance is to assume that an attacker may already have control of a desktop and a user account through the use of techniques like phishing or spearphishing and act accordingly.

This means the attacker may already be able to reach vCenter Server from inside a corporate firewall, and time is of the essence.


RaidForums cover Heimdal security blog

The RaidForums Data Marketplace Mistakenly Makes Confidential Staff Pages Public

Everyone Was Able to See Bans-related Conversations, Various Requests, and Others.
Cover Image Conti ransomware attacks

Conti Ransomware Attacks on the Rise, FBI, CISA, and NSA Warn

They Published a Joint Advisory with Mitigation Measures against Conti.
Apple deprecates TLS Heimdal cover Heimdal security blog

Apple Announced that TLS 1.0 and 1.1 Has Been Deprecated in iOS 15, iPadOS 15, macOS 12, and More

The Tech Giant Also Stated that Support for the Protocols Will Be Removed in Future Releases.