DeepBlueMagic Ransomware Strain Discovered by Heimdal™ – New Ransomware, New Method
DeepBlueMagic, the New Ransomware on the Horizon. How the Strain Works.
On Wednesday, the 11th of August, in the morning, our team of security experts was alerted to an incident that turned out to be a new ransomware strain along with a ransomware note, signed by a group dubbing themselves ‘DeepBlueMagic’.
This new ransomware strain is a complex one, displaying a certain amount of innovation from the standard file-encryption approach of most others.
Incident Breakdown of the DeepBlueMagic Ransomware Attack
The affected device from which the ransomware infection originated was running Windows Server 2012 R2.
By cleverly making use of a legitimate third-party disk encryption tool, the DeepBlueMagic ransomware started the encryption process not of files on the target’s endpoint, as ransomware usually does, but of the different disk drives on the server, except the system drive (the “C:\” partition).
The legit disk encryption third-party tool used is “BestCrypt Volume Encryption” from Jetico.
The “BestCrypt Volume Encryption” was still present on the accessible disk, C, alongside a file named “rescue.rsc”, a rescue file habitually used by Jetico’s software to recover the partition in case of damage. But unlike in the legitimate uses of the software, the rescue file itself was encrypted as well by Jetico’s product, using the same mechanism, and requiring a password in order to be able to open it.
It is a very unusual modus operandi for a ransomware strain, since these infections most often focus on files.
The DeepBlueMagic ransomware used Jetico’s product to start the encryption on all the drives except the system drive. The machine was found with the “C:\” drive intact, not encrypted in any way, and with ransom information text files on the desktop. The C drive is a smaller stakes ransomware target since the more valuable files are located on the other partitions, not on the system drive which is used for running executables and performing operations.
In this case, it was the “D:\” drive that was turned into a RAW partition rather than the common NTFS, making it inaccessible. Any access attempt would have the Windows OS interface prompt the user to accept formatting the disk since the drive looks broken once encrypted.
Further analysis revealed that the encryption process was started using Jetico’s product, and stopped right after its initiation. Therefore, following this go-around process, the drive was only partially encrypted, with just the volume headers being affected. The encryption can be either continued or restored using the rescue file of Jetico’s “BestCrypt Volume Encryption”, but that file was also encrypted by the ransomware operators.
Moreover, the ransomware cleared the stage before commencing the encryption. Before using Jetico’s “BestCrypt Volume Encryption”, the malicious software stopped every third-party Windows service found on the computer, to ensure the disabling of any security software which is based on behavior analysis. Leaving any such services active would have led to its immediate detection and blocking.
Afterward, DeepBlueMagic deleted the Volume Shadow Copy of Windows to ensure restoration is not possible for the affected drives, and since it was on a Windows server OS, it tried to activate Bitlocker on all the endpoints in that active directory.
We actually warned our audience before about the vulnerability posed by Volume Shadow Copy and how most anti-ransomware security products can fail if they are based on it.
On the affected server, no failed login attempts were found in the audit logs, so the entry point was not based on any brute-force attempt. The server only had a Microsoft Dynamics AAX installed with a Microsoft SQL Server.
Unfortunately, the ransomware also self-deleted any trace of the original executable file except the traces of the legitimate Jetico tool. That means we didn’t get a sample of it this time so we can perform more analysis on it in a safe virtual machine environment. But the information we have for now is enough to recognize its mode of operations and to include protection against it in the next version of Heimdal™ Ransomware Encryption Protection.
The ransomware note was left in a text file on the desktop, named ‘Hello world’. You can read the full note below (some details edited for security reasons):
Hello. Your company’s server hard drive was encrypted by us.
We use the most complex encryption algorithm (AES256). Only we can decrypt.
Please contact us: [email address 1]
(Please check spam, Avoid missing mail)
Identification code: ******** (Please tell us the identification code)
Please contact us and we will tell you the amount of ransom and how to pay.
(If the contact is fast, we will give you a discount.)
After the payment is successful, we will tell the decrypt password.
In order for you to believe in us, we have prepared the test server. Please contact us and we will tell the test server and decrypt the password.
Please do not scan encrypted hard drives or attempt to recover data. Prevent data corruption.
If we don’t respond. Please contact an alternate mailbox: [email address 2]
We will enable the alternate mailbox only if the first mailbox is not working properly.
Circumventing DeepBlueMagic (Partially)
The affected server was restored due to the ransomware only initiating the encryption process, without actually following it through. Basically, the DeepBlueMagic ransomware only encrypted the headers of the affected partition, in order to break the Shadow Volumes Windows feature.
Our team of malware analysts managed to restore the files on the inaccessible partition by trying various decryption tools while simulating the DeepBlueMagic process (commencing the encryption and then stopping it).
The tool that succeeded in restoring the files on the locked disk is a free one from CGSecurity.org. So at least there is good news for anyone who is or will be affected by the DeepBlueMagic ransomware, until we find out more about it.