Heimdal security researchers were just informed about a new ransomware strain, signed by a group called DeepBlueMagic. Apparently, the new strain is rather complex, displaying innovative approaches in terms of its file encryption.
The compromised device the researchers analyzed was running Windows Server 2021 R2. So, let’s see what’s so different about the newly emerged DeepBlueMagic ransomware.
A Look Into DeepBlueMagic Ransomware
First of all, the ransomware uses a third-party encryption tool called BestCrypt Volume Encryption by Jetico. Rather than encrypting individual files on the victim’s system, the ransomware targeted the different disk drives on the server, with the exception of the system drive located on the “C:\” partition.
“The “BestCrypt Volume Encryption” was still present on the accessible disk, C, alongside a file named “rescue.rsc”, a rescue file habitually used by Jetico’s software to recover the partition in case of damage. But unlike in the legitimate uses of the software, the rescue file itself was encrypted as well by Jetico’s product, using the same mechanism, and requiring a password in order to be able to open it,” Heimdal explained.
This is not the usual modus operandi used by most ransomware families out there. Most ransomware infections focus on encrypting files.
“Further analysis revealed that the encryption process was started using Jetico’s product, and stopped right after its initiation. Therefore, following this go-around process, the drive was only partially encrypted, with just the volume headers being affected. The encryption can be either continued or restored using the rescue file of Jetico’s “BestCrypt Volume Encryption”, but that file was also encrypted by the ransomware operators,” the report added.
DeepBlueMagic ransomware also deleted Volume Shadow Copies to make sure file restoration is not possible. Since it was detected on a Windows Server operating system, the ransomware also attempted to activate BitLocker on all endpoints in that Active Directory.
“Unfortunately, the ransomware also self-deleted any trace of the original executable file except the traces of the legitimate Jetico tool. That means we didn’t get a sample of it this time so we can perform more analysis on it in a safe virtual machine environment,” Heimdal added. Fortunately, the information the researchers got was enough to compile a technical report of the incident and the ransomware’s characteristics.
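With no executable to analyse, the behaviours described above are what a defender can look for. As an added illustration that is not part of Heimdal's report, the script below correlates four of them per host (a BestCrypt binary appearing, a rescue.rsc file, shadow copy deletion, BitLocker activation); the sample log lines, image paths and the vssadmin/manage-bde command lines are constructed assumptions, not indicators published in the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the Heimdal report): "<timestamp> <host> <event>".
# Image paths and command lines are assumptions chosen to exercise the rules below.
SAMPLE_LOG = """\
2021-08-10T02:01:05 srv01 process_create image=C:\\Users\\Public\\BestCrypt_VE_setup.exe
2021-08-10T02:02:11 srv01 file_create path=C:\\rescue.rsc
2021-08-10T02:03:40 srv01 process_create image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin delete shadows /all /quiet"
2021-08-10T02:04:02 srv01 process_create image=C:\\Windows\\System32\\manage-bde.exe cmdline="manage-bde -on D:"
2021-08-10T09:15:00 srv02 file_create path=C:\\Users\\admin\\Documents\\rescue.rsc
"""

# Each behaviour on its own is legitimate (BestCrypt is a commercial product, admins
# rotate shadow copies and enable BitLocker); the combination in a short window is not.
INDICATORS = {
    "bestcrypt_volume_encryption": re.compile(r"bestcrypt", re.I),
    "rescue_file": re.compile(r"rescue\.rsc", re.I),
    "shadow_copy_deletion": re.compile(r"vssadmin.*delete\s+shadows", re.I),
    "bitlocker_activation": re.compile(r"manage-bde.*\s-on\b", re.I),
}


def correlate(log_text, window=timedelta(minutes=30), min_indicators=3):
    """Return {host: [indicator names]} for hosts showing at least
    `min_indicators` distinct behaviours within `window` of each other."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, event = line.split(" ", 2)
        for name, rx in INDICATORS.items():
            if rx.search(event):
                hits[host].append((datetime.fromisoformat(ts), name))
    alerts = {}
    for host, events in hits.items():
        events.sort()
        # Slide a window anchored at each hit; alert on the first dense cluster.
        for i, (t0, _) in enumerate(events):
            names = {n for t, n in events[i:] if t - t0 <= window}
            if len(names) >= min_indicators:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for host, names in correlate(SAMPLE_LOG).items():
        print(f"ALERT {host}: {', '.join(names)}")
```

srv02 shows only a lone rescue.rsc and is not flagged at the default threshold, which is the point: a single BestCrypt artefact is normal use of the product, the cluster is the incident.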
What about DeepBlueMagic’s ransom note?
It was dropped on the desktop in a text file called “Hello world.” Here’s what it says, with some details edited for security reasons:
Hello. Your company’s server hard drive was encrypted by us.
We use the most complex encryption algorithm (AES256). Only we can decrypt.
Please contact us: [email address 1] (Please check spam, Avoid missing mail)
Identification code: ******** (Please tell us the identification code)
Please contact us and we will tell you the amount of ransom and how to pay.
(If the contact is fast, we will give you a discount.)
After the payment is successful, we will tell the decrypt password.
In order for you to believe in us, we have prepared the test server. Please contact us and we will tell the test server and decrypt the password.
Please do not scan encrypted hard drives or attempt to recover data. Prevent data corruption.
If we don’t respond. Please contact an alternate mailbox: [email address 2] We will enable the alternate mailbox only if the first mailbox is not working properly.
The good news is that it is possible to partially circumvent this ransomware, at least in the case of the compromised server Heimdal analyzed.
“The affected server was restored due to the ransomware only initiating the encryption process, without actually following it through. Basically, the DeepBlueMagic ransomware only encrypted the headers of the affected partition, in order to break the Shadow Volumes Windows feature,” the researchers shared.