March 24, 2023

Heimdal security researchers were just informed about a new ransomware strain, signed by a group called DeepBlueMagic.

It uses a third-party encryption tool called BestCrypt Volume Encryption. Rather than encrypting individual files on the victim’s system, the ransomware targeted the server’s disk drives as whole volumes, with the exception of the system drive, the “C:\” partition.

The “BestCrypt Volume Encryption” tool was still present on the accessible disk, C, alongside a file named “rescue.rsc”, the rescue file that Jetico’s software normally uses to recover a partition in case of damage. But unlike in legitimate uses of the software, the rescue file itself was also encrypted by Jetico’s product, using the same mechanism, so a password is required to open it.

The encryption process was started with Jetico’s product and stopped right after it began. As a result, the drive was only partially encrypted, with just the volume headers affected. The encryption could be either continued or reverted using the rescue file of Jetico’s “BestCrypt Volume Encryption”, but that file was also encrypted by the ransomware operators.

DeepBlueMagic ransomware also deleted Volume Shadow Copies to make sure file restoration is not possible. Since it was detected on a Windows server operating system, the ransomware also attempted to activate BitLocker on all endpoints in that Active Directory domain.

This ransomware also deleted every trace of its original executable file, leaving only the traces of the legitimate Jetico tool. As a result, no files have been collected for analysis.
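A host triage check for the traces described above, as an added example that is not from Heimdal’s report or Jetico’s product: it looks for a BestCrypt install entry, any rescue.rsc file on fixed drives, the number of shadow copies still present, and BitLocker activity on each volume. It assumes an elevated PowerShell 5.1 or later session and that the product registers under the standard Uninstall keys with “BestCrypt” in its display name.

```powershell
# Added triage example (not from the report). Assumptions: elevated session,
# PowerShell 5.1+, and that BestCrypt appears under the standard Uninstall keys.
$findings = @()

# 1. Is BestCrypt Volume Encryption installed? Query both Uninstall hives.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$bestcrypt = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*BestCrypt*' }
if ($bestcrypt) {
    $findings += "BestCrypt installed: $($bestcrypt.DisplayName -join ', ')"
}

# 2. Look for rescue.rsc on every fixed drive (the report found it on C:).
#    -Depth keeps the scan shallow; widen it if the tool was installed elsewhere.
$fixedDrives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3'
foreach ($drive in $fixedDrives) {
    Get-ChildItem -Path "$($drive.DeviceID)\" -Filter 'rescue.rsc' -File -Recurse -Depth 3 `
        -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Rescue file: $($_.FullName) ($($_.Length) bytes)" }
}

# 3. Shadow copies: none left on a server that normally keeps them is a red flag.
$shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)
$findings += "Volume Shadow Copies present: $($shadows.Count)"

# 4. BitLocker state per volume: anything other than FullyDecrypted on a host
#    where BitLocker is not expected deserves a look.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | ForEach-Object {
        if ($_.VolumeStatus -ne 'FullyDecrypted') {
            $findings += "BitLocker $($_.MountPoint): $($_.VolumeStatus) ($($_.EncryptionPercentage)%)"
        }
    }
}

$findings
```

Run the script on the suspected server and compare the output with a known-good host; a present BestCrypt entry, an encrypted rescue.rsc and zero shadow copies together match the behaviour described above.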

Ransom note

Hello. Your company’s server hard drive was encrypted by us.
We use the most complex encryption algorithm (AES256). Only we can decrypt.
Please contact us: [email address 1] (Please check spam, Avoid missing mail)
Identification code: ******** (Please tell us the identification code)
Please contact us and we will tell you the amount of ransom and how to pay.
(If the contact is fast, we will give you a discount.)
After the payment is successful, we will tell the decrypt password.
In order for you to believe in us, we have prepared the test server. Please contact us and we will tell the test server and decrypt the password.
Please do not scan encrypted hard drives or attempt to recover data. Prevent data corruption.
If we don’t respond. Please contact an alternate mailbox: [email address 2] We will enable the alternate mailbox only if the first mailbox is not working properly.

The affected server was restored because the ransomware only initiated the encryption process without following it through. DeepBlueMagic ransomware encrypted only the headers of the affected partition, in order to break the Windows Volume Shadow Copy feature.

Source: Heimdal Security