December 9, 2023

Researchers have spotted a new emerging threat group dubbed Money Ransomware. It has adopted the increasingly popular tactic of encrypting and exfiltrating sensitive data from organizations and threatening to leak it if the victim refuses to pay.

Based on the analysis of the sample from one of its victims, researchers detailed out the tactics used by the threat actor in phases.


The first phase of the execution of the malware is to install a Mutex in order to keep track of the already locked machines. But, if the mutex creation fails, the infection goes on, with the risk to encrypt a second time the machine.

Then, the shadow copies are deleted by executing vssadmin, but before doing that, it disables the redirection to the WOW64 directory instead in order to force the execution of the command System32 Directory.

The next phase of the locking process is to kill the processes that can get a handle to file to encrypt.

The list of the processes to kill is the following:

  • sql.exe
  • oracle.exe
  • ocssd.exe
  • dbsnmp.exe
  • synctime.exe
  • agntsvc.exe
  • isqlplussvc.exe
  • xfssvccon.exe
  • mydesktopservice.exe
  • ocautoupds.exe
  • encsvc.exe
  • firefox.exe
  • tbirdconfig.exe
  • mdesktopqos.exe
  • ocomm.exe
  • dbeng50.exe
  • sqbcoreservice.exe
  • excel.exe
  • infopath.exe
  • msaccess.exe
  • mspub.exe
  • onenote.exe
  • outlook.exe
  • powerpnt.exe
  • steam.exe
  • thebat.exe
  • thunderbird.exe
  • visio.exe
  • winword.exe
  • wordpad.exe
  • vmwp.exe

The malware proceeds to halt antimalware services that could potentially disrupt the encryption process.

The list of services targeted in this specific case includes:

  • vss
  • sql
  • svc$
  • memtas
  • mepocs
  • sophos
  • veeam
  • backup
  • vmms

One of the most serious capabilities of the ransomware is the ability to propagate the locking process through the network. It uses two different ways to perform that operation. The first one is to iterate and inside all the connected devices of the machine.


The second one is sneakier because it attempts to login to hardcoded domain accounts using the API function WNetAddConnection2W – a Windows API function that allows a program to connect to network resources, such as shared drives or printers, by establishing a network connection.

For the encryption process, the ransomware employs a combination of the Elliptic Curve Diffie-Hellman (ECDH) and ChaCha20 algorithms.

To manage the file encryption process. It uses a technique for checking the file’s footer. By using the SetFilePointerEx API call, the ransomware moves the file pointer to -172 from the end, searching for the hexadecimal pattern “90 00 00 00”, which indicates the start of the footer. This approach helps prevent the encryption of the same file twice.

To mitigate this risk, it is vital for organizations to adopt a proactive approach to network security. This includes regularly patching and updating software, employing firewalls and other network security tools, and educating employees on how to recognize and avoid common phishing and social engineering attacks.


This research was documented by researchers from Yoroi

Indicators of Compromise


1 thought on “Money Ransomware Dissection

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.