Heimdal Security researchers have unearthed a new ransomware strain, along with a ransom note signed by a group calling itself ‘DeepBlueMagic’. On Wednesday, 11 August, the researchers detected ‘DeepBlueMagic’ in an attack on a device running Windows Server 2012 R2. After analyzing the variant, they said the ransomware operates differently from all previously detected ransomware strains.

Modus Operandi of DeepBlueMagic Ransomware

DeepBlueMagic used a legitimate third-party encryption tool, ‘BestCrypt Volume Encryption’ by Jetico. Instead of encrypting individual files on the victim’s system, the ransomware targeted the server’s disk drives, with the exception of the system drive on the “C:” partition.

“The ‘BestCrypt Volume Encryption’ was still present on the accessible disk, C, alongside a file named ‘rescue.rsc’, a rescue file commonly used by Jetico’s software to retrieve the partition in case of damage. But unlike in the legitimate uses of the software, the rescue file itself was encrypted as well by Jetico’s product, using the same mechanism, and requiring a password in order to be able to open it,” Heimdal explained.

The methodology is unusual because most ransomware families focus on encrypting files rather than volumes. “Further analysis revealed that the encryption process was started using Jetico’s product, and stopped right after its initiation. Therefore, following this go-around process, the drive was only partially encrypted, with just the volume headers being affected. The encryption can be either continued or restored using the rescue file of Jetico’s ‘BestCrypt Volume Encryption’, but that file was also encrypted by the ransomware operators,” the report added.

The ransomware also deleted the Volume Shadow ..
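The behaviour described above (a legitimate volume-encryption tool launched on a server, a BestCrypt rescue.rsc written to disk, and shadow copies deleted) is what a defender would want to correlate. The following is an added detection example, not code from Heimdal or Jetico: the telemetry records, their field names, the Jetico install path and the event type labels are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry for this example. Field names, timestamps,
# the "BCVE.exe" image path and the event type labels are assumptions, not
# values taken from the Heimdal report.
EVENTS = [
    {"ts": "2021-08-11T02:10:00", "host": "srv01", "type": "process",
     "image": r"C:\Program Files\Jetico\BCVE\BCVE.exe"},
    {"ts": "2021-08-11T02:11:30", "host": "srv01", "type": "file_write",
     "path": r"C:\rescue.rsc"},
    {"ts": "2021-08-11T02:14:05", "host": "srv01", "type": "shadow_copy_deleted"},
    # A lone BestCrypt launch on a workstation: single indicator, no alert.
    {"ts": "2021-08-11T09:00:00", "host": "ws07", "type": "process",
     "image": r"C:\Program Files\Jetico\BCVE\BCVE.exe"},
]

WINDOW = timedelta(minutes=30)


def indicator(ev):
    """Map one telemetry event to the indicator it matches, or None."""
    if ev["type"] == "process" and "jetico" in ev.get("image", "").lower():
        return "volume_encryption_tool_started"
    if ev["type"] == "file_write" and ev.get("path", "").lower().endswith("rescue.rsc"):
        return "bestcrypt_rescue_file_written"
    if ev["type"] == "shadow_copy_deleted":
        return "shadow_copies_deleted"
    return None


def correlate(events, window=WINDOW, min_indicators=2):
    """Return {host: sorted indicator names} for every host on which at least
    `min_indicators` distinct indicators occur inside one `window`."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        name = indicator(ev)
        if name:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), name))
    alerts = {}
    for host, hits in per_host.items():
        for i, (t0, _) in enumerate(hits):
            # Distinct indicators seen from this hit forward, within the window.
            names = {n for t, n in hits[i:] if t - t0 <= window}
            if len(names) >= min_indicators:
                alerts[host] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    print(correlate(EVENTS))
```

A single BestCrypt launch is legitimate use and stays below the threshold; the alert fires only when the tool start, the rescue file and the shadow-copy deletion cluster on one host.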