"Troubling New Disk-Level Encryption Ransomware Surfaces"
A new ransomware variant dubbed DeepBlueMagic has been discovered by researchers at Heimdal Security. According to the researchers, DeepBlueMagic targets different disk drives on a target organization's servers instead of encrypting files on endpoint systems like most ransomware strains. The malware uses a legitimate third-party encryption tool called BestCrypt Volume Encryption from Jetico to initiate encryption on all drives, except the primary system drive on an infected Windows Server 2012 R2 system. The encryption tool was found on an infected machine's system drive, together with a rescue file that Jetico's software uses to recover damaged partitions. However, in this case, the rescue file was encrypted too, and required a password to open it. Heimdal was unable to determine how the attackers gained initial entry to the compromised system. The researchers were also unable to obtain a sample of the original executable file as the ransomware deleted itself from the system. Heimdal's investigation revealed that DeepBlueMagic had begun the encryption process on the infected system's "D:\" drive and almost instantly stopped the process after initiation, which led to the the drive being partially encrypted and turned into a RAW partition (i.e., a partition where the file system structure has been corrupted and, therefore, not recognizable to the system). DeepBlueMagic is designed to disable any behavior-based threat detection tools on a targeted server before the malware starts any encryption. The malware's approach is to stop all third-party Windows services on the system. When the malware finishes encryption, it deletes the Windows Volume Shadow copy, thus making restoration impossible from encrypted drives. This article continues to discuss the tactics and procedures of the new ransomware strain DeepBlueMagic, as well as the effectiveness of disk-level encryption.
Dark Reading reports "Troubling New Disk-Level Encryption Ransomware Surfaces"