Heimdal Security Researchers Discover New ‘DeepBlueMagic’ Ransomware

Researchers at Heimdal Security have detected a new ransomware strain used by a threat group known as DeepBlueMagic. The ransomware differs significantly from all previously identified ransomware variants.

Heimdal Security researchers identified the new ransomware on August 11, 2021. It was used against a device running Windows Server 2012 R2. Analysis of the attack showed that DeepBlueMagic ransomware works entirely differently from earlier ransomware variants.

The researchers found that DeepBlueMagic ransomware first deactivates the security tools installed on the device to avoid detection, then encrypts whole hard drives rather than individual files, using a third-party disk encryption tool. All of the targeted server’s drives are encrypted except the system drive (the “C:\” partition).

The ransomware uses Jetico’s BestCrypt Volume Encryption software. During the attack, the D:\ drive was changed from NTFS into a RAW partition, making it inaccessible. After the attack, any attempt to access the encrypted drive causes Windows to prompt the user to format the disk, because the drive is unreadable.

Further investigation showed that the ransomware stopped all third-party Windows services on the targeted device, thereby disabling all security tools. DeepBlueMagic then deleted the Windows Volume Shadow Copies so the drive could not be restored from them. It also attempted to enable BitLocker on every endpoint in the Active Directory domain.
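The indicators described above (third-party services stopped, Volume Shadow Copies deleted, a data volume turned RAW, BitLocker enablement attempted, and BestCrypt Volume Encryption present) can be checked on a suspect Windows server in one pass. The following triage script is an added example, not Heimdal Security’s code or anything recovered from the incident. It assumes that third-party services can be recognised by a binary path outside `%SystemRoot%`, that a RAW volume reports an empty `FileSystem` in `Win32_LogicalDisk`, and that BestCrypt appears under its product name in the registry Uninstall keys; all three are heuristics, not facts from the article.

```powershell
# Added triage script (not from the article or from Heimdal Security).
# Collects the post-compromise indicators the article lists so they can be
# compared against the host's known-good baseline.

function Get-DeepBlueMagicTriage {
    [CmdletBinding()]
    param()

    $systemRoot = $env:SystemRoot   # typically C:\Windows

    # 1. Third-party services that are not running. Assumption: a service whose
    #    binary lives outside %SystemRoot% is third-party. PathName may be quoted.
    $stoppedThirdParty = Get-CimInstance Win32_Service |
        Where-Object {
            $_.PathName -and
            $_.PathName.TrimStart('"') -notlike "$systemRoot*" -and
            $_.State -ne 'Running'
        } |
        Select-Object Name, DisplayName, State, StartMode, PathName

    # 2. Volume Shadow Copies. A count of zero on a server that normally keeps
    #    them is consistent with the deletion described in the article.
    $shadowCopies = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)

    # 3. Local fixed disks (DriveType 3) with no recognisable file system.
    #    Assumption: a RAW volume shows an empty FileSystem property here.
    $rawVolumes = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
        Where-Object { [string]::IsNullOrEmpty($_.FileSystem) -or $_.FileSystem -eq 'RAW' } |
        Select-Object DeviceID, FileSystem, Size

    # 4. BitLocker state per volume. The cmdlet only exists when the BitLocker
    #    feature is installed, so probe for it first.
    $bitlocker = $null
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $bitlocker = Get-BitLockerVolume |
            Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
    }

    # 5. Jetico BestCrypt Volume Encryption listed as an installed program.
    #    Assumption: the product name contains "BestCrypt".
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $bestCrypt = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*BestCrypt*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate

    [PSCustomObject]@{
        ComputerName          = $env:COMPUTERNAME
        CollectedAt           = Get-Date
        StoppedThirdPartySvcs = $stoppedThirdParty
        ShadowCopyCount       = $shadowCopies.Count
        RawFixedVolumes       = $rawVolumes
        BitLockerVolumes      = $bitlocker
        BestCryptInstalled    = [bool]$bestCrypt
        BestCryptEntries      = $bestCrypt
    }
}

# Run from an elevated prompt on the suspect host.
$report = Get-DeepBlueMagicTriage
$report | Format-List
```

None of these findings is conclusive on its own: a stopped third-party service or an absent shadow copy can be routine. The value is in seeing several of them together on a host whose baseline is known, which is why the script reports raw data rather than a verdict.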

In this attack, the disk encryption process was started but not completed; only the volume headers were encrypted. The encryption process can therefore be resumed, and Jetico’s BestCrypt Volume Encryption also generates a rescue file that could be used to recover the drive; however, the ransomware encrypted the rescue file as well, and a password is required to access it.

Heimdal Security explained that the ransomware deletes itself after the attack, so the sample could not be recovered and examined at this stage. The researchers could not determine how the attacker installed the ransomware on the server. There were no failed sign-in attempts, so it was not delivered through a brute-force attack. The server hosted only a Microsoft Dynamics AX installation with a Microsoft SQL Server.

A ransom note was left on the desktop, instructing the victim to make contact by email to learn the ransom amount demanded in exchange for the password needed to recover the encrypted drives.

According to the Heimdal Security researchers, because the encryption process was only partly completed, the drives can be recovered without paying the ransom. They simulated the DeepBlueMagic process, tried a number of recovery tools, and successfully recovered the files on the encrypted partition using CGSecurity.org’s free TestDisk tool.

Ransomware is currently a pressing problem, with a large number of companies around the world affected every day. Financial losses run to millions of dollars, and there are serious social consequences. This new variant further underlines cyber criminals’ willingness and ability to refine their business and keep increasing their profits. DeepBlueMagic and other new attackers will certainly continue to target businesses worldwide, so it is important for business owners to start implementing preventive measures rather than relying on mitigation after the fact. The contest between cyber criminals and cybersecurity organizations will likely intensify.