New Ransomware, New Method – DeepBlueMagic

upnorth

Moderator
Verified
Staff member
Malware Hunter
Jul 27, 2015
4,451
This new ransomware strain is a complex one, displaying a certain amount of innovation from the standard file-encryption approach of most others.

The affected device from which the ransomware infection originated was running Windows Server 2012 R2. By cleverly making use of a legitimate third-party disk encryption tool, the DeepBlueMagic ransomware started the encryption process not of files on the target’s endpoint, as ransomware usually does, but of the different disk drives on the server, except the system drive (the “C:\” partition). The legit disk encryption third-party tool used is “BestCrypt Volume Encryption” from Jetico. The “BestCrypt Volume Encryption” was still present on the accessible disk, C, alongside a file named “rescue.rsc”, a rescue file habitually used by Jetico’s software to recover the partition in case of damage. But unlike in the legitimate uses of the software, the rescue file itself was encrypted as well by Jetico’s product, using the same mechanism, and requiring a password in order to be able to open it.

It is a very unusual modus operandi for a ransomware strain, since these infections most often focus on files.

The DeepBlueMagic ransomware used Jetico’s product to start the encryption on all the drives except the system drive. The machine was found with the “C:\” drive intact, not encrypted in any way, and with ransom information text files on the desktop. The C drive is a smaller stakes ransomware target since the more valuable files are located on the other partitions, not on the system drive which is used for running executables and performing operations. In this case, it was the “D:\” drive that was turned into a RAW partition rather than the common NTFS, making it inaccessible. Any access attempt would have the Windows OS interface prompt the user to accept formatting the disk since the drive looks broken once encrypted.
Moreover, the ransomware cleared the stage before commencing the encryption. Before using Jetico’s “BestCrypt Volume Encryption”, the malicious software stopped every third-party Windows service found on the computer, to ensure the disabling of any security software which is based on behavior analysis. Leaving any such services active would have led to its immediate detection and blocking. Afterward, DeepBlueMagic deleted the Volume Shadow Copy of Windows to ensure restoration is not possible for the affected drives, and since it was on a Windows server OS, it tried to activate Bitlocker on all the endpoints in that active directory.
 

Andy Ful

Level 72
Verified
Trusted
Content Creator
Dec 23, 2014
6,165
Deep down on the same webpage:

Circumventing DeepBlueMagic (Partially)​

The affected server was restored due to the ransomware only initiating the encryption process, without actually following it through. Basically, the DeepBlueMagic ransomware only encrypted the headers of the affected partition, in order to break the Shadow Volumes Windows feature.

Our team of malware analysts managed to restore the files on the inaccessible partition by trying various decryption tools while simulating the DeepBlueMagic process (commencing the encryption and then stopping it).

The tool that succeeded in restoring the files on the locked disk is a free one from CGSecurity.org. So at least there is good news for anyone who is or will be affected by the DeepBlueMagic ransomware, until we find out more about it.

Anyway, this example is a logical development of ransomware and any malware. Simply, the attackers are trying to mimic the legal administrative actions. So, the malicious behavior depends more on the context and much less on the content.
 
Top