New Ransomware, New Method – DeepBlueMagic

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
This new ransomware strain is a complex one, displaying a certain amount of innovation from the standard file-encryption approach of most others.

The affected device from which the ransomware infection originated was running Windows Server 2012 R2. By cleverly making use of a legitimate third-party disk encryption tool, the DeepBlueMagic ransomware started the encryption process not of files on the target’s endpoint, as ransomware usually does, but of the different disk drives on the server, except the system drive (the “C:\” partition). The legit disk encryption third-party tool used is “BestCrypt Volume Encryption” from Jetico. The “BestCrypt Volume Encryption” was still present on the accessible disk, C, alongside a file named “rescue.rsc”, a rescue file habitually used by Jetico’s software to recover the partition in case of damage. But unlike in the legitimate uses of the software, the rescue file itself was encrypted as well by Jetico’s product, using the same mechanism, and requiring a password in order to be able to open it.

It is a very unusual modus operandi for a ransomware strain, since these infections most often focus on files.

The DeepBlueMagic ransomware used Jetico’s product to start the encryption on all the drives except the system drive. The machine was found with the “C:\” drive intact, not encrypted in any way, and with ransom information text files on the desktop. The C drive is a smaller stakes ransomware target since the more valuable files are located on the other partitions, not on the system drive which is used for running executables and performing operations. In this case, it was the “D:\” drive that was turned into a RAW partition rather than the common NTFS, making it inaccessible. Any access attempt would have the Windows OS interface prompt the user to accept formatting the disk since the drive looks broken once encrypted.
Moreover, the ransomware cleared the stage before commencing the encryption. Before using Jetico’s “BestCrypt Volume Encryption”, the malicious software stopped every third-party Windows service found on the computer, to ensure the disabling of any security software which is based on behavior analysis. Leaving any such services active would have led to its immediate detection and blocking. Afterward, DeepBlueMagic deleted the Volume Shadow Copy of Windows to ensure restoration is not possible for the affected drives, and since it was on a Windows server OS, it tried to activate BitLocker on all the endpoints in that Active Directory.
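The sequence in the quoted write-up (third-party services stopped, shadow copies deleted, a legitimate disk encryption tool launched, then a BitLocker enable attempt) is easier to catch as a combination than as any single event, since backup software deletes shadow copies too. Below is an added example of that correlation, written for this thread and not taken from the article or from any vendor product. The event records are constructed and only loosely shaped like System log 7036 (service state change) and Sysmon event 1 / Security 4688 (process creation); the BestCrypt executable name and install path in the sample are assumptions, the match is on the product name only.

```python
"""Correlate Windows event records for the sequence described above:
mass service stops, shadow-copy deletion, launch of a third-party disk
encryption tool, and an attempt to enable BitLocker.

Added illustration. The records below are constructed and only loosely
mimic System-log 7036 (service state change) and Sysmon event 1 / Security
4688 (process creation) fields; they are not telemetry from the incident.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # benign activity the day before: a backup job listing shadow copies, one service restart
    {"time": "2021-08-09T03:00:00", "id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
    {"time": "2021-08-09T03:00:05", "id": 7036, "service": "BackupAgent", "state": "stopped"},
    # the attack window: third-party services stopped one after another
    {"time": "2021-08-10T02:10:05", "id": 7036, "service": "ThirdPartyAV", "state": "stopped"},
    {"time": "2021-08-10T02:10:06", "id": 7036, "service": "BackupAgent", "state": "stopped"},
    {"time": "2021-08-10T02:10:07", "id": 7036, "service": "MonitoringAgent", "state": "stopped"},
    # shadow copies deleted
    {"time": "2021-08-10T02:11:30", "id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    # disk encryption tool launched; executable name and path are assumptions,
    # the detection below matches on the product name only
    {"time": "2021-08-10T02:12:00", "id": 1,
     "image": r"C:\Program Files\Jetico\BestCrypt Volume Encryption\bcve.exe",
     "cmdline": '"bcve.exe"'},
    # BitLocker enable attempt
    {"time": "2021-08-10T02:12:30", "id": 1, "image": r"C:\Windows\System32\manage-bde.exe",
     "cmdline": "manage-bde -on D: -RecoveryPassword"},
]

# Known ways of deleting shadow copies from a command line.
VSS_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy.*\bdelete\b",
    re.I)
BITLOCKER_ON = re.compile(r"manage-bde(\.exe)?\s+-on\b", re.I)
DISK_ENC_TOOL = re.compile(r"bestcrypt", re.I)  # assumption: product name appears in the image path


def _ts(event):
    return datetime.fromisoformat(event["time"])


def correlate(events, window=timedelta(minutes=30), min_service_stops=3):
    """Anchor on each shadow-copy deletion and collect the other indicators
    seen within +/- `window`; returns one alert per anchor."""
    events = sorted(events, key=_ts)
    alerts = []
    for anchor in (e for e in events if VSS_DELETE.search(e.get("cmdline", ""))):
        lo, hi = _ts(anchor) - window, _ts(anchor) + window
        nearby = [e for e in events if lo <= _ts(e) <= hi]
        stopped = sorted({e["service"] for e in nearby
                          if e.get("id") == 7036 and e.get("state") == "stopped"})
        indicators = ["shadow_copy_deletion"]
        if len(stopped) >= min_service_stops:
            indicators.append("mass_service_stop")
        if any(DISK_ENC_TOOL.search(e.get("image", "")) for e in nearby):
            indicators.append("third_party_disk_encryption_tool")
        if any(BITLOCKER_ON.search(e.get("cmdline", "")) for e in nearby):
            indicators.append("bitlocker_enable_attempt")
        alerts.append({
            "time": anchor["time"],
            "indicators": indicators,
            "stopped_services": stopped,
            # shadow-copy deletion alone is noisy (backup jobs do it); the combination is not
            "severity": "high" if len(indicators) >= 3 else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On a real host the records would come from the System and Security logs (or Sysmon) rather than a list literal; the point is the windowed combination, and the benign `vssadmin list shadows` plus single service restart on the previous day produce no alert.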

Andy Ful

Deep down on the same webpage:

Circumventing DeepBlueMagic (Partially)

The affected server was restored due to the ransomware only initiating the encryption process, without actually following it through. Basically, the DeepBlueMagic ransomware only encrypted the headers of the affected partition, in order to break the Shadow Volumes Windows feature.

Our team of malware analysts managed to restore the files on the inaccessible partition by trying various decryption tools while simulating the DeepBlueMagic process (commencing the encryption and then stopping it).

The tool that succeeded in restoring the files on the locked disk is a free one from CGSecurity.org. So at least there is good news for anyone who is or will be affected by the DeepBlueMagic ransomware, until we find out more about it.

Anyway, this example is a logical development of ransomware and any malware. Simply, the attackers are trying to mimic the legal administrative actions. So, the malicious behavior depends more on the context and much less on the content.
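Since the write-up says only the partition headers were encrypted and that a free CGSecurity tool got the data back, here is an added example (written for this thread, not from the article, from CGSecurity or from Jetico) of what "header-only damage" looks like on an NTFS volume and why it is recoverable. It parses the NTFS boot sector, uses a byte-entropy heuristic to tell an overwritten header from an unrecognized-but-structured one, and falls back to the backup boot sector that NTFS keeps in the last sector of the volume. The volume images are constructed in memory; the entropy threshold and the assumption that the backup sector was not reached before the encryption stopped are both labelled in the code.

```python
"""Triage a volume that Windows reports as RAW: parse the NTFS boot sector,
estimate whether it has been overwritten with ciphertext, and try the
backup boot sector that NTFS keeps in the last sector of the volume.

Added illustration; the sample images below are constructed in memory.
"""
import hashlib
import math
import struct
from typing import Optional

SECTOR = 512


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; random data approaches 8.0, structured data sits well below."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_ntfs_boot_sector(sec: bytes) -> Optional[dict]:
    """Return the key BPB fields if `sec` is a plausible NTFS boot sector, else None."""
    if len(sec) < SECTOR or sec[3:11] != b"NTFS    " or sec[510:512] != b"\x55\xAA":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sec, 0x0B)
    total_sectors, mft_cluster, mft_mirror_cluster = struct.unpack_from("<QQQ", sec, 0x28)
    if bytes_per_sector not in (512, 1024, 2048, 4096) or sectors_per_cluster == 0 or total_sectors == 0:
        return None
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "total_sectors": total_sectors, "mft_cluster": mft_cluster,
            "mft_mirror_cluster": mft_mirror_cluster}


def triage_boot_sector(sec: bytes) -> dict:
    bpb = parse_ntfs_boot_sector(sec)
    ent = shannon_entropy(sec)
    return {"fs": "NTFS" if bpb else "unrecognized",
            "entropy": round(ent, 2),
            # 7.0 bits/byte is a heuristic threshold (an assumption), not a standard
            "looks_encrypted": bpb is None and ent > 7.0,
            "bpb": bpb}


def rebuild_from_backup(image: bytes) -> Optional[bytes]:
    """If sector 0 is unusable but the last sector holds a valid NTFS boot sector
    whose geometry matches the image, return a repaired image. NTFS's TotalSectors
    field excludes the backup sector, hence the +1. This only works if the
    encryption was interrupted before it reached the end of the volume (assumption)."""
    if parse_ntfs_boot_sector(image[:SECTOR]):
        return image  # header is fine, nothing to do
    backup = image[-SECTOR:]
    bpb = parse_ntfs_boot_sector(backup)
    if bpb is None or (bpb["total_sectors"] + 1) * bpb["bytes_per_sector"] != len(image):
        return None
    return backup + image[SECTOR:]


# --- constructed sample data -------------------------------------------------
def make_boot_sector(total_sectors: int) -> bytes:
    sec = bytearray(SECTOR)
    sec[0:3] = b"\xEB\x52\x90"          # jump instruction
    sec[3:11] = b"NTFS    "             # OEM ID
    struct.pack_into("<HB", sec, 0x0B, 512, 8)
    struct.pack_into("<QQQ", sec, 0x28, total_sectors, 4, 2)  # MFT / MFTMirr clusters (plausible values)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def pseudo_ciphertext(n: int, seed: bytes = b"deepbluemagic-sample") -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted header."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# 64-sector volume: boot sector, 62 empty sectors, backup boot sector in the last one.
INTACT_IMAGE = make_boot_sector(63) + bytes(SECTOR * 62) + make_boot_sector(63)
# Same volume after only the header was overwritten with ciphertext.
DAMAGED_IMAGE = pseudo_ciphertext(SECTOR) + INTACT_IMAGE[SECTOR:]

if __name__ == "__main__":
    print("intact :", triage_boot_sector(INTACT_IMAGE[:SECTOR]))
    print("damaged:", triage_boot_sector(DAMAGED_IMAGE[:SECTOR]))
    print("repaired:", rebuild_from_backup(DAMAGED_IMAGE) == INTACT_IMAGE)
```

Run it on a real image with `open(path, "rb").read()`; a full-volume encryption would have overwritten the last sector as well, in which case `rebuild_from_backup` returns None and the data is genuinely gone without the key.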