Million Dollar Ransoms Demanded by New Money Message Ransomware

A new ransomware group known as “Money Message” has emerged, attacking victims all over the world and demanding $1 million ransoms in exchange for a decryptor and a promise not to leak stolen data. A victim first reported the new ransomware on March 28, 2023, and Zscaler’s ThreatLabz quickly tweeted about it.

On its extortion website, the threat actor currently names two victims, one of which is an Asian airline with yearly sales of about $1 billion. The threat actors further assert that they have stolen files from the business and provide a screenshot of the accessed file system as evidence of the breach. During the investigation, evidence also emerged of a possible Money Message breach at a well-known computer hardware provider; however, that attack could not yet be independently confirmed with the company.

The Money Message encryptor is written in C++ and embeds a JSON configuration file that specifies how a device will be encrypted. This configuration specifies which folders and files should not be encrypted, what extension should be appended, which processes and services should be stopped, whether logging should be enabled, and a set of domain logins and passwords that are likely used to spread the encryption to additional devices.

In an analyzed sample, the following folders are excluded from encryption:

  • C:\msocache
  • C:\$windows.~ws
  • C:\system volume information
  • C:\perflogs
  • C:\programdata
  • C:\program files (x86)
  • C:\program files
  • C:\$windows.~bt
  • C:\windows
  • C:\windows.old
  • C:\boot

When launched, it uses the following command to delete Shadow Volume Copies, so that victims cannot restore files from them:

cmd.com /c vssadmin.exe delete shadows /all /quiet

The ransomware will then stop the following processes:

sql.exe, oracle.exe, ocssd.exe, dbsnmp.exe, synctime.exe, agntsvc.exe, isqlplussvc.exe, xfssvccon.exe, mydesktopservice.exe, ocautoupds.exe, encsvc.exe, firefox.exe, tbirdconfig.exe, mdesktopqos.exe, ocomm.exe, dbeng50.exe, sqbcoreservice.exe, excel.exe, infopath.exe, msaccess.exe, mspub.exe, onenote.exe, outlook.exe, powerpnt.exe, steam.exe, thebat.exe, thunderbird.exe, visio.exe, winword.exe, wordpad.exe, vmms.exe, vmwp.exe

The following Windows services are then disabled by the ransomware:

vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, vmms

In the analyzed sample the encryptor does not append an extension to encrypted files, although this may vary from victim to victim, since the extension is a configuration option. According to security researcher rivitna, the encryptor uses ChaCha20 for file encryption and ECDH for key exchange. By default, the only files excluded from encryption are:

  • desktop.ini
  • autorun.inf
  • ntuser.dat
  • bootsect.bak
  • iconcache.db
  • ntuser.dat.log
  • ntldr
  • thumbs.db
  • bootfont.bin
  • ntuser.ini
  • boot.ini

In comparison to other encryptors, Money Message’s encryption of the test files was somewhat sluggish. After the device has been encrypted, the ransomware drops a ransom note named money_message.log that includes a link to a TOR negotiation site used to communicate with the threat actors. The note also warns that the threat actors will publish any stolen data on their data leak website if the ransom is not paid.
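The behaviours described above (shadow copy deletion, termination of the listed processes and services, and the money_message.log note) are observable on an endpoint well before encryption completes. As an added example, not code from the article or the sample, the following detector runs those checks over constructed log lines in a hypothetical "event|detail" format; the event names and the sample lines are assumptions, while the process, service and note names come from the article.

```python
import re

# Signals taken from the article: the vssadmin command, the process kill list,
# the stopped services and the ransom note filename.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet", re.I)
RANSOM_NOTE = "money_message.log"
KILL_LIST = set((
    "sql.exe,oracle.exe,ocssd.exe,dbsnmp.exe,synctime.exe,agntsvc.exe,isqlplussvc.exe,"
    "xfssvccon.exe,mydesktopservice.exe,ocautoupds.exe,encsvc.exe,firefox.exe,tbirdconfig.exe,"
    "mdesktopqos.exe,ocomm.exe,dbeng50.exe,sqbcoreservice.exe,excel.exe,infopath.exe,msaccess.exe,"
    "mspub.exe,onenote.exe,outlook.exe,powerpnt.exe,steam.exe,thebat.exe,thunderbird.exe,"
    "visio.exe,winword.exe,wordpad.exe,vmms.exe,vmwp.exe").split(","))
STOPPED_SERVICES = {"vss", "sql", "svc$", "memtas", "mepocs", "sophos", "veeam", "backup", "vmms"}

# Constructed sample telemetry (hypothetical "event|detail" format, not real logs).
SAMPLE_LOG = """\
proc_create|C:\\Windows\\System32\\cmd.exe /c vssadmin.exe delete shadows /all /quiet
proc_terminate|sql.exe
proc_terminate|outlook.exe
proc_terminate|vmms.exe
service_stop|veeam
service_stop|sophos
file_create|C:\\Users\\alice\\Desktop\\money_message.log
proc_create|C:\\Program Files\\Mozilla Firefox\\firefox.exe
"""

def analyse(log_text, kill_threshold=3):
    """Return the list of findings raised by the log lines, in the order detected.

    Single events (shadow copy deletion, ransom note written) are reported
    immediately; process kills and service stops are aggregated, because one
    terminated Office process is noise while many at once is not."""
    findings, killed, stopped = [], set(), set()
    for line in log_text.splitlines():
        event, _, detail = line.partition("|")
        detail_lc = detail.strip().lower()
        if event == "proc_create" and SHADOW_DELETE.search(detail):
            findings.append("shadow_copy_deletion")
        elif event == "proc_terminate" and detail_lc in KILL_LIST:
            killed.add(detail_lc)
        elif event == "service_stop" and detail_lc in STOPPED_SERVICES:
            stopped.add(detail_lc)
        elif event == "file_create" and detail_lc.endswith(RANSOM_NOTE):
            findings.append("ransom_note_written")
    if len(killed) >= kill_threshold:
        findings.append(f"bulk_process_kill:{len(killed)}")
    if stopped:
        findings.append(f"backup_security_services_stopped:{len(stopped)}")
    return findings

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

The shadow copy deletion alone is a high-confidence alert on most hosts; the aggregated kill and service-stop counts are tuned with kill_threshold to avoid firing on a user closing a few applications.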

The rise of the Money Message ransomware gang adds a new threat that businesses need to be aware of. Although the group’s encryption tool does not appear to be advanced, the operation is demonstrably succeeding at stealing data and encrypting devices during its attacks. Specialists will continue to examine the ransomware, and if a flaw in the encryption is discovered, we will update this report.

About the author

Yehudah Sunshine

Bringing together his diverse professional cyber know-how, intellectual fascination with history and culture, and eclectic academic background focusing on diplomacy and the cultures of Central Asia, Yehudah Sunshine keenly blends his deep understanding of the global tech ecosystem with a nuanced worldview of the underlying socio-economic and political forces which drive policy and impact innovation in the cyber sectors. Yehudah's current work focuses on how to create opportunities, enhance marketing strategies and elevate cyber-driven thought leadership for cyfluencer (www.cyfluencer.com), the cybersecurity thought leadership platform. Sunshine has written and researched extensively within cybersecurity, the service sectors, international criminal accountability, Israel's economy, Israeli diplomatic inroads, Israeli innovation and technology, and Chinese economic policy.