New Ransomware Actor DeepBlueMagic Uses Unusual Encryption Method


Heimdal Security was alerted to an incident that revealed a ransomware attack targeting Windows systems from a previously unknown actor. The incident was reported to their team on August 11, 2019.

The ransomware note was signed by an actor calling themselves DeepBlueMagic.

This new ransomware actor uses a complex attack and shows an innovative encryption approach when compared to other ransomware gangs.

Researchers observed the actor using a legitimate disk encryption tool, “BestCrypt Volume Encryption” from Jetico, to encrypt not individual files, as is usually the case, but the various disks in the server. They did not encrypt only the system volume “C:\”.

BestCrypt’s rescue file, which Jetico provides to recover a damaged partition, was present on disk C. But unlike in legitimate uses of the product, the rescue file was encrypted as well and required a password to run.

It is a very unusual approach for a ransomware gang since most of the gangs focus on encrypting files.

The researchers noticed that the encryption process using Jetico’s product stopped soon after its activation. Because of this, only the volume headers were encrypted. After this initial encryption stage, the attackers can either continue the process or use the Jetico rescue file to restore the encrypted disks. However, the ransomware operators also encrypted that file, preventing the victim from restoring the disks themselves to avoid paying the ransom.

Before using Jetico’s “BestCrypt Volume Encryption,” the ransomware stopped all third-party Windows services on the computer. This step ensured there was no security software running when encryption started.

DeepBlueMagic’s malware also deleted the Windows Volume Shadow Copies to prevent the disks from being restored to their original state. It also tried to activate BitLocker on the Windows Server endpoints.

Moreover, the ransomware deleted all traces of its original executable file except the Jetico tool. This means that Heimdal could not obtain a sample of it to analyze for further insights.
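Because the executable removed itself, the behaviours described above (a burst of stopped third-party services, shadow copy deletion, and an attempt to enable BitLocker) are what a defender is left to hunt for in logs. The script below is an added detection example, not code from the article or from Heimdal. It assumes a simplified one-line-per-event rendering of Windows events (`timestamp|source|event_id|detail`, where Sysmon event 1 carries the process command line and Service Control Manager event 7036 carries the "entered the stopped state" message), and the sample log lines are constructed. The article does not name the commands the malware used; the command patterns below are the common built-in ways to delete shadow copies (`vssadmin`, `wmic`, `Win32_ShadowCopy`) and enable BitLocker (`manage-bde -on`, `Enable-BitLocker`), which is an assumption about this actor.

```python
"""Hunt for the DeepBlueMagic-style pre-encryption sequence in event logs.

Added example (not the article's or Heimdal's code). Log format and the
exact commands are assumptions, see the lead-in.
"""
import re
from datetime import datetime, timedelta

# Command-line patterns checked against Sysmon event 1 (process creation).
COMMAND_RULES = {
    "shadow_copy_deletion": [
        re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
        re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
        re.compile(r"Win32_ShadowCopy.*Remove-WmiObject", re.I),
    ],
    "bitlocker_enable": [
        re.compile(r"manage-bde(\.exe)?\s+-on\b", re.I),
        re.compile(r"Enable-BitLocker", re.I),
    ],
}

# Service Control Manager event 7036 message for a stopped service.
SERVICE_STOPPED = re.compile(r"The (?P<name>.+?) service entered the stopped state", re.I)

# Constructed sample events: "timestamp|source|event_id|detail".
SAMPLE_LOG = r"""
2019-08-11T01:00:00|SCM|7036|The Print Spooler service entered the stopped state.
2019-08-11T01:02:00|SCM|7036|The ExampleAV Agent service entered the stopped state.
2019-08-11T01:02:01|SCM|7036|The ExampleEDR Sensor service entered the stopped state.
2019-08-11T01:02:02|SCM|7036|The ExampleBackup Service service entered the stopped state.
2019-08-11T01:02:03|SCM|7036|The ExampleSQL Agent service entered the stopped state.
2019-08-11T01:02:04|SCM|7036|The ExampleMonitor service entered the stopped state.
2019-08-11T01:02:10|Sysmon|1|C:\Windows\System32\vssadmin.exe delete shadows /all /quiet
2019-08-11T01:02:12|Sysmon|1|C:\Windows\System32\manage-bde.exe -on D: -RecoveryPassword
2019-08-11T01:02:13|Sysmon|1|C:\Windows\System32\notepad.exe C:\readme.txt
"""

# A benign day: one service restart and ordinary process starts.
BENIGN_LOG = r"""
2019-08-11T09:00:00|SCM|7036|The Print Spooler service entered the stopped state.
2019-08-11T09:00:05|Sysmon|1|C:\Windows\System32\notepad.exe C:\notes.txt
"""


def parse_line(line):
    """Split one rendered event into (datetime, source, event_id, detail)."""
    ts, source, event_id, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), source, int(event_id), detail


def detect(log_text, burst_threshold=5, window=timedelta(seconds=60)):
    """Return a list of (rule, timestamp, detail) findings.

    Command findings are emitted per matching process start. A service-stop
    burst is emitted once, when at least `burst_threshold` 7036 events fall
    inside a sliding `window`; a single stop (a normal restart) never fires.
    """
    findings, stops = [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, _source, event_id, detail = parse_line(raw)
        if event_id == 1:
            for rule, patterns in COMMAND_RULES.items():
                if any(p.search(detail) for p in patterns):
                    findings.append((rule, ts, detail))
        elif event_id == 7036:
            match = SERVICE_STOPPED.search(detail)
            if match:
                stops.append((ts, match.group("name")))

    # Sliding window over service stops, sorted by time.
    stops.sort()
    start = 0
    for end in range(len(stops)):
        while stops[end][0] - stops[start][0] > window:
            start += 1
        if end - start + 1 >= burst_threshold:
            names = ", ".join(name for _, name in stops[start:end + 1])
            findings.append(("service_stop_burst", stops[start][0], names))
            break
    return findings


if __name__ == "__main__":
    for rule, ts, detail in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()}  {rule:22}  {detail}")
```

The burst threshold and window are tuning knobs: on a server where a patch cycle legitimately restarts many services at once, raise the threshold or correlate the burst with a following shadow copy deletion before alerting. BitLocker enablement is also a legitimate administrative action, so that rule is best treated as context for the other two rather than as an alert on its own.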

About the author

CIM Team


CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.