Heimdal Security was alerted to an incident that revealed a ransomware attack on Windows systems by a previously unknown actor. The incident was reported to their team on August 11, 2021.
The ransomware note was signed by an actor calling themselves DeepBlueMagic.
This new ransomware actor uses a multi-stage attack and an encryption approach that differs from what other ransomware gangs do.
Researchers observed the actor using a legitimate disk encryption tool, “BestCrypt Volume Encryption” from Jetico, to encrypt not individual files, as is usually the case, but the disk volumes of the server. The system volume (C:\) itself was left unencrypted.
The BestCrypt rescue file, which Jetico normally provides so a damaged partition can be recovered, was present on drive C:. Unlike in legitimate use of the product, the rescue file was itself password-protected and could not be run without the operator's password.
This is a very unusual approach, since most ransomware gangs focus on encrypting files.
The researchers also noticed that the encryption process run through Jetico’s product stopped soon after it was started, so only the volume headers were encrypted. Because the header holds the information needed to access the volume, this is already enough to make the disks unusable. After this initial stage, the attackers can either resume the encryption or use the BestCrypt rescue file to restore the disks. The rescue file, however, was also encrypted by the ransomware operators, which prevents the victim from restoring the volumes themselves and avoiding the ransom.
Before using Jetico’s “BestCrypt Volume Encryption,” the ransomware stopped all third-party Windows services on the machine. This step ensured that no security software was running when encryption began.
DeepBlueMagic’s malware also deleted the Windows Volume Shadow Copies to prevent the disks from being restored to their original state, and it attempted to enable BitLocker on the Windows Server endpoints.
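The behaviours reported above (mass stopping of third-party services, shadow-copy deletion, launching BestCrypt Volume Encryption, and enabling BitLocker) are individually noisy but together form a distinctive chain that a detection engineer can hunt for. The following is an added example, not code from Heimdal or from the actor, showing that hunting logic run over a constructed set of process-creation and service-stop events. The event shape is our own, not Sysmon’s or the Windows Security log’s; `vssadmin delete shadows` and `manage-bde -on` are real Windows command lines, while the BestCrypt executable path and the service names are placeholders.

```python
"""Hunt for the DeepBlueMagic behaviour chain over constructed host events.

Added illustration, not Heimdal's or the actor's code. Event layout, service
names, thresholds and the BestCrypt image path are assumptions for the demo.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "process" (detail = command line) or "service_stop" (detail = service name)
    detail: str


# Command-line indicators. vssadmin and manage-bde are real Windows tools;
# matching BestCrypt by a substring of the image path is an assumption.
CMD_RULES = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "bestcrypt_volume_encryption": re.compile(r"bestcrypt", re.I),
    "bitlocker_enable": re.compile(r"manage-bde(\.exe)?\s+-on\b", re.I),
}

# Services treated as Microsoft-owned and therefore ignored when counting
# third-party stops (placeholder list; a real rule would use the binary's signer).
MICROSOFT_SERVICES = ("wuauserv", "winrm", "spooler", "dnscache")
SERVICE_STOP_THRESHOLD = 5          # stops of distinct third-party services ...
SERVICE_STOP_WINDOW = timedelta(minutes=5)   # ... within this window


def mass_service_stops(events):
    """True if >= SERVICE_STOP_THRESHOLD third-party service stops occur within the window."""
    stops = sorted(e.ts for e in events
                   if e.kind == "service_stop"
                   and e.detail.lower() not in MICROSOFT_SERVICES)
    for i, start in enumerate(stops):
        j = i
        while j < len(stops) and stops[j] - start <= SERVICE_STOP_WINDOW:
            j += 1
        if j - i >= SERVICE_STOP_THRESHOLD:
            return True
    return False


def score_host(events):
    """Return the sorted list of behaviour names observed in one host's events."""
    hits = set()
    for e in events:
        if e.kind == "process":
            for name, rx in CMD_RULES.items():
                if rx.search(e.detail):
                    hits.add(name)
    if mass_service_stops(events):
        hits.add("mass_third_party_service_stop")
    return sorted(hits)


def triage(events, min_behaviours=3):
    """Group events per host; flag a host when it shows at least min_behaviours of the chain."""
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    result = {}
    for host, ev in by_host.items():
        hits = score_host(ev)
        result[host] = (hits, len(hits) >= min_behaviours)
    return result


# Constructed sample: one server showing the full chain, one workstation where
# an admin simply enabled BitLocker by hand.
T0 = datetime(2021, 8, 10, 22, 0, 0)
SAMPLE = [
    Event(T0 + timedelta(seconds=10 * i), "srv-db01", "service_stop", svc)
    for i, svc in enumerate(["BackupAgent", "AVRealtime", "SQLMonitor",
                             "PrinterVendorSvc", "EDRSensor", "Spooler"])
] + [
    Event(T0 + timedelta(minutes=2), "srv-db01", "process",
          r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    Event(T0 + timedelta(minutes=3), "srv-db01", "process",
          r"C:\Program Files\Jetico\BestCrypt Volume Encryption\bcve.exe"),  # path assumed
    Event(T0 + timedelta(minutes=4), "srv-db01", "process",
          r"manage-bde.exe -on D: -RecoveryPassword"),
    Event(T0, "ws-finance", "process", r"manage-bde.exe -on C: -RecoveryPassword"),
]

if __name__ == "__main__":
    for host, (hits, flagged) in triage(SAMPLE).items():
        print(f"{host}: {'ALERT' if flagged else 'ok'} {hits}")
```

The rule deliberately requires several behaviours rather than any one of them: `manage-bde -on` alone is routine administration and a single service stop is nothing, but shadow-copy deletion followed by a third-party disk-encryption tool launching on a server that has just lost its backup and EDR services is worth paging someone over. In production the service-ownership test should use the signer of the service binary rather than a name list, and the `bestcrypt` match should be replaced by the actual image hash or signer once the sample is in hand.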