Researchers at Heimdal Security discovered a new ransomware variant on Wednesday, August 11, 2021, which is being used by a threat group calling itself DeepBlueMagic. This ransomware works in a completely different way from any ransomware found in the past.

This ransomware uses a third-party encryption tool, BestCrypt Volume Encryption from Jetico. Instead of first encrypting the files on the victim's system, the ransomware first targeted the other drives on the server, with the exception of the system drive located on the C:\ partition. BestCrypt Volume Encryption was present on the accessible disk, C:, along with a file called "rescue.rsc", a rescue file commonly used by this class of tools to recover the partition in case of damage. But unlike in legitimate use of the software, the rescue file itself was also encrypted by the product, using the same mechanism and requiring a password to open it.

Unfortunately, DeepBlueMagic ransomware also removes Volume Shadow Copies to ensure that file restoration is not possible. Since it was detected on a Windows server operating system, the ransomware also tried to activate BitLocker on all endpoints of that Active Directory domain, so the best we can do is keep backup copies on separate external devices.

Fortunately, it seems possible to partially bypass this ransomware, or at least that was the case for the compromised server that Heimdal analyzed. According to Heimdal, the affected server was restored because the ransomware only started the encryption process without actually completing it. "Fundamentally, the DeepBlueMagic ransomware only encrypted the headers of the affected partition, to break the function of Windows Shadow Volumes," the researchers shared.
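For defenders who want to check a Windows server for the artifacts described above, here is an added PowerShell triage script. It is example code written for this page, not part of the article or of Heimdal's analysis; it assumes the BestCrypt uninstall entry contains "BestCrypt" in its display name and that the BitLocker PowerShell module is installed where BitLocker status is wanted.

```powershell
# Added triage script (not from the Heimdal report): looks for the artifacts the
# article describes on a Windows server. Run as Administrator.
$findings = @()

# 1. Is BestCrypt Volume Encryption (Jetico) installed? Check the uninstall registry keys.
#    The DisplayName match is an assumption for this example.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$bestCrypt = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*BestCrypt*' }
if ($bestCrypt) { $findings += "BestCrypt installed: $($bestCrypt.DisplayName -join ', ')" }

# 2. Look for rescue.rsc (the BestCrypt rescue file) on every fixed drive.
$fixedDrives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    Select-Object -ExpandProperty DeviceID
foreach ($d in $fixedDrives) {
    $rsc = Get-ChildItem -Path "$d\" -Filter 'rescue.rsc' -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($f in $rsc) { $findings += "Rescue file found: $($f.FullName) (modified $($f.LastWriteTime))" }
}

# 3. Volume Shadow Copies: the ransomware deletes them, so zero copies on a server
#    that normally keeps them is a warning sign worth correlating with the above.
$shadows = @(Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue)
$findings += "Volume Shadow Copies present: $($shadows.Count)"

# 4. BitLocker status per volume, if the BitLocker module is available on this host.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | ForEach-Object {
        $findings += "BitLocker $($_.MountPoint): $($_.VolumeStatus) / protection $($_.ProtectionStatus)"
    }
}

# Print the collected findings; an unexpected BestCrypt install, a rescue.rsc on a data
# drive, or a sudden drop to zero shadow copies each merit an incident-response look.
$findings | ForEach-Object { Write-Output $_ }
```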
