The Information Highway

The Information Highway

Font size: +
2 minutes reading time (446 words)

New Money Message ransomware demands million dollar ransoms

A new ransomware gang named 'Money Message' has appeared, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor.

The new ransomware was first reported by a victim on the BleepingComputer forums on March 28, 2023, with Zscaler's ThreatLabz soon after sharing information on Twitter.

Currently, the threat actor lists two victims on its extortion site, one of which is an Asian airline with annual revenue close to $1 billion. Additionally, the threat actors claim to have stolen files from the company and include a screenshot of the accessed file system as proof of the breach

The group's Tor site (BleepingComputer)

While investigating, BleepingComputer has seen evidence of a potential Money Message breach on a well-known computer hardware vendor. However, we have not been able to independently confirm the attack with the company at this time.

How Money Message encrypts a computer

The Money Message encryptor is written in C++ and includes an embedded JSON configuration file determining how a device will be encrypted.

This configuration file includes what folders to block from encrypting, what extension to append, what services and processes to terminate, whether logging is enabled, and domain login names and passwords likely used to encrypt other devices.

In the sample analyzed by BleepingComputer, the ransomware will not encrypt files in the following folders:

When launched, it will delete Shadow Volume Copies using the following command:

The ransomware will then terminate the following process:

Next, the ransomware shuts down the following Windows services:

When encrypting files, it will not append any extension, but this can change depending on the victim. According to security researcher rivitna, the encryptor uses ChaCha20/ECDH encryption when encrypting files.

Money Message's file encryptor (BleepingComputer)

The only files excluded from encryption by default are:

  • desktop.ini
  • ntuser.dat
  • thumbs.db
  • iconcache.db
  • ntuser.ini
  • ntldr
  • bootfont.bin
  • ntuser.dat.log
  • bootsect.bak
  • boot.ini
  • autorun.inf

During our tests, the encryption of the files by Money Message was fairly slow compared to other encryptors.

After encrypting the device, the ransomware will create a ransom note named money_message.log that contains a link to a TOR negotiation site used to negotiate with the threat actors.

The ransomware will also warn that they will publish any stolen data on their data leak site if a ransom is not paid.

The ransom note (BleepingComputer)

The emergence of the Money Message ransomware group introduces an additional threat that organizations need to watch out for.

Although the encryptor used by the group does not appear sophisticated, it has been confirmed that the operation is successfully stealing data and encrypting devices during their attacks.

Experts will analyze the ransomware, and if a weakness in the encryption is found, we will update this post.

What is the CCPA? Definition and Compliance Guidel...
DISH slapped with multiple lawsuits after ransomwa...
 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023