Rewterz Threat Advisory – Multiple NVIDIA GPU Display Driver Vulnerabilities
April 4, 2023
Rewterz Threat Alert -AsyncRAT – Active IOCs
April 4, 2023
Severity
High
Analysis Summary
Recently, a new ransomware variant called Money Message has surfaced, attacking victims worldwide. The group has been discovered to be demanding ransoms of up to a million dollars in Bitcoin in order to decrypt files. In one of their recent attacks, they targeted an Asian airline with annual revenue close to $1 billion. It was first reported by a victim on researcher forums and then shared by ThreatLabz on Twitter.
Money Message claims to have successfully accessed the company’s file system, providing a screenshot as proof of the breach.

It appears that researchers have seen evidence of a potential breach at a well-known computer hardware vendor linked to the Money Message ransomware gang.
At this time, it has not been confirmed with the company, so it is unclear what specific data or systems may have been affected. It is also unknown whether the company has taken any steps to contain and mitigate the potential breach.
Money Message ransomware encrypts data and generates a ransom letter (“money message.log” file). Unlike other ransomware variants, Money Message does not rename files (it does not append its extension to filenames). Cybercriminals utilize Money Message to extort money from victims.
The Money Message encryptor is written in C++ and includes an embedded JSON configuration file. The use of C++ suggests that the Money Message ransomware is likely well-crafted and may use advanced features to evade detection and carry out its malicious activities. Meanwhile, the inclusion of an embedded JSON configuration file can help the malware determine how to encrypt the device and what files to target.
The configuration file includes several parameters, such as the folders to block from encrypting, the extension to append, the services and processes to terminate, and the login names and passwords likely used to encrypt other devices. These parameters suggest that the encryptor may be designed to prevent certain files from being encrypted, terminate specific services and processes to ensure the encryption process runs smoothly, and use domain login credentials to access other devices and perform encryption.
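The following is an added example for analysts, not code from Rewterz or from the ransomware itself. It shows how an embedded JSON configuration of the kind described above can be pulled out of a binary blob and summarized for detection work (which services and processes the sample tries to stop, which directories it skips, which accounts it carries), without echoing any embedded passwords. The field names (skip_directories, extension, kill_services, kill_processes, credentials) and the sample blob are hypothetical; the advisory describes only the categories of settings, not the real key names.

```python
import json

# Constructed stand-in for an encryptor binary with an embedded JSON
# configuration. The key names are hypothetical; only the categories
# (folders to skip, extension, services/processes to terminate,
# credentials) come from the advisory.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 32 + b"\x00unrelated text { not json"
    + b'{"skip_directories": ["C:\\\\Windows", "C:\\\\Program Files"], '
    b'"extension": "", "kill_services": ["vss", "sql", "backup"], '
    b'"kill_processes": ["sqlservr.exe", "vssvc.exe"], '
    b'"credentials": [{"login": "CORP\\\\svc_backup", "password": "Winter2023!"}]}'
    + b"\x00" * 16 + b"trailing data"
)


def extract_embedded_configs(data: bytes) -> list:
    """Return every JSON object that parses cleanly from anywhere in `data`.

    The blob is decoded as latin-1 so byte offsets map 1:1 to characters,
    then raw_decode() is attempted at each '{'. Candidates that are not
    valid JSON (like '{ not json' above) are skipped.
    """
    text = data.decode("latin-1")
    decoder = json.JSONDecoder()
    found = []
    pos = 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            break
        try:
            obj, end = decoder.raw_decode(text, start)  # end is an absolute index
        except json.JSONDecodeError:
            pos = start + 1
            continue
        if isinstance(obj, dict):
            found.append(obj)
        pos = end
    return found


def summarize_config(cfg: dict) -> dict:
    """Reduce a config to the facts a defender acts on; passwords are dropped."""
    creds = cfg.get("credentials", [])
    return {
        "skip_directories": list(cfg.get("skip_directories", [])),
        # The advisory notes the sample does not rename files; an empty
        # extension field is consistent with that.
        "appends_extension": bool(cfg.get("extension")),
        "kill_services": list(cfg.get("kill_services", [])),
        "kill_processes": list(cfg.get("kill_processes", [])),
        # Logins are useful for hunting (which accounts to reset/monitor);
        # the password values are deliberately never copied into the summary.
        "credential_logins": [c.get("login", "?") for c in creds],
    }


if __name__ == "__main__":
    for cfg in extract_embedded_configs(SAMPLE_BINARY):
        print(json.dumps(summarize_config(cfg), indent=2))
```

The service and process names in the summary are the ones worth feeding into endpoint detection (unexpected stops of backup or database services shortly before mass file writes), and the logins are the accounts to reset and audit if the sample is found in an environment.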
Despite the fact that the group’s encryptor does not appear to be sophisticated, it has been confirmed that the operation is successfully collecting data and encrypting devices throughout their attacks.
To protect your organization from the threat of Money Message and other ransomware attacks, there are various strategies that can be employed. First and foremost, organizations need to ensure that all of their systems are regularly patched and hardened so that vulnerabilities are not exposed.
Impact
- File Encryption
Indicators of Compromise
MD5
- 163e651162f292028ca9a8d7f1ed7340
SHA-256
- bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b
SHA-1
- a85ff9091f298ea2d6823a7b0053daa08b237423
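As an added example (not Rewterz's tooling), the script below hashes every file under a directory in a single pass and reports matches against the MD5, SHA-1 and SHA-256 values listed above, which is the manual form of the "search for IOCs in your environment" step. The self_check() routine builds a throwaway directory with a harmless text file and a constructed plain-text stand-in whose SHA-256 is added to a copy of the IOC set, so the pipeline can be exercised without the real sample; that stand-in is not malware.

```python
import hashlib
import tempfile
from pathlib import Path

# Hashes published in the advisory for the Money Message sample.
MONEY_MESSAGE_IOCS = {
    "md5": {"163e651162f292028ca9a8d7f1ed7340"},
    "sha1": {"a85ff9091f298ea2d6823a7b0053daa08b237423"},
    "sha256": {"bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b"},
}


def hash_file(path, chunk_size=1 << 20) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of one file, reading it only once."""
    digests = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(chunk)
    return {name: d.hexdigest() for name, d in digests.items()}


def match_iocs(digests: dict, iocs=MONEY_MESSAGE_IOCS) -> list:
    """Return the names of the hash algorithms whose value is in the IOC set."""
    return [algo for algo, value in digests.items() if value in iocs.get(algo, set())]


def scan_tree(root, iocs=MONEY_MESSAGE_IOCS) -> list:
    """Walk `root` recursively; return (path, [matched algorithms]) for hits.

    Unreadable files (permissions, transient locks) are skipped rather than
    aborting the scan.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digests = hash_file(path)
        except OSError:
            continue
        matched = match_iocs(digests, iocs)
        if matched:
            hits.append((str(path), matched))
    return hits


def self_check(tmp_root=None) -> list:
    """Exercise the scanner on constructed files; returns the scan hits.

    A benign note and a constructed plain-text 'sample' are written to a
    temporary directory; the sample's SHA-256 is added to a copy of the
    advisory IOC set so exactly one hit is expected.
    """
    root = Path(tempfile.mkdtemp()) if tmp_root is None else Path(tmp_root)
    (root / "notes.txt").write_bytes(b"quarterly report draft\n")
    sample = root / "sub" / "update.bin"
    sample.parent.mkdir(parents=True, exist_ok=True)
    sample.write_bytes(b"constructed stand-in for a flagged file\n")  # not malware
    iocs = {algo: set(values) for algo, values in MONEY_MESSAGE_IOCS.items()}
    iocs["sha256"].add(hash_file(sample)["sha256"])
    return scan_tree(root, iocs)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, algos in (scan_tree(target) if target else self_check()):
        print(f"HIT {path} ({', '.join(algos)})")
```

Run it with a directory argument to scan that tree against the advisory hashes; with no argument it runs the constructed self_check(). Hash matching only finds this exact sample, so treat it as one layer alongside the behavioural signals (service termination, mass file writes, the "money message.log" note) rather than the sole check.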
Remediation
- Block all threat indicators at your respective controls.
- Search for Indicators of Compromise (IOCs) in your environment utilizing your respective security controls.
- Emails from unknown senders should always be treated with caution. Never trust or open links and attachments received from unknown sources/senders.
- Maintain cyber hygiene by updating your anti-virus software and implementing a patch management lifecycle.
- Maintain Offline Backups – In a ransomware attack, the adversary will often delete or encrypt backups if they have access to them. That’s why it’s important to keep offline (preferably off-site), encrypted backups of data and test them regularly.
- Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
- Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
- Additionally, employees need to be trained in cyber security best practices, such as backing up their data, avoiding suspicious links and emails, and not revealing their credentials to unknown sources.
- The measures may also include implementing robust cybersecurity policies and procedures, educating employees on how to identify and prevent ransomware attacks, backing up critical data regularly, and having an incident response plan in place in case of a successful attack. Additionally, it is crucial to stay informed of the latest ransomware trends and threats to ensure that your organization is adequately prepared to defend against them.