Cyble – Demystifying Money Message Ransomware 

Money Message Ransomware Suspected to be Leveraging Stealer Logs

Cyble Research and Intelligence Labs (CRIL) came across a new ransomware group named Money Message. Money Message can encrypt network shares and targets both Windows and Linux operating systems. Upon analyzing Money Message binaries, we noticed a similarity: they contained admin credentials in the configuration, which were then used to target network resources. Based on this, we suspect the threat actors (TA)s might be leveraging stealer logs in their operation.  

The group utilizes a double extortion technique to target its victims, which involves exfiltrating the victim’s data before encrypting it. The group uploads the data on their leak site if the ransom is unpaid.  

Money Message was first observed in March 2023 and has already affected more than five publicly disclosed victims, with the majority of them being from the United States. The victims belong to different industries, including BFSI, Transportation and Logistics, and Professional Services. 

image 2
Figure 1 – Money Message Victim’s Distribution 

Among the victims of Money Message are also a few companies worth billions of dollars. The leak site of Money Message ransomware is displayed in the figure below.  

image 3
Figure 2 – Leak Site 

Technical Analysis

The Money Message ransomware binary (SHA256: dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac) is a 32-bit executable compiled in c/c++.  

The figure below shows the file details.  

image 1
Figure 3 – File Details 

Config Extraction

Upon execution, the ransomware retrieves its configuration settings from the overlay of the ransomware binary. The configuration details are appended to the end of the file at the offset 0XBF000. The configuration contains various parameters, including a ransom note encoded in Base64 format and other settings that determine the ransomware’s behavior during the execution. The following parameters are present in the configuration: 

  • info_text_message 
  • mutex_name 
  • extensions 
  • skip_directories 
  • network_public_key 
  • network_private_key 
  • processes_to_kill 
  • logging 
  • domain_login 
  • domain_password 
  • crypt_only_these_directories 
  • temporary_extension 

The below figure shows the configuration Details of the ransomware. 

Figure 4 – Configuration Details
Figure 4 – Configuration Details 

Infection

Afterward, the ransomware creates a mutex using the CreateMutexA() method, with the name “12345-12345-12235-12354”, which it retrieves from the configuration.  

The figure below illustrates the process of mutex creation by ransomware.  

Figure 5 Creates

Figure 5 – Creates Mutex 

Now it stops the services present in the configuration file. It first opens the Service Control Manager (SCM) by calling OpenSCManagerW() function. It then calls EnumServicesStatusExW() function to enumerate all the services and their status. If any of the services present in the configuration are found to be running, the ransomware stops them using CloseServiceHandle() function 

The ransomware binary stops the following services: 

vss  memtas  Veeam 
sql  mepocs  Backup 
svc$  Sophos  Vmms 

The figure below shows the function responsible for killing services.  

Figure 6 Kills Services
Figure 6 – Kills Services 

Next, the ransomware captures a list of the actively running processes on the victim’s machine by utilizing the CreateToolhelp32Snapshot() function, and then iterates through each process using the Process32FirstW() and Process32NextW() functions. The ransomware then compares the name of each process with the process list specified in its configuration file. If a match is found, the ransomware terminates the process using the TerminateProcess() function. This ransomware terminates the following process. 

sql.exe  sqbcoreservice.exe  mydesktopservice.exe  steam.exe 
oracle.exe  excel.exe  ocautoupds.exe  thebat.exe 
ocssd.exe  infopath.exe  encsvc.exe  thunderbird.exe 
dbsnmp.exe  msaccess.exe  firefox.exe  visio.exe 
synctime.exe  mspub.exe  tbirdconfig.exe  winword.exe 
agntsvc.exe  onenote.exe  mdesktopqos.exe  wordpad.exe 
isqlplussvc.exe  outlook.exe  ocomm.exe  vmms.exe 
xfssvccon.exe  powerpnt.exe  dbeng50.exe  vmwp.exe 

The figure below shows the functions used to identify and terminate processes. 

Figure 7 Terminates Process
Figure 7 – Terminates Process  

Now this ransomware uses ShellExecuteW() function to execute the “vssadmin.exe delete shadows /all /quiet” command, which deletes all Volume Shadow Copy Service (VSS) snapshots on the system without prompting for confirmation.  

The figure below shows the command used by ransomware to delete the shadow copies.  

Figure 8 Deletes Shadow Copies
Figure 8 – Deletes Shadow Copies 

Afterward, the ransomware scans all the available drive letters on the system, starting from A to Z. It uses the GetDriveTypeW() function to identify the type of drive connected to each letter, including fixed, removable, or network drives.  

The figure below shows the part of the ransomware code responsible for identifying the drives on the victim’s machines.  

Figure 9 Identifies Drive
Figure 9 – Identifies Drive 

Now it fetches the list of file extensions to exclude from the encryption process. The configuration in this ransomware binary has no values for the extension parameter, indicating that the ransomware will encrypt all the files.  

It also fetches the following list of directories from the configuration, which will be excluded from the encryption process.  

C:msocache  C:program files (x86) 
C:$windows.~ws  C:program files 
C:system volume information  C:$windows.~bt 
C:perflogs  C:windows 
C:programdata  C:windows.old 
C:boot   

The Money message ransomware initiates its encryption process now. It uses the Elliptic Curve Diffie-Hellman (ECDH) key exchange and ChaCha stream cipher algorithm to encrypt data on a victim’s system and demand a ransom for its release.  

The figure below shows the cryptographic algorithms present in the binary.  

Figure 10 Encryption Algorithm
Figure 10 – Encryption Algorithm 

Like other ransomware groups, this ransomware does not rename the file after encryption. The figure below shows the encrypted file.  

Figure 11 Encrypted File
Figure 11 – Encrypted File 

This ransomware fetches the base64 encoded ransom note from the configuration and then decodes it. It creates a file named money_message.log for writing the ransom note. This note contains the instructions given by the TA.  

image
Figure 12 – Ransom Note 

Lateral Movement 

The Money Message ransomware tries to access administrative network shares by calling WNetAddConnection2W() with admin authentication credentials present in the configuration. Once it has gained access to the network using these credentials, the ransomware begins encrypting files in the network shares.  

The figure below shows the process used by ransomware to encrypt the network shares.  

image 4
Figure 13 – Lateral Movement 

Conclusion 

Money Message is a newly discovered ransomware strain that has victims worldwide. In a specific instance, the group demanded a ransom of USD 500,000, which may vary depending on the targeted organization’s revenue. Additionally, Money Message is capable of encrypting network shares, and its approach to target network shares resembles that of the Maze and Petya ransomware. The fact that the group has already targeted several high-profile organizations, including billion-dollar companies, further highlights the impact of this ransomware. As such, organizations must remain vigilant and take necessary precautions to prevent falling victim to such attacks. 

Our Recommendations 

  

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

Safety Measures Needed to Prevent Ransomware Attacks 

  • Conduct regular backup practices and keep those backups offline or in a separate network.   
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.   
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.   
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.   

Users Should Take the Following Steps After the Ransomware Attack 

  • Detach infected devices on the same network.   
  • Disconnect external storage devices if connected.   
  • Inspect system logs for suspicious events.   

Impact And Cruciality of Ransomware

  • Loss of valuable data.   
  • Loss of the organization’s reputation and integrity.   
  • Loss of the organization’s sensitive business information.   
  • Disruption in organization operation.   
  • Monetary loss.   

  

MITRE ATT&CK® Techniques   

Tactic  Technique ID  Technique Name 
Execution  T1204      User Execution   
Defense Evasion  T1140  
T1562  
Deobfuscate/Decode Files or Information  
Impair Defences  
Discovery  T1007 
T1083   
T1135 
System Service Discovery 
File and Directory Discovery   
Network Share Discovery 
Lateral Movement  T1021  Remote Services 
Impact  T1486   
T1490 
Data Encrypted for Impact   
Inhibit System Recovery 

  

Indicators of Compromise (IOCs)

Indicators   Indicator Type   Description  
400fa5d02c1ac704cd290d959b725e67
456e5cb1739cb5f29020d1a692289a5af07ce90d
dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac 
MD5 
SHA1 
SHA256  
Money Message Windows Executable 
abe3c3cc45dec9c01762ba3e534564ed
3b4ecff980285461642cc4aef60d4a1b9708453e
4f8bd37851b772ee91ba54b8fd48304a6520d49ea4a81d751570ea67ef0a9904 
MD5 
SHA1 
SHA256  
Money Message Linux Executable  
163e651162f292028ca9a8d7f1ed7340
a85ff9091f298ea2d6823a7b0053daa08b237423
bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b 
MD5 
SHA1 
SHA256  
Money Message Windows Executable 

Yara Rules

rule Win32_Rasomoney_message 

meta: 

        description    = “this rule detects money message windows executable” 

strings: 

$a= “TW9uZXkgbWVzc2FnZQ” 

$b= “network_public_key” 

$c= “network_private_key” 

$e= “YmxvZ3ZsN3RqeWp2c2Z0aG9idHR6ZTUydzM2d3dpejM0aHJmY21vcmd2ZHpiNmhpa3VjYjdhcWQub25pb24” 

condition: 

uint16(0) == 0x5A4D and 

($a and $e and $b and $c) 

Source: https://blog.cyble.com/2023/04/06/demystifying-money-message-ransomware/