Money Message Ransomware Suspected to be Leveraging Stealer Logs
Cyble Research and Intelligence Labs (CRIL) came across a new ransomware group named Money Message. Money Message can encrypt network shares and targets both Windows and Linux operating systems. Upon analyzing Money Message binaries, we noticed a similarity: they contained admin credentials in the configuration, which were then used to target network resources. Based on this, we suspect the threat actors (TA)s might be leveraging stealer logs in their operation.
The group utilizes a double extortion technique to target its victims, which involves exfiltrating the victim’s data before encrypting it. The group uploads the data on their leak site if the ransom is unpaid.
Money Message was first observed in March 2023 and has already affected more than five publicly disclosed victims, with the majority of them being from the United States. The victims belong to different industries, including BFSI, Transportation and Logistics, and Professional Services.
Among the victims of Money Message are also a few companies worth billions of dollars. The leak site of Money Message ransomware is displayed in the figure below.
Technical Analysis
The Money Message ransomware binary (SHA256: dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac) is a 32-bit executable compiled in c/c++.
The figure below shows the file details.
Config Extraction
Upon execution, the ransomware retrieves its configuration settings from the overlay of the ransomware binary. The configuration details are appended to the end of the file at the offset 0XBF000. The configuration contains various parameters, including a ransom note encoded in Base64 format and other settings that determine the ransomware’s behavior during the execution. The following parameters are present in the configuration:
- info_text_message
- mutex_name
- extensions
- skip_directories
- network_public_key
- network_private_key
- processes_to_kill
- logging
- domain_login
- domain_password
- crypt_only_these_directories
- temporary_extension
The below figure shows the configuration Details of the ransomware.
Infection
Afterward, the ransomware creates a mutex using the CreateMutexA() method, with the name “12345-12345-12235-12354”, which it retrieves from the configuration.
The figure below illustrates the process of mutex creation by ransomware.
Figure 5 – Creates Mutex
Now it stops the services present in the configuration file. It first opens the Service Control Manager (SCM) by calling OpenSCManagerW() function. It then calls EnumServicesStatusExW() function to enumerate all the services and their status. If any of the services present in the configuration are found to be running, the ransomware stops them using CloseServiceHandle() function.
The ransomware binary stops the following services:
vss | memtas | Veeam |
sql | mepocs | Backup |
svc$ | Sophos | Vmms |
The figure below shows the function responsible for killing services.
Next, the ransomware captures a list of the actively running processes on the victim’s machine by utilizing the CreateToolhelp32Snapshot() function, and then iterates through each process using the Process32FirstW() and Process32NextW() functions. The ransomware then compares the name of each process with the process list specified in its configuration file. If a match is found, the ransomware terminates the process using the TerminateProcess() function. This ransomware terminates the following process.
sql.exe | sqbcoreservice.exe | mydesktopservice.exe | steam.exe |
oracle.exe | excel.exe | ocautoupds.exe | thebat.exe |
ocssd.exe | infopath.exe | encsvc.exe | thunderbird.exe |
dbsnmp.exe | msaccess.exe | firefox.exe | visio.exe |
synctime.exe | mspub.exe | tbirdconfig.exe | winword.exe |
agntsvc.exe | onenote.exe | mdesktopqos.exe | wordpad.exe |
isqlplussvc.exe | outlook.exe | ocomm.exe | vmms.exe |
xfssvccon.exe | powerpnt.exe | dbeng50.exe | vmwp.exe |
The figure below shows the functions used to identify and terminate processes.
Now this ransomware uses ShellExecuteW() function to execute the “vssadmin.exe delete shadows /all /quiet” command, which deletes all Volume Shadow Copy Service (VSS) snapshots on the system without prompting for confirmation.
The figure below shows the command used by ransomware to delete the shadow copies.
Afterward, the ransomware scans all the available drive letters on the system, starting from A to Z. It uses the GetDriveTypeW() function to identify the type of drive connected to each letter, including fixed, removable, or network drives.
The figure below shows the part of the ransomware code responsible for identifying the drives on the victim’s machines.
Now it fetches the list of file extensions to exclude from the encryption process. The configuration in this ransomware binary has no values for the extension parameter, indicating that the ransomware will encrypt all the files.
It also fetches the following list of directories from the configuration, which will be excluded from the encryption process.
C:msocache | C:program files (x86) |
C:$windows.~ws | C:program files |
C:system volume information | C:$windows.~bt |
C:perflogs | C:windows |
C:programdata | C:windows.old |
C:boot |
The Money message ransomware initiates its encryption process now. It uses the Elliptic Curve Diffie-Hellman (ECDH) key exchange and ChaCha stream cipher algorithm to encrypt data on a victim’s system and demand a ransom for its release.
The figure below shows the cryptographic algorithms present in the binary.
Like other ransomware groups, this ransomware does not rename the file after encryption. The figure below shows the encrypted file.
This ransomware fetches the base64 encoded ransom note from the configuration and then decodes it. It creates a file named money_message.log for writing the ransom note. This note contains the instructions given by the TA.
Lateral Movement
The Money Message ransomware tries to access administrative network shares by calling WNetAddConnection2W() with admin authentication credentials present in the configuration. Once it has gained access to the network using these credentials, the ransomware begins encrypting files in the network shares.
The figure below shows the process used by ransomware to encrypt the network shares.
Conclusion
Money Message is a newly discovered ransomware strain that has victims worldwide. In a specific instance, the group demanded a ransom of USD 500,000, which may vary depending on the targeted organization’s revenue. Additionally, Money Message is capable of encrypting network shares, and its approach to target network shares resembles that of the Maze and Petya ransomware. The fact that the group has already targeted several high-profile organizations, including billion-dollar companies, further highlights the impact of this ransomware. As such, organizations must remain vigilant and take necessary precautions to prevent falling victim to such attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
Safety Measures Needed to Prevent Ransomware Attacks
- Conduct regular backup practices and keep those backups offline or in a separate network.
- Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.
- Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.
- Refrain from opening untrusted links and email attachments without verifying their authenticity.
Users Should Take the Following Steps After the Ransomware Attack
- Detach infected devices on the same network.
- Disconnect external storage devices if connected.
- Inspect system logs for suspicious events.
Impact And Cruciality of Ransomware
- Loss of valuable data.
- Loss of the organization’s reputation and integrity.
- Loss of the organization’s sensitive business information.
- Disruption in organization operation.
- Monetary loss.
MITRE ATT&CK® Techniques
Tactic | Technique ID | Technique Name |
Execution | T1204 | User Execution |
Defense Evasion | T1140 T1562 |
Deobfuscate/Decode Files or Information Impair Defences |
Discovery | T1007 T1083 T1135 |
System Service Discovery File and Directory Discovery Network Share Discovery |
Lateral Movement | T1021 | Remote Services |
Impact | T1486 T1490 |
Data Encrypted for Impact Inhibit System Recovery |
Indicators of Compromise (IOCs)
Indicators | Indicator Type | Description |
400fa5d02c1ac704cd290d959b725e67 456e5cb1739cb5f29020d1a692289a5af07ce90d dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac |
MD5 SHA1 SHA256 |
Money Message Windows Executable |
abe3c3cc45dec9c01762ba3e534564ed 3b4ecff980285461642cc4aef60d4a1b9708453e 4f8bd37851b772ee91ba54b8fd48304a6520d49ea4a81d751570ea67ef0a9904 |
MD5 SHA1 SHA256 |
Money Message Linux Executable |
163e651162f292028ca9a8d7f1ed7340 a85ff9091f298ea2d6823a7b0053daa08b237423 bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b |
MD5 SHA1 SHA256 |
Money Message Windows Executable |
Yara Rules
rule Win32_Rasomoney_message
{
meta:
description = “this rule detects money message windows executable”
strings:
$a= “TW9uZXkgbWVzc2FnZQ”
$b= “network_public_key”
$c= “network_private_key”
$e= “YmxvZ3ZsN3RqeWp2c2Z0aG9idHR6ZTUydzM2d3dpejM0aHJmY21vcmd2ZHpiNmhpa3VjYjdhcWQub25pb24”
condition:
uint16(0) == 0x5A4D and
($a and $e and $b and $c)
}
Related
Source: https://blog.cyble.com/2023/04/06/demystifying-money-message-ransomware/