New Ransomware Gang ‘Money Message’ Demands Million-Dollar Ransoms 

A new ransomware group named ‘Money Message’ has appeared and is targeting victims worldwide, demanding million-dollar ransoms in exchange for not leaking stolen data and for releasing a decryptor. The group is already reported to have targeted at least two victims, one of which is an Asian airline with an annual revenue close to $1 billion. The group claims to have stolen files from the company and includes a screenshot of the accessed file system as proof of the breach. This news has raised concerns about the growing number of ransomware attacks.

Money Message ransomware

The Money Message ransomware is written in C++ and includes an embedded JSON configuration file that determines how a device will be encrypted. This configuration specifies which folders to exclude from encryption, which extension to append, which services and processes to terminate, whether logging is enabled, and domain login names and passwords likely used to encrypt other devices.

When launched, the ransomware deletes Shadow Volume Copies and terminates various processes and Windows services. During the encryption process, it does not append any extension, but this can change depending on the victim. The encryptor uses ChaCha20/ECDH encryption when encrypting files, and during our tests, the encryption of files by Money Message was found to be slow compared to other encryptors.

After encrypting the device, the ransomware creates a ransom note named ‘money_message.log’ that contains a link to a TOR site used to negotiate with the threat actors. The note also warns that the threat actors will publish any stolen data on their data leak site if a ransom is not paid.
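Because the encryptor appends no extension by default, the ransom note name is the file-level indicator the behaviour above leaves behind. The following added example (not taken from the article or from any vendor tooling) triages endpoint telemetry for hosts where ‘money_message.log’ was created and raises severity when shadow-copy deletion preceded it. The event schema, the 30-minute window and the two shadow-copy deletion command patterns are assumptions; the article does not say which deletion mechanism the ransomware uses.

```python
import re
from datetime import datetime, timedelta

NOTE_NAME = "money_message.log"  # ransom note name reported in the article
# Assumption: two common shadow-copy deletion command lines; the article does
# not say which mechanism Money Message uses.
VSS_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)
WINDOW = timedelta(minutes=30)  # assumed correlation window

# Constructed sample events; hypothetical schema (time, host, kind, detail).
SAMPLE_EVENTS = [
    ("2023-04-01T10:00:05", "WS-01", "process",
     r"C:\Windows\System32\vssadmin.exe delete shadows /all /quiet"),
    ("2023-04-01T10:07:41", "WS-01", "file_create", r"C:\Users\alice\Documents\money_message.log"),
    ("2023-04-01T10:07:42", "WS-01", "file_create", r"D:\Shares\Finance\MONEY_MESSAGE.LOG"),
    ("2023-04-01T11:15:00", "WS-02", "process", r"vssadmin list shadows"),
    ("2023-04-01T11:20:00", "WS-02", "file_create", r"C:\Temp\money_message.log.bak"),
    ("2023-04-01T12:00:00", "SRV-03", "file_create", r"E:\Data\money_message.log"),
]

def split_path(path):
    """Split a Windows or POSIX path into (directory, lower-cased file name)."""
    parts = re.split(r"[\\/]", path)
    return "\\".join(parts[:-1]), parts[-1].lower()

def triage(events):
    """Map each host that received the ransom note to a severity and note folders."""
    vss_times, notes = {}, {}
    for ts, host, kind, detail in events:
        when = datetime.fromisoformat(ts)
        if kind == "process" and VSS_DELETE.search(detail):
            vss_times.setdefault(host, []).append(when)
        elif kind == "file_create":
            folder, name = split_path(detail)
            if name == NOTE_NAME:  # exact name match, case-insensitive
                notes.setdefault(host, []).append((when, folder))
    findings = {}
    for host, hits in notes.items():
        first_note = min(when for when, _ in hits)
        # Shadow-copy deletion shortly before the first note raises confidence.
        preceded = any(timedelta(0) <= first_note - t <= WINDOW
                       for t in vss_times.get(host, []))
        findings[host] = {
            "severity": "high" if preceded else "medium",
            "first_note": first_note.isoformat(),
            "note_dirs": sorted({folder for _, folder in hits}),
        }
    return findings

if __name__ == "__main__":
    for host, finding in sorted(triage(SAMPLE_EVENTS).items()):
        print(host, finding)
```

The earliest note timestamp per host approximates when encryption finished there, which helps order hosts when scoping the incident.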

Victims and impact

The threat actor behind the Money Message ransomware has targeted at least two victims, with one being an Asian airline with an annual revenue close to $1 billion. The group claims to have stolen files from the company and includes a screenshot of the accessed file system as proof of the breach. The emergence of the Money Message ransomware group introduces an additional threat that organizations need to watch out for. Although the encryptor used by the group does not appear sophisticated, it has been confirmed that the operation is successfully stealing data and encrypting devices during their attacks.

Expert analysis

According to security experts, the Money Message ransomware is not sophisticated. However, it has been confirmed that the operation is successfully stealing data and encrypting devices during its attacks. Experts will analyze the ransomware, and if a weakness in the encryption is found, this post will be updated.

Recap

The emergence of the Money Message ransomware group highlights the importance of implementing robust cybersecurity measures. Organizations need to have appropriate backups and contingency plans in place to avoid being forced to pay ransoms. Additionally, employees should be trained to identify phishing and other social engineering tactics used by threat actors. In the event of a ransomware attack, victims are advised not to pay the ransom, as it may only encourage the threat actors to continue their criminal activities. Instead, they should immediately contact law enforcement agencies and seek help from cybersecurity professionals to recover their data and systems.