
New Money Message ransomware demands million dollar ransoms




A new ransomware gang named ‘Money Message’ has appeared, targeting victims worldwide and demanding million-dollar ransoms in exchange for not leaking data and for releasing a decryptor.

The new ransomware was first reported by a victim on the BleepingComputer forums on March 28, 2023, with Zscaler’s ThreatLabz sharing information on Twitter soon after.

Currently, the threat actor lists two victims on its extortion site, one of which is an Asian airline with annual revenue close to $1 billion. Furthermore, the threat actors claim to have stolen files from the company and include a screenshot of the accessed file system as proof of the breach.

The group’s Tor site (BleepingComputer)

While investigating, BleepingComputer has seen evidence of a possible Money Message breach at a well-known computer hardware vendor. However, we have not been able to independently confirm the attack with the company at this time.

How Money Message encrypts a computer

The Money Message encryptor is written in C++ and includes an embedded JSON configuration file that determines how a device will be encrypted.

This configuration file includes which folders to exclude from encryption, what extension to append, which services and processes to terminate, whether logging is enabled, and domain login names and passwords likely used to encrypt other devices.

In the sample analyzed by BleepingComputer, the ransomware will not encrypt files in the following folders:

  • C:\msocache
  • C:\$windows.~ws
  • C:\system volume information
  • C:\perflogs
  • C:\programdata
  • C:\program files (x86)
  • C:\program files
  • C:\$windows.~bt
  • C:\windows
  • C:\windows.old
  • C:\boot

When launched, it will delete Shadow Volume Copies using the following command:

cmd.com /c vssadmin.exe delete shadows /all /quiet

The ransomware will then terminate the following processes:


Next, the ransomware shuts down the following Windows services:

vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, vmms

When encrypting files, it will not append any extension, but this can change depending on the victim. According to security researcher rivitna, the encryptor uses ChaCha20/ECDH encryption when encrypting files.

Money Message’s file encryptor (BleepingComputer)

The only files excluded from encryption by default are:

  • desktop.ini
  • ntuser.dat
  • thumbs.db
  • iconcache.db
  • ntuser.ini
  • ntldr
  • bootfont.bin
  • ntuser.dat.log
  • bootsect.bak
  • boot.ini
  • autorun.inf

During our tests, the encryption of files by Money Message was fairly slow compared to other encryptors.

After encrypting the device, the ransomware will create a ransom note named money_message.log that contains a link to a TOR negotiation site used to negotiate with the threat actors.

The ransomware will also warn that the threat actors will publish any stolen data on their data leak site if a ransom is not paid.

The ransom note (BleepingComputer)
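As an added example (not code from the article, and unrelated to the ransomware's own code), the following Python sketch turns the behaviours described above into host-level detection logic: it scans constructed, hypothetical telemetry lines for the vssadmin shadow-copy deletion command, stops of the services on the list above, and creation of the money_message.log ransom note, then rates each host. The event format, host names and 15-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Indicators taken from the article: the shadow-copy deletion command, the stopped service list, the note name.
VSSADMIN_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows\s+/all", re.IGNORECASE)
STOPPED_SERVICES = {"vss", "sql", "svc$", "memtas", "mepocs", "sophos", "veeam", "backup", "vmms"}
RANSOM_NOTE = "money_message.log"

# Constructed (hypothetical) telemetry, one event per line: time|kind|host|detail
SAMPLE_EVENTS = """\
2023-03-28T10:00:01|process|WS01|cmd.com /c vssadmin.exe delete shadows /all /quiet
2023-03-28T10:00:03|service_stopped|WS01|veeam
2023-03-28T10:00:03|service_stopped|WS01|vss
2023-03-28T10:05:00|file_created|WS01|C:\\Users\\alice\\Desktop\\money_message.log
2023-03-28T10:00:00|service_stopped|WS02|spooler
2023-03-28T09:00:00|service_stopped|WS03|vss
2023-03-28T09:00:05|process|WS03|vssadmin delete shadows /all /quiet
2023-03-28T11:30:00|service_stopped|WS03|veeam
"""

def parse_events(text):
    """Parse 'time|kind|host|detail' lines into dicts with a datetime timestamp."""
    rows = [line.split("|", 3) for line in text.splitlines() if line.strip()]
    return [{"ts": datetime.fromisoformat(t), "kind": k, "host": h, "detail": d} for t, k, h, d in rows]

def indicator(event):
    """Map one event to an indicator name, or None if it matches nothing from the article."""
    if event["kind"] == "process" and VSSADMIN_RE.search(event["detail"]):
        return "shadow_deletion"
    if event["kind"] == "service_stopped" and event["detail"].lower() in STOPPED_SERVICES:
        return "stop:" + event["detail"].lower()
    if event["kind"] == "file_created" and event["detail"].lower().endswith(RANSOM_NOTE):
        return "ransom_note"
    return None

def classify_hosts(events, window=timedelta(minutes=15)):
    """Per host: 'high' if the ransom note appears, or shadow deletion plus two or more
    listed services stop inside `window`; 'medium' for any lone indicator; else 'none'."""
    hits, levels = {}, {e["host"]: "none" for e in events}
    for e in sorted(events, key=lambda e: e["ts"]):
        if indicator(e):
            hits.setdefault(e["host"], []).append((e["ts"], indicator(e)))
    for host, hs in hits.items():
        levels[host] = "medium"
        for i, (t0, _) in enumerate(hs):
            span = [ind for t, ind in hs[i:] if t - t0 <= window]
            if "ransom_note" in span or ("shadow_deletion" in span and sum(s.startswith("stop:") for s in span) >= 2):
                levels[host] = "high"
                break
    return levels
```

In the sample, WS01 rates high (shadow deletion, two listed services stopped and the note written within minutes), WS02 rates none because the stopped service is not on the list, and WS03 stays medium because its veeam stop falls outside the correlation window.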

The emergence of the Money Message ransomware group introduces an additional threat that organizations need to watch out for.

Although the encryptor used by the group does not appear sophisticated, it has been confirmed that the operation is successfully stealing data and encrypting devices during its attacks.

Experts will analyze the ransomware, and if a weakness in the encryption is found, we will update this post.


