A new ransomware gang named 'Money Message' has appeared, targeting victims worldwide and demanding million-dollar ransoms to not leak data and to release a decryptor.
The new ransomware was first reported by a victim on the BleepingComputer forums on March 28, 2023, with Zscaler's ThreatLabz sharing information on Twitter soon after.
Currently, the threat actor lists two victims on its extortion site, one of which is an Asian airline with annual revenue close to $1 billion. The threat actors also claim to have stolen files from the company and include a screenshot of the accessed file system as proof of the breach.
While investigating, BleepingComputer has seen evidence of a possible Money Message breach at a well-known computer hardware vendor. However, we have not been able to independently confirm the attack with the company at this time.
How Money Message encrypts a computer
The Money Message encryptor is written in C++ and includes an embedded JSON configuration file that determines how a device will be encrypted.
This configuration file includes which folders to block from encryption, which extension to append, which services and processes to terminate, whether logging is enabled, and domain login names and passwords likely used to encrypt other devices.
In the sample analyzed by BleepingComputer, the ransomware will not encrypt files in the following folders:
- C:\msocache
- C:\$windows.~ws
- C:\system volume information
- C:\perflogs
- C:\programdata
- C:\program files (x86)
- C:\program files
- C:\$windows.~bt
- C:\windows
- C:\windows.old
- C:\boot
When launched, it will delete Shadow Volume Copies using the following command:
cmd.com /c vssadmin.exe delete shadows /all /quiet to clear shadow volume copies
The ransomware will then terminate the following processes:
sql.exe,oracle.exe,ocssd.exe,dbsnmp.exe,synctime.exe,agntsvc.exe,isqlplussvc.exe,xfssvccon.exe,mydesktopservice.exe,ocautoupds.exe,encsvc.exe,firefox.exe,tbirdconfig.exe,mdesktopqos.exe,ocomm.exe,dbeng50.exe,sqbcoreservice.exe,excel.exe,infopath.exe,msaccess.exe,mspub.exe,onenote.exe,outlook.exe,powerpnt.exe,steam.exe,thebat.exe,thunderbird.exe,visio.exe,winword.exe,wordpad.exe,vmms.exe,vmwp.exe
Next, the ransomware shuts down the following Windows services:
vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, vmms
When encrypting files, it will not append any extension, but this can change depending on the victim. According to security researcher rivitna, the encryptor uses ChaCha20/ECDH encryption when encrypting files.

The only files excluded from encryption by default are:
- desktop.ini
- ntuser.dat
- thumbs.db
- iconcache.db
- ntuser.ini
- ntldr
- bootfont.bin
- ntuser.dat.log
- bootsect.bak
- boot.ini
- autorun.inf
During our tests, file encryption by Money Message was fairly slow compared to other encryptors.
After encrypting the device, the ransomware will create a ransom note named money_message.log that contains a link to a TOR negotiation site used to negotiate with the threat actors.
The ransomware will also warn that the attackers will publish any stolen data on their data leak site if a ransom is not paid.
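The host-level behaviours described above (shadow copy deletion via vssadmin, stopping of the listed backup and security services, and creation of the money_message.log note) can be correlated per host as a simple detection heuristic. This is an added example, not code from the article, from BleepingComputer or from any vendor; the log line format, the exact-name service matching and the two-indicator threshold are assumptions.

```python
"""Correlate Money Message-style host behaviours from constructed telemetry."""
import re
from collections import defaultdict

# Indicators taken from the article: the shadow-copy deletion command,
# the services the encryptor stops, and the ransom note file name.
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)
STOPPED_SERVICES = {"vss", "sql", "svc$", "memtas", "mepocs",
                    "sophos", "veeam", "backup", "vmms"}
RANSOM_NOTE = "money_message.log"

# Constructed sample telemetry (not real logs): "<time> <host> <event> <detail>"
SAMPLE_LOGS = """\
10:01:02 WS01 ProcessCreate cmd.com /c vssadmin.exe delete shadows /all /quiet
10:01:03 WS01 ServiceStop veeam
10:01:03 WS01 ServiceStop sophos
10:01:04 WS01 ServiceStop vss
10:07:45 WS01 FileCreate C:\\Users\\a\\Desktop\\money_message.log
10:02:10 WS02 ServiceStop spooler
10:02:11 WS02 ProcessCreate vssadmin.exe list shadows
"""


def parse_line(line):
    """Split one telemetry record into (time, host, event, detail)."""
    ts, host, event, detail = line.split(" ", 3)
    return ts, host, event, detail.strip()


def score_hosts(log_text):
    """Return {host: set of matched indicator labels} for hosts with any hit."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        _ts, host, event, detail = parse_line(line)
        if event == "ProcessCreate" and SHADOW_DELETE.search(detail):
            hits[host].add("shadow_copy_deletion")
        elif event == "ServiceStop" and detail.lower() in STOPPED_SERVICES:
            # Exact service-name match is an assumption; the encryptor's own
            # matching rule is not described in the article.
            hits[host].add("service_stop:" + detail.lower())
        elif event == "FileCreate" and detail.lower().endswith(RANSOM_NOTE):
            hits[host].add("ransom_note")
    return dict(hits)


def suspicious_hosts(log_text, min_indicators=2):
    """Hosts showing at least min_indicators distinct indicators (assumed threshold)."""
    return sorted(h for h, ind in score_hosts(log_text).items()
                  if len(ind) >= min_indicators)
```

A single "vssadmin list shadows" or an unrelated service stop, as on WS02 in the sample, does not trip the threshold on its own.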

The emergence of the Money Message ransomware group introduces an additional threat that organizations need to watch out for.
Although the encryptor used by the group does not appear sophisticated, it has been confirmed that the operation is successfully stealing data and encrypting devices during its attacks.
Experts will analyze the ransomware, and if a weakness in the encryption is found, we will update this post.