
New Money Message ransomware demands million dollar ransoms
A new ransomware gang named 'Money Message' has appeared, targeting victims worldwide and demanding million-dollar ransoms in exchange for not leaking stolen data and for releasing a decryptor.
The new ransomware was first reported by a victim on the BleepingComputer forums on March 28, 2023, with Zscaler's ThreatLabz sharing information on Twitter soon after.
At this time, the threat actor lists two victims on its extortion site, one of which is an Asian airline with annual revenue close to $1 billion. The threat actors also claim to have stolen files from the company and include a screenshot of the accessed file system as proof of the breach.
While investigating, BleepingComputer has seen evidence of a possible Money Message breach at a well-known computer hardware vendor. However, we have not been able to independently confirm the attack with the company at this time.
How Money Message encrypts a computer
The Money Message encryptor is written in C++ and includes an embedded JSON configuration file that determines how a device will be encrypted.
This configuration file specifies which folders to exclude from encryption, which extension to append, which services and processes to terminate, whether logging is enabled, and domain login names and passwords likely used to encrypt other devices on the network.
In the sample analyzed by BleepingComputer, the ransomware will not encrypt files in the following folders:
- C:\msocache
- C:\$windows.~ws
- C:\system volume information
- C:\perflogs
- C:\programdata
- C:\program files (x86)
- C:\program files
- C:\$windows.~bt
- C:\windows
- C:\windows.old
- C:\boot
When launched, it deletes Shadow Volume Copies, so that encrypted files cannot be restored from local snapshots, using the following command:
cmd.com /c vssadmin.exe delete shadows /all /quiet
The ransomware then terminates the following processes, which are mostly database, mail, office and virtualization programs whose open file handles would otherwise block encryption:
sql.exe,oracle.exe,ocssd.exe,dbsnmp.exe,synctime.exe,agntsvc.exe,isqlplussvc.exe,xfssvccon.exe,mydesktopservice.exe,ocautoupds.exe,encsvc.exe,firefox.exe,tbirdconfig.exe,mdesktopqos.exe,ocomm.exe,dbeng50.exe,sqbcoreservice.exe,excel.exe,infopath.exe,msaccess.exe,mspub.exe,onenote.exe,outlook.exe,powerpnt.exe,steam.exe,thebat.exe,thunderbird.exe,visio.exe,winword.exe,wordpad.exe,vmms.exe,vmwp.exe
Next, the ransomware stops the following Windows services, which cover backup (vss, veeam, backup), database (sql), security (sophos) and virtualization (vmms) components:
vss, sql, svc$, memtas, mepocs, sophos, veeam, backup, vmms
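The shadow-copy deletion and the service stops above are the most reliable pre-encryption signals a defender can alert on, because both happen before any file is touched. The following is an added example of correlating them, written for this page and not code from BleepingComputer or from the ransomware. The log line format, the `Name=`/`Display=` fields attached to Event ID 7036, and the choice to match the article's service tokens as case-insensitive substrings are all assumptions; the sample events are constructed, not real telemetry.

```python
"""Correlate the vssadmin shadow-copy deletion with the listed services
stopping on the same host within a short window.

Added example; not code from the article or the ransomware. The flattened
log format ("<ISO time> <host> <EventID> <message>") and the field names are
assumptions, not a real SIEM schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the article.
SHADOW_DELETE = re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\s+/all\s+/quiet\b", re.I)
STOPPED_SERVICE_TOKENS = ("vss", "sql", "svc$", "memtas", "mepocs",
                          "sophos", "veeam", "backup", "vmms")

# EventID 1 stands in for Sysmon process creation, 7036 for the System log
# "service entered the stopped state" event. The Name=/Display= pair is an
# assumed SIEM extraction; the raw 7036 message only carries the display name.
EVENT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(.*)$")
CMDLINE_RE = re.compile(r'CommandLine="([^"]*)"')
SERVICE_RE = re.compile(r'ServiceStopped: Name="([^"]*)" Display="([^"]*)"')

# Constructed sample events. FS02 shows the pattern; WS01 and WS03 are benign.
SAMPLE_EVENTS = """\
2023-03-28T10:02:11 WS01 1 ProcessCreate: CommandLine="C:\\Windows\\System32\\svchost.exe -k netsvcs"
2023-03-28T10:05:40 FS02 1 ProcessCreate: CommandLine="cmd.com /c vssadmin.exe delete shadows /all /quiet"
2023-03-28T10:05:41 FS02 7036 ServiceStopped: Name="VSS" Display="Volume Shadow Copy"
2023-03-28T10:05:41 FS02 7036 ServiceStopped: Name="VeeamBackupSvc" Display="Veeam Backup Service"
2023-03-28T10:05:42 FS02 7036 ServiceStopped: Name="Sophos MCS Client" Display="Sophos MCS Client"
2023-03-28T10:06:00 WS01 7036 ServiceStopped: Name="Spooler" Display="Print Spooler"
2023-03-28T11:30:00 WS03 1 ProcessCreate: CommandLine="vssadmin.exe list shadows"
"""


def parse_event(line):
    """Split one flattened log line into its fields, or return None."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, event_id, message = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": int(event_id), "message": message}


def is_shadow_delete(cmdline):
    """True only for the destructive 'delete shadows /all /quiet' form."""
    return bool(SHADOW_DELETE.search(cmdline))


def matched_token(name, display):
    """Return the article's service token the stopped service matches, or None.
    Substring matching on the short and display name is an assumption about
    how the encryptor selects services."""
    hay = f"{name} {display}".lower()
    for token in STOPPED_SERVICE_TOKENS:
        if token in hay:
            return token
    return None


def detect(log_text, window=timedelta(minutes=5), min_services=2):
    """Return one finding per host where a shadow-copy deletion is seen and at
    least `min_services` listed services stopped within `window` of it."""
    per_host = defaultdict(lambda: {"shadow_delete": [], "service_stops": []})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["event_id"] == 1:
            m = CMDLINE_RE.search(ev["message"])
            if m and is_shadow_delete(m.group(1)):
                per_host[ev["host"]]["shadow_delete"].append(ev["ts"])
        elif ev["event_id"] == 7036:
            m = SERVICE_RE.search(ev["message"])
            if m and matched_token(m.group(1), m.group(2)):
                per_host[ev["host"]]["service_stops"].append((ev["ts"], m.group(2)))

    findings = []
    for host, data in sorted(per_host.items()):
        for t0 in data["shadow_delete"]:
            stops = sorted({name for ts, name in data["service_stops"]
                            if t0 - window <= ts <= t0 + window})
            if len(stops) >= min_services:
                findings.append({"host": host, "time": t0.isoformat(),
                                 "services_stopped": stops})
                break  # one finding per host is enough for an alert
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Requiring the service stops in addition to the vssadmin command keeps backup-software maintenance from firing the alert on its own, while the window keeps the rule from correlating unrelated events hours apart. The `list shadows` invocation on WS03 is deliberately not matched.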
When encrypting files, it does not append any extension in this sample, but this could change depending on the victim, since the extension is part of the configuration. According to security researcher rivitna, the encryptor uses ChaCha20/ECDH encryption when encrypting files.

The only files excluded from encryption by default are:
- desktop.ini
- ntuser.dat
- thumbs.db
- iconcache.db
- ntuser.ini
- ntldr
- bootfont.bin
- ntuser.dat.log
- bootsect.bak
- boot.ini
- autorun.inf
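The embedded configuration described above and the two exclusion lists decide which files the encryptor touches. The following is an added example, written for this page and not the ransomware's code, that models only that file-selection part of the configuration: the JSON key names are assumptions, the rule that an excluded folder also covers everything beneath it is an assumption, and the configuration values are constructed from the lists the article gives.

```python
"""Model the encryptor's target selection from a JSON configuration of the
shape the article describes: folders to skip, file names to skip, and an
extension to append (empty in the analyzed sample).

Added example; not the ransomware's code. Key names are assumptions."""
import json
import ntpath

# Constructed configuration using the values the article lists.
SAMPLE_CONFIG = json.loads(r'''{
  "skip_dirs": ["C:\\msocache", "C:\\$windows.~ws", "C:\\system volume information",
                "C:\\perflogs", "C:\\programdata", "C:\\program files (x86)",
                "C:\\program files", "C:\\$windows.~bt", "C:\\windows",
                "C:\\windows.old", "C:\\boot"],
  "skip_files": ["desktop.ini", "ntuser.dat", "thumbs.db", "iconcache.db",
                 "ntuser.ini", "ntldr", "bootfont.bin", "ntuser.dat.log",
                 "bootsect.bak", "boot.ini", "autorun.inf"],
  "extension": "",
  "logging": false
}''')


def _norm(path):
    """Windows paths are case-insensitive and accept either separator, so
    compare lower-cased, backslash-only, collapsed paths."""
    return ntpath.normcase(ntpath.normpath(path))


def will_encrypt(path, config=SAMPLE_CONFIG):
    """True if the encryptor, as modelled here, would encrypt `path`."""
    p = _norm(path)
    skip_files = {f.lower() for f in config["skip_files"]}
    if ntpath.basename(p) in skip_files:
        return False
    for d in config["skip_dirs"]:
        d = _norm(d)
        # Match the folder itself or anything beneath it, but not a sibling
        # that merely shares the prefix (C:\windows2 is not under C:\windows).
        if p == d or p.startswith(d + "\\"):
            return False
    return True


def encrypted_name(path, config=SAMPLE_CONFIG):
    """Name the file would get after encryption; unchanged when the
    configured extension is empty, as in the analyzed sample."""
    ext = config["extension"]
    return path + ext if ext else path


def plan(paths, config=SAMPLE_CONFIG):
    """Return (original, encrypted name) for every path that would be encrypted."""
    return [(p, encrypted_name(p, config)) for p in paths if will_encrypt(p, config)]


if __name__ == "__main__":
    sample = ["C:\\Users\\alice\\Documents\\report.docx",
              "C:\\Windows\\System32\\config\\SAM",
              "C:\\Users\\alice\\desktop.ini",
              "D:\\shares\\finance\\ledger.xlsx"]
    for original, target in plan(sample):
        print(original, "->", target)
```

The separator-boundary check in `will_encrypt` is the detail worth noting: a plain prefix comparison on `C:\program files` would also cover `C:\program files (x86)`, which happens to be harmless here because both are excluded, but it would wrongly exclude `C:\windows2` or `C:\bootstrap` from a list containing `C:\windows` and `C:\boot`.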
During our tests, Money Message's file encryption was fairly slow compared to other encryptors.
After encrypting the device, the ransomware creates a ransom note named money_message.log that contains a link to a Tor negotiation site used to negotiate with the threat actors.
The ransom note also warns that the gang will publish any stolen data on their data leak site if a ransom is not paid.

The emergence of the Money Message ransomware group introduces an additional threat that organizations need to watch out for.
Although the encryptor used by the group does not appear sophisticated, it has been confirmed that the operation is successfully stealing data and encrypting devices during its attacks.
Researchers are analyzing the ransomware, and if a weakness in the encryption is found, we will update this post.