A Million-Dollar Ransom: Money Message Delivered

When a ransomware group targets a company, the goal is financial gain. The price varies with the impact on the victim, but a demand of a million dollars is huge, especially coming from a group that is new to the scene: Money Message.

The newcomers have arrived with a bang, demanding $1 million from victims in exchange for a decryptor and a promise not to leak the stolen data.

The capabilities of Money Message are still limited compared to well-established ransomware groups, but the operation is effective nonetheless. Here is what we know about this new threat.

A Money Message Worth a Million

Ransomware campaigns rely on infiltrating the victim's systems, encrypting their files, and leaving a ransom note demanding a certain amount of money for a decryptor.

If the ransom is not paid, the threat actors threaten to leak the stolen data online, which can cause major problems for those affected.

In some cases, the ransom note states the price. In most, though, the cybercriminals leave a link that takes the victim to a page where the price is negotiated.

Ransomware groups naturally target large companies that can pay. For example, a while ago, BlackCat targeted a Colombian energy supplier (EPM), and unknown threat actors infiltrated Wabtec in a ransomware attempt.

These are big companies that generate a lot of revenue, which makes them targets of such campaigns. The ransom varies, but in this particular campaign it is huge.

A one-million-dollar ransom demanded by a new group is unusual; even well-established groups do not always ask for such a price.

As we mentioned, the group is new, but it already has two victims to date. One of them is an Asian airline with annual revenue of close to $1 billion.

Money Message Profile

There are also rumors that Money Message has breached a well-known computer hardware vendor, but no official information has been provided.

Money Message – Modus Operandi 

Here is how Money Message operates. The encryptor is written in C++ and uses an embedded JSON configuration that drives how it examines files and chooses which ones to encrypt.

The following files are excluded from encryption. They are Windows boot and per-user profile files; skipping them keeps the machine bootable so the victim can still read the ransom note:

  • ntuser.ini
  • ntldr
  • ntuser.dat.log
  • bootsect.bak
  • boot.ini
  • autorun.inf
  • bootfont.bin
  • desktop.ini
  • ntuser.dat
  • thumbs.db
  • iconcache.db

According to Bleeping Computer, the ransomware is not as effective as other families. In particular, it encrypts files noticeably more slowly than other encryptors.

Once encryption is done, the ransomware drops a ransom note named money_message.log, containing a link to a Tor site where the ransom is negotiated.
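To make the selection rule concrete, here is an added Python example written for this page. It is not Money Message's own C++ code and does not reproduce its real configuration schema: it reads a constructed JSON config carrying the skip list quoted above, walks a constructed sample directory tree to show which files that rule would encrypt, and, on the defender's side, hunts the same tree for dropped money_message.log notes. The "skip_files" key and the sample file tree are assumptions; the note filename and the skip list come from the article.

```python
import json
import os
import tempfile
from pathlib import Path

# Constructed configuration mirroring the skip list quoted above. The key name
# "skip_files" is an assumption for illustration, not the encryptor's real schema.
SAMPLE_CONFIG = json.dumps({
    "skip_files": [
        "ntuser.ini", "ntldr", "ntuser.dat.log", "bootsect.bak", "boot.ini",
        "autorun.inf", "bootfont.bin", "desktop.ini", "ntuser.dat",
        "thumbs.db", "iconcache.db",
    ]
})

# Ransom note filename reported for Money Message.
RANSOM_NOTE_NAME = "money_message.log"


def load_skip_list(config_text: str) -> set:
    """Parse the JSON config and return the skip list, lower-cased because
    Windows filesystems match names case-insensitively (NTUSER.DAT == ntuser.dat)."""
    return {name.lower() for name in json.loads(config_text)["skip_files"]}


def select_targets(root: str, skip_names: set) -> list:
    """Walk the tree and return the files the selection rule would encrypt:
    every regular file except skip-listed names and any ransom note already
    dropped (an encryptor must not encrypt its own note)."""
    targets = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            if lowered in skip_names or lowered == RANSOM_NOTE_NAME:
                continue
            targets.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(targets)


def find_ransom_notes(root: str) -> list:
    """Defender's side: hunt a tree for dropped money_message.log notes."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if name.lower() == RANSOM_NOTE_NAME:
                hits.append(Path(dirpath, name).relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(root: str) -> None:
    """Constructed sample: two user documents, skip-listed system files (one in
    upper case to exercise case-insensitive matching), and a note already dropped."""
    sample = {
        "Users/alice/Documents/report.docx": b"quarterly numbers",
        "Users/alice/Pictures/holiday.jpg": b"\xff\xd8\xff",
        "Users/alice/Desktop/desktop.ini": b"[.ShellClassInfo]",
        "Users/alice/NTUSER.DAT": b"regf",
        "boot.ini": b"[boot loader]",
        "Users/alice/Documents/money_message.log": b"see the tor link",
    }
    for rel, data in sample.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)


def run_demo() -> tuple:
    """Build the sample tree in a temp dir and return (targets, notes)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        targets = select_targets(root, load_skip_list(SAMPLE_CONFIG))
        notes = find_ransom_notes(root)
    return targets, notes


if __name__ == "__main__":
    would_encrypt, notes_found = run_demo()
    print("would encrypt:", would_encrypt)
    print("ransom notes found:", notes_found)
```

Running the block shows only the two user documents selected; desktop.ini, NTUSER.DAT and boot.ini survive because of the skip list, and the dropped note is skipped by the encryptor but found by the hunt. The case-folding matters in practice: a detection or triage script that compares names case-sensitively will miss files NTFS treats as identical.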

[Image: Money Message ransom note]

As seen in the note, Money Message warns that it will publish the stolen files if no deal is reached. While the group is still new, it is an additional threat that organizations need to watch out for.

One Heck of a Ransom – Message Received

The number of ransomware groups keeps growing. There is no telling when the next one will show up, presenting new threats to organizations everywhere.

Even if you are an individual with nothing to do with "billions in revenue," you should stay vigilant when handling your data and email.

Treat every unexpected email as potential phishing. Rather than clicking a link in a message, type the address you already know into your browser yourself, unless you are certain the message comes from a legitimate source. Stay safe.

