In the fast-paced digital landscape, cyber threats have unfortunately become a common occurrence. One of the most pernicious threats to emerge recently is a cybercriminal group known as Money Message. In this blog post, we’ll walk you through our analysis of their modus operandi, detailing their tactics and providing tips to keep your data safe.
Who is Money Message?
Active since March 2023, Money Message has been causing havoc across the internet, affecting companies and organizations alike. Unlike typical ransomware which marks encrypted files with a unique extension, Money Message subtly encrypts your files without altering their names. The only trace of their activity is a mysterious file named “money_message.log,” which appear in the root folder of the infected drive.
This group uses this ransom note to extort money from their victims, demanding ransoms in the millions of dollars. Money Message doesn’t hesitate to publicize stolen data if the ransom isn’t paid, as demonstrated by several high-profile companies who’ve had their data published on the group’s blog.
Their targets and method of operation
Money Message has been linked to several attacks on companies including Hawaii Self Storage, Biman Airlines, Lpa-group.com, and Micro Star International, to name a few. Interestingly, the group uses a mix of date formats (MM.DD.YYYY, DD-MM-YYYY, DD.MM.YYYY), possibly as a distraction or to confuse victims.
Key features of money message ransomware
Money Message’s ransomware is unique in many ways. For starters, it uses Microsoft Visual C/C++ and performs double extortion attacks. While it doesn’t add an extension to encrypted files, it actively removes Windows volume shadow copies (backups of files), adding another layer of complexity for victims seeking to recover their data. The ransomware employs a robust encryption algorithm known as ChaCha20/ECDH to make sure the data remains inaccessible until the ransom is paid.
Understanding the attack process
Understanding how the ransomware infects systems can provide valuable insights into preventing such attacks. When the ransomware is launched, it first establishes its dominance by creating a unique identification code or “mutex” to prevent other instances of the same ransomware from running. It then begins its attack by stopping key services related to databases and backup systems, making it harder for victims to recover their data.
Next, the ransomware starts the process of deleting shadow copies to inhibit system recovery and begins searching local drives for files to encrypt. Files stored in key Windows directories are exempt from encryption, likely to keep the system functional and to not arouse suspicion.
Once this prep work is done, Money Message drops its ransom note and starts encrypting files using a public key. In some instances, the ransomware attempts to reach out and encrypt files on remote machines too, if the connections can be made.
1. Post encryption: The ransom note
Once the files have been encrypted, victims will find a ransom note in their C: drive, named money_message.log. The note warns victims about their predicament and outlines the terms for data decryption. It emphasizes the need for a specific decryption tool which can only be acquired by paying the ransom. Furthermore, the note warns victims against attempting self-decryption, citing the risk of irreparable damage to the encrypted files. It also threatens victims with the publication of their encrypted data online if the ransom isn’t paid.
2. Tech talk: Binary code
For the more technically minded readers, the ransomware performs a series of functions before, during, and after the encryption process. These include parsing file size, stopping services, terminating processes, removing shadow copies, dropping ransom notes, and finally, the encryption of files.
3. A more recent variant
Recent analysis shows that the ransomware is being continually updated. A variant discovered with a timestamp from late March 2023 contained similar functionalities with slight modifications like encoded login details and a new configuration item for a temporary extension.
How to protect yourself from Money Message
The key to staying safe from threats like Money Message is taking preventive measures. We recommend:
- Using a reliable antivirus and internet security suite.
- Refraining from clicking on suspicious links.
- Verifying the legitimacy of email attachments before opening.
- Regularly backing up data and storing it on a separate network.
- Keeping your operating system and software updated.
Money Message represents a new wave of cyber threats that are not just technologically advanced but also tactically innovative. Like many other ransomware, the Money Message tool is uploaded and used by attackers tailored to each victim. It’s essential for organizations and individuals to stay informed and take necessary precautions to prevent becoming a victim. Our team at Gen Digital, parent company of Norton, Avast, Norton LifeLock, CCleaner, and Avira, will continue to monitor and provide updates on this and other cyber threats.
About the Author
This report was prepared by Dhebika.S, a Threat Analysis Engineer at our Threat Protection Labs. With over six years in the security industry, Dhebika specializes in researching emerging threats and developing efficient detection methods.