DeepBlueMagic Ransomware Executes Attacks through a 3rd-party Encryption Tool

DeepBlueMagic seems to be a new ransomware gang, which is currently compromising systems running Windows Server 2012 R2. The exact infection vector that the criminals rely on is not clear and, unfortunately, analyzing their payload has proven to be difficult as well. The reason for this is that the DeepBlueMagic Ransomware uses a 3rd-party utility to encrypt the victim's data, and it deletes the original payload as soon as the attack commences.

The modus operandi of the DeepBlueMagic Ransomware is very interesting, and very few file-lockers operate in a similar manner. Instead of encrypting individual files, this ransomware encrypts entire partitions and drives – it only skips the C:\ system drive. This measure is not uncommon since the criminals want the victim to be able to boot up their systems.

Of course, the authors of the DeepBlueMagic Ransomware are after a ransom fee – their demands are described in the ransom message 'Hello Word.' The note they leave appears to be tailored to each victim individually, so it is likely that the criminals execute the ransomware manually. Another fact supporting this argument is that the infected systems were thoroughly cleaned of any traces.

How Does the DeepBlueMagic Ransomware Attack?

When this ransomware runs, it uses a 3rd-party file-encryption utility called BestCrypt Volume Encryption. This is a legitimate tool, but criminals are using it with malicious intent. This utility can encrypt entire partitions/drives, and the actors are making use of this exact feature. However, the DeepBlueMagic Ransomware performs some extra tasks as well:

  • It stops third-party applications and Windows services so that no open files or locks interfere with the encryption, allowing it to complete with minimal issues.
  • The ransomware tries to stop antivirus products and tools.
  • It wipes out Shadow Volume Copies and disables the System Restore Service.

A peculiar quirk of the DeepBlueMagic Ransomware is that the utility it uses to encrypt files normally provides a recovery option – the file 'rescue.rsc.' Under normal use, this file lets users recover their drives after accidental encryption. Unfortunately, the DeepBlueMagic Ransomware makes sure that this file is not available, thereby eliminating the victim's only data recovery option.

Victims of the DeepBlueMagic Gang Might be Able to Recover

Unsurprisingly, the authors of the DeepBlueMagic Ransomware are after the money of the victim. Their ransom note demands a ransom payment through cryptocurrency. We assure you that paying is a terrible idea – the criminals might scam you with ease. The best way to proceed would be to recover the lost files from a backup. However, an alternative may be available.

Cybersecurity experts who experimented with DeepBlueMagic Ransomware report that its encryption was not complete. Instead of encrypting the entirety of the drive, the utility only tampered with volume headers and then ceased the process. Unfortunately, this is still enough to cause plenty of damage. However, by running similar drive-encrypting software and stopping the encryption task as soon as it initializes, it is possible to reproduce the same result as the DeepBlueMagic Ransomware. By doing so, it might be possible to reverse-engineer the process and fix the encrypted drives. It is recommended to seek professional assistance for this recovery option.
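As an added forensic triage example (not part of the original article), the script below tells header-only tampering apart from full-volume encryption by checking whether the first sector still carries an NTFS boot-sector signature and by sampling the entropy of data deeper in the volume. The NTFS signature offsets are standard; the entropy threshold, the sampling scheme and the constructed in-memory image are assumptions made for this example.

```python
"""Triage a raw volume image: intact, header-only damage, or likely full encryption."""
import math
import random

SECTOR = 512
CHUNK = 4096          # sampling window for entropy estimates
HIGH_ENTROPY = 7.0    # bits/byte; uniform random data scores ~7.9 at this window size


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8 for ciphertext or random data, ~4-5 for text, lower for sparse data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def header_looks_like_ntfs(sector0: bytes) -> bool:
    """An NTFS boot sector carries the OEM ID 'NTFS    ' at offset 3 and 0x55AA at offset 510."""
    return sector0[3:11] == b"NTFS    " and sector0[510:512] == b"\x55\xaa"


def triage_volume(image: bytes, samples: int = 8) -> str:
    """Classify an image as 'intact', 'header-only-damage' or 'likely-full-encryption'."""
    header_ok = header_looks_like_ntfs(image[:SECTOR])
    # Sample evenly spaced chunks beyond the boot sector and count the high-entropy ones.
    step = max((len(image) - SECTOR) // samples, CHUNK)
    offsets = range(SECTOR, len(image) - CHUNK + 1, step)
    high = [shannon_entropy(image[o:o + CHUNK]) > HIGH_ENTROPY for o in offsets]
    body_encrypted = bool(high) and sum(high) / len(high) >= 0.5
    if body_encrypted:
        return "likely-full-encryption"
    return "intact" if header_ok else "header-only-damage"


def build_sample_image(tamper_header: bool, encrypt_body: bool, seed: int = 1) -> bytes:
    """Constructed test image (assumption): a minimal NTFS-like boot sector plus 64 KiB of file data."""
    rng = random.Random(seed)
    header = bytearray(SECTOR)
    header[3:11] = b"NTFS    "
    header[510:512] = b"\x55\xaa"
    body = (b"quarterly-report.docx payload line " * 2000)[:64 * 1024]
    if tamper_header:   # header overwritten with random bytes, as a header-only attack leaves it
        header = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    if encrypt_body:    # stand-in for ciphertext: uniformly random bytes
        body = bytes(rng.getrandbits(8) for _ in range(len(body)))
    return bytes(header) + body
```

Run `triage_volume` over the first few megabytes of a forensic image of the affected drive (never the live disk); a `header-only-damage` result is the case where a recovery attempt along the lines described above is worth pursuing.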

August 16, 2021
