A brand-new ransomware gang has surfaced on the cyber threat landscape. Dubbed ‘Money Message’, the insidious outfit is now targeting victims around the world and demanding million-dollar ransom payments in exchange for decryption keys.

The new ransomware operation was initially reported by one of its victims on the forums of IT help site BleepingComputer, run by owner and editor Lawrence Abrams, towards the end of March. However, the gang’s activities were detailed soon after on social media when Zscaler’s ThreatLabz shared information via Twitter.

Status and Strategy of Money Message

Presently, the Money Message ransomware gang is listing two victims on its dedicated extortion site, with one of them being a notable Asian airline enjoying annual revenues of almost $1 billion. The threat operators claim that they have stolen files from the enterprise and, as proof of their activities, have included a screenshot of the file system that they managed to access. Evidence has also surfaced of a Money Message breach attempt on a well-established computer hardware vendor.

The Money Message gang’s encryptor is written in C++ and carries an embedded JSON configuration that determines how a computer will be encrypted. The configuration lists which folders are exempt from encryption, which extension to append to encrypted files, and which processes and services to terminate before encryption starts.

In a sample analysed by BleepingComputer, the site found that the ransomware does not encrypt files in certain folders, including C:\boot and C:\Program Files. Once launched, it deletes Shadow Volume Copies with a specific command before terminating critical processes and stopping Windows services that would otherwise hold files open or allow recovery, such as backup and SQL services, among others.
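The pre-encryption sequence described above (delete shadow copies, then stop backup and database services) is the part of a ransomware run that is most visible in process-creation telemetry, so it is worth detecting before any file is touched. The following is an added example, not code from the article or from any analysis of the Money Message sample: the article does not name the exact command the encryptor uses, so the patterns below are the commonly abused shadow-copy deletion commands (vssadmin, wmic, wbadmin, WMI via PowerShell) and the watch-list of backup/SQL service names is an assumption you would tune to your own estate. The events are constructed Sysmon Event ID 1 style records, not real telemetry.

```python
import re
from datetime import datetime, timedelta

# Constructed sample process-creation events (assumption: illustrative only,
# shaped like Sysmon Event ID 1 / EDR records; not real Money Message telemetry).
SAMPLE_EVENTS = [
    {"ts": "2023-03-28T02:14:05Z", "host": "FS01", "parent": r"C:\Users\svc\unknown.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2023-03-28T02:14:06Z", "host": "FS01", "parent": r"C:\Users\svc\unknown.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2023-03-28T02:14:07Z", "host": "FS01", "parent": r"C:\Users\svc\unknown.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"ts": "2023-03-28T02:14:08Z", "host": "FS01", "parent": r"C:\Users\svc\unknown.exe",
     "cmdline": "sc stop VSS"},
    # Benign admin activity on another host: listing, not deleting, shadow copies.
    {"ts": "2023-03-28T09:00:00Z", "host": "WS17", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "vssadmin list shadows"},
    {"ts": "2023-03-28T09:01:00Z", "host": "WS17", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "net use Z: \\\\fs01\\share"},
]

# Commonly abused shadow-copy deletion invocations (assumption: generic ransomware
# TTPs, not the specific command in the Money Message sample).
SHADOW_DELETE = [
    re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+(?:catalog|systemstatebackup)", re.I),
    re.compile(r"Win32_ShadowCopy.*\.Delete\(\)", re.I),          # PowerShell/WMI variant
]

# "net stop X", "net1 stop X", "sc stop X", with or without a quoted service name.
SERVICE_STOP = re.compile(r'\b(?:net1?|sc)(?:\.exe)?\s+stop\s+(?:"([^"]+)"|(\S+))', re.I)

# Backup- and database-related services worth alerting on (assumption: tune per estate).
WATCHED_SERVICES = {
    "mssqlserver", "sqlserveragent", "sqlwriter", "sqlbrowser",
    "vss", "swprv", "wbengine", "veeambackupsvc", "backupexecjobengine",
}


def classify(event):
    """Return the detection tags that fire on one event (empty list = nothing fired)."""
    cmd = event["cmdline"]
    tags = []
    if any(p.search(cmd) for p in SHADOW_DELETE):
        tags.append("shadow_copy_deletion")
    m = SERVICE_STOP.search(cmd)
    if m:
        svc = (m.group(1) or m.group(2)).lower()
        tags.append("watched_service_stop" if svc in WATCHED_SERVICES else "service_stop")
    return tags


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def triage(events, window=timedelta(minutes=5)):
    """Per host, collect fired tags and assign a severity.

    high:   shadow-copy deletion and a watched-service stop within `window`
            (the pre-encryption sequence the article describes);
    medium: shadow-copy deletion alone;
    low:    a watched-service stop alone;
    info:   only stops of services outside the watch-list.
    Hosts with no hits are omitted.
    """
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        for tag in classify(ev):
            by_host.setdefault(ev["host"], []).append((_ts(ev["ts"]), tag, ev["cmdline"]))

    result = {}
    for host, hits in by_host.items():
        tags = {t for _, t, _ in hits}
        severity = "low" if "watched_service_stop" in tags else "info"
        if "shadow_copy_deletion" in tags:
            severity = "medium"
            dels = [t for t, tag, _ in hits if tag == "shadow_copy_deletion"]
            stops = [t for t, tag, _ in hits if tag == "watched_service_stop"]
            if any(abs(d - s) <= window for d in dels for s in stops):
                severity = "high"
        result[host] = {"severity": severity, "tags": sorted(tags), "hits": hits}
    return result


if __name__ == "__main__":
    for host, summary in triage(SAMPLE_EVENTS).items():
        print(host, summary["severity"], summary["tags"])
        for when, tag, cmd in summary["hits"]:
            print("   ", when.isoformat(), tag, "<-", cmd)
```

Correlating the two behaviours on the same host within a short window is what separates the ransomware sequence from a lone administrator running `net stop` or a backup product cleaning up old shadow copies; a single `vssadmin delete shadows` still deserves a look, but it is the combination that should page someone.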

When encrypting files, the Money Message sample analysed does not append any extension. Since the extension is a field in the embedded configuration, this could change from victim to victim. Security researcher Rivitna found that the encryptor uses ChaCha20/ECDH encryption, that is, ECDH for key establishment and ChaCha20 as the file cipher, when locking users out of their data.

By default, certain files are excluded from encryption. These include desktop.ini, thumbs.db, ntuser.dat, ntuser.ini, iconcache.db, ntldr, bootfont.bin, bootsect.bak, autorun.inf, ntuser.dat.log and boot.ini.

Encryption analysis

In tests of files encrypted by Money Message, researchers found the encryption process relatively slow compared with the encryptors deployed by other ransomware gangs.

After a device has been encrypted, the Money Message ransomware drops a ransom note named “money_message.log”. The note contains the link to a Tor negotiation site used to negotiate with the gang.

The note also warns victims that any stolen data will be published on the gang’s data leak site if the ransom is not paid.

The emergence of the Money Message outfit adds one more threat that organisations must be on alert for. While the encryption the gang deploys does not seem sophisticated, the operation is still using it successfully to steal data and encrypt devices in attacks. Cybersecurity experts continue to analyse the new threat, seeking weaknesses in the encryption in use.