Cyble – Demystifying Money Message Ransomware 

Money Message is a newly found ransomware family that can encrypt network shares on Windows and Linux, using admin credentials embedded in its config to access network resources. It employs double extortion by exfiltrating data before encryption and publishing it on a leak site if the ransom isn’t paid.
#MoneyMessage #Maze

Keypoints

  • New ransomware family named Money Message can encrypt both local drives and network shares on Windows and Linux.
  • The group appears to leverage credentials stored in the binary’s configuration to reach and encrypt network resources.
  • Double extortion: data is exfiltrated before encryption and may be published on a leak site if the ransom is unpaid.
  • First observed in March 2023 with victims across multiple industries (BFSI, Transportation/Logistics, Professional Services) and several high-profile U.S. targets.
  • The malware’s configuration is appended to the binary’s end (offset 0xBF000) and includes parameters such as mutex_name, network keys, and processes_to_kill.

MITRE Techniques

  • [T1007] System Service Discovery – The ransomware enumerates system services and their status, then stops those listed in the configuration. “EnumServicesStatusExW() function to enumerate all the services and their status. If any of the services present in the configuration are found to be running, the ransomware stops them using CloseServiceHandle.”
  • [T1083] File and Directory Discovery – It scans drives to determine what to encrypt, enumerating drive letters and identifying the type of each drive. “Now it scans all the available drive letters on the system, starting from A to Z. It uses the GetDriveTypeW() function to identify the type of drive connected to each letter.”
  • [T1135] Network Share Discovery – It targets network shares as part of its lateral movement. “The Money Message ransomware tries to access administrative network shares by calling WNetAddConnection2W() with admin authentication credentials present in the configuration.”
  • [T1021] Remote Services – Uses the credentials stored in its configuration to access and encrypt resources over the network. “Once it has gained access to the network using these credentials, the ransomware begins encrypting files in the network shares.”
  • [T1057] Process Discovery – Captures and iterates over actively running processes to determine targets to terminate. “The ransomware captures a list of the actively running processes on the victim’s machine by utilizing the CreateToolhelp32Snapshot() function, and then iterates through each process using the Process32FirstW() and Process32NextW() functions.”
  • [T1105] Inhibit System Recovery / [T1490] Inhibit System Recovery – Deletes shadow copies to hinder recovery. “uses ShellExecuteW() function to execute the “vssadmin.exe delete shadows /all /quiet” command, which deletes all Volume Shadow Copy Service (VSS) snapshots on the system without prompting for confirmation.”
  • [T1140] Deobfuscate/Decode Files or Information – Handles encoded ransom note and decoding steps. “The ransomware fetches the base64 encoded ransom note from the configuration and then decodes it.”
  • [T1562] Impair Defenses – Stops security-related services to weaken defenses. “The ransomware stops the following services: vss, memtas, Veeam, sql, …”
  • [T1486] Data Encrypted for Impact – Encrypts data using strong crypto (ECDH for key exchange and ChaCha cipher). “It uses the Elliptic Curve Diffie-Hellman (ECDH) key exchange and ChaCha stream cipher algorithm to encrypt data.”
  • [T1021.002] SMB/Windows Admin Shares – Lateral movement into network shares via Windows admin shares using credentials from config. “Money Message ransomware tries to access administrative network shares by calling WNetAddConnection2W with admin authentication credentials present in the configuration.”
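As an added defender-side example that is not part of the Cyble report: Python detection logic for two behaviours the techniques above describe, the vssadmin shadow-copy deletion (T1490) and a burst of stops of the backup and database services the report names (T1562), run over constructed sample telemetry. The event tuples, hostnames and time window are assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Service-name fragments the report lists as stopped before encryption
# (the page's list is truncated; these four are the ones it shows).
TARGETED_SERVICES = ("vss", "memtas", "veeam", "sql")

# vssadmin shadow deletion in any argument order or casing, e.g.
# "vssadmin.exe delete shadows /all /quiet" or "VSSADMIN Delete Shadows /For=D: /Quiet"
VSSADMIN_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\b.*\bshadows\b", re.IGNORECASE)

def is_shadow_deletion(cmdline):
    """True if a process command line deletes VSS snapshots (T1490)."""
    return bool(VSSADMIN_DELETE.search(cmdline))

def hosts_with_service_stop_burst(stop_events, threshold=2, window_s=120):
    """stop_events: (host, ts_seconds, service_name) from 'entered the stopped state' logs.
    Returns hosts where at least `threshold` targeted services stopped within `window_s`."""
    per_host = defaultdict(list)
    for host, ts, svc in stop_events:
        name = svc.lower()
        if any(frag in name for frag in TARGETED_SERVICES):  # substring match, as the list suggests
            per_host[host].append((ts, name))
    flagged = set()
    for host, stops in per_host.items():
        stops.sort()
        for i, (t0, _) in enumerate(stops):
            names = {n for t, n in stops[i:] if t - t0 <= window_s}
            if len(names) >= threshold:
                flagged.add(host)
                break
    return flagged

# Constructed sample telemetry (hypothetical hosts and timestamps, not from the report)
PROC_EVENTS = [
    ("WS01", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ("WS01", "vssadmin.exe delete shadows /all /quiet"),
    ("WS02", "VSSADMIN Delete Shadows /For=D: /Quiet"),
    ("WS03", "vssadmin.exe list shadows"),                 # benign enumeration, not deletion
]
STOP_EVENTS = [
    ("WS01", 1000, "VSS"), ("WS01", 1003, "MSSQLSERVER"), ("WS01", 1005, "VeeamBackupSvc"),
    ("WS02", 2000, "Spooler"), ("WS02", 2001, "VSS"),       # a single targeted stop is not enough
    ("WS03", 3000, "memtas"), ("WS03", 9000, "VSS"),        # two stops, but far apart in time
]

def alerts():
    shadow = {host for host, cmd in PROC_EVENTS if is_shadow_deletion(cmd)}
    return {"shadow_deletion": shadow, "service_stop_burst": hosts_with_service_stop_burst(STOP_EVENTS)}

if __name__ == "__main__":
    print(alerts())
```

The substring match on service names is deliberately loose and will also catch legitimate maintenance windows, so the burst detector is a triage signal to combine with the shadow-deletion hit, not a standalone verdict.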

Indicators of Compromise

  • [MD5] Money Message Windows Executable – 400fa5d02c1ac704cd290d959b725e67, abe3c3cc45dec9c01762ba3e534564ed
  • [SHA1] Money Message Windows Executable – 456e5cb1739cb5f29020d1a692289a5af07ce90d, 3b4ecff980285461642cc4aef60d4a1b9708453e
  • [SHA256] Money Message Windows Executable – dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac, 4f8bd37851b772ee91ba54b8fd48304a6520d49ea4a81d751570ea67ef0a9904

Read more: https://blog.cyble.com/2023/04/06/demystifying-money-message-ransomware/