Money Ransomware: The Latest Double Extortion Group – Yoroi

Money Ransomware uses a double extortion model, encrypting data and exfiltrating sensitive information to threaten public release if the ransom isn’t paid. The article analyzes the Money Ransomware sample, detailing its configuration, infection flow, and network propagation techniques, including compromised credentials and access to remote shares. #MoneyRansomware #BangladeshNationalAirport

Keypoints

  • Money Ransomware employs a double extortion model: encrypts data and exfiltrates information to pressure victims.
  • The sample appears in early development stages, showing it can run with zero or one parameter; multiple parameters are unsupported.
  • The malware first creates a mutex on the host, then removes shadow copies (via vssadmin) to hinder recovery.
  • It kills a broad list of processes and stops certain services (including anti‑malware like Sophos) to facilitate encryption.
  • Encryption uses a combination of ECDH and ChaCha20, with a technique to locate the file footer to avoid double‑encryption.
  • Propagation includes network movement by enumerating connected devices and using WNetAddConnection2W with compromised credentials to access remote shares.
  • The configuration file provides extensive parameters (directories to encrypt/skip, domains/passwords, processes/services to kill), signaling victim‑specific customization.

MITRE Techniques

  • [T1021.002] SMB/Windows Admin Shares – Lateral movement via Windows network shares using compromised credentials; “WNetAddConnection2W is a Windows API function that allows a program to connect to network resources, such as shared drives or printers, by establishing a network connection.”
  • [T1041] Exfiltration – Data exfiltration prior to encryption to threaten disclosure; “exfiltrate sensitive information from the victim’s system prior to encryption. The malicious actor subsequently issues a warning to publicize the purloined data unless the ransom is paid.”
  • [T1490] Inhibit System Recovery – Removal of shadow copies to impede recovery; “Money Ransomware removes the shadow copies by executing vssadmin, but before doing that, it disables the redirection to WOW64 directory.”
  • [T1562.001] Disable or Modify Tools – Targeting defenses by stopping security tools (e.g., Sophos) to facilitate encryption; “not only are system utilities targeted, but also anti-malware software, such as Sophos.”
  • [T1486] Data Encrypted for Impact – Encryption phase using strong crypto; “the ransomware employs a combination of the Elliptic Curve Diffie-Hellman (ECDH) and ChaCha20 algorithms. By doing so, the malware effectively harnesses the robust asymmetric encryption capabilities provided by ECDH, along with the high performance of ChaCha20, to swiftly encrypt all files within the victim’s machine.”
  • [T1018] Remote System Discovery – Network propagation by enumerating connected devices; “The first one is to iterate and inside all the connected devices of the machine.”
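The shadow-copy deletion (T1490) and security-service stopping (T1562.001) described in the keypoints are both visible in process-creation telemetry. The following detection logic, written here as an added defender-side example and not taken from the Yoroi article or the sample, scans constructed Sysmon Event ID 1 style records (field names and the parent image name are assumptions) and groups hits by parent process so that one process chaining both behaviours stands out.

```python
import re

# Constructed process-creation records in a Sysmon Event ID 1 style; the field
# names and the parent image "dropper.exe" are assumptions for this example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet",
     "ParentImage": r"C:\Users\victim\Downloads\dropper.exe"},
    {"Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net stop "Sophos Anti-Virus"',
     "ParentImage": r"C:\Users\victim\Downloads\dropper.exe"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin list shadows",          # benign: only lists
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc stop Spooler",                 # benign: not a security service
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Sophos is named on the page; the other hints are assumed examples of the same class.
SECURITY_SERVICE_HINTS = ("sophos", "defender", "windefend", "sense")

SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)
SERVICE_STOP = re.compile(
    r'^(?:net1?(?:\.exe)?\s+stop|sc(?:\.exe)?\s+stop)\s+"?([^"]+)"?', re.I)


def classify(event):
    """Return a list of (technique, reason) findings for one process event."""
    cmd = event.get("CommandLine", "").strip()
    findings = []
    # T1490: match on the command line rather than the image path, because the
    # sample disables WOW64 redirection and so may launch the System32 binary
    # instead of the SysWOW64 one.
    if SHADOW_DELETE.search(cmd):
        findings.append(("T1490", "shadow copy deletion via vssadmin"))
    m = SERVICE_STOP.match(cmd)
    if m and any(h in m.group(1).lower() for h in SECURITY_SERVICE_HINTS):
        findings.append(("T1562.001", f"security service stopped: {m.group(1)}"))
    return findings


def scan(events):
    """Group findings by parent image; a parent with both T1490 and T1562.001
    hits is the pattern worth alerting on."""
    by_parent = {}
    for ev in events:
        for finding in classify(ev):
            by_parent.setdefault(ev["ParentImage"], []).append(finding)
    return by_parent
```

Service stops performed through the Service Control Manager API rather than a command line will not appear here; those are better caught from System log service-state events.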

Indicators of Compromise

  • [Hash] Hash – bbdac308d2b15a4724de7919bf8e9ffa713dea60ae3a482417c44c60012a654b

Read more: https://yoroi.company/research/money-ransomware-the-latest-double-extortion-group/