In recent years an alarming number of ransomware groups have sprung up on the threat landscape, like mushrooms after rain.
In recent months an emerging ransomware group called 'Money Message' has appeared. The group targets victims worldwide and demands ransoms of up to a million dollars in exchange for not releasing confidential data. In addition to a Chinese airline with annual revenue of approximately $1 billion, there have been at least two other victims of the group's activities. As proof of the claim that it stole data from the airline, the group provided a screenshot of the accessed file system. Since then, five more successful ransomware attacks have been reported, the latest on April 4.
Money Message currently lists two victims on its leak site: an Asian airline with over $1 billion in assets and an unnamed vendor of personal computer hardware. The ransomware encryptor is written in C++ and contains a JSON configuration file embedded in the code. This configuration determines how the encryption process runs on the victim's device.
The configuration file specifies which folders are excluded from encryption, what extension should be appended to encrypted files, which services and processes should be terminated, whether logging is enabled, and the domain login names and passwords that would likely be used to encrypt other devices on the network.
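As an added example for analysts (not code from the original article or from any Money Message sample), the following Python helper locates a JSON object embedded in a binary blob and summarizes the kinds of settings described above. The field names and the sample blob are assumptions constructed for this demonstration; the article describes only the categories of settings, not the real keys.

```python
import json
# Constructed sample: junk bytes around an embedded JSON config. The key names
# are assumptions for this example; the page describes only the setting kinds.
SAMPLE_BINARY = b"MZ\x90\x00\xffjunk\x00" + json.dumps({
    "skip_directories": ["C:\\Windows", "C:\\Program Files"],
    "append_extension": "",
    "services_to_stop": ["vss", "sql"],
    "processes_to_kill": ["sqlservr.exe", "outlook.exe"],
    "logging": True,
    "domain_login": "corp\\admin",
    "domain_password": "hunter2",
}).encode() + b"\x00more junk\xff"


def extract_json_objects(blob: bytes) -> list:
    """Return every balanced {...} span in blob that parses as JSON."""
    # Brace matching ignores braces inside strings, so a candidate that
    # fails to parse is skipped rather than mistaken for the config.
    found, i = [], 0
    while i < len(blob):
        if blob[i:i + 1] != b"{":
            i += 1
            continue
        depth, end = 0, None
        for j in range(i, len(blob)):
            depth += {b"{": 1, b"}": -1}.get(blob[j:j + 1], 0)
            if depth == 0:
                end = j
                break
        try:
            found.append(json.loads(blob[i:end + 1].decode("utf-8")))
            i = end + 1  # continue after the object just parsed
        except (TypeError, UnicodeDecodeError, ValueError):
            i += 1  # unbalanced or not JSON; keep scanning
    return found


def summarize_config(cfg: dict) -> dict:
    """Defender-facing view: what is spared, stopped and killed; credential values are never echoed."""
    return {
        "excluded_dirs": cfg.get("skip_directories", []),
        "append_extension": cfg.get("append_extension", ""),
        "services_stopped": cfg.get("services_to_stop", []),
        "processes_killed": cfg.get("processes_to_kill", []),
        "logging_enabled": bool(cfg.get("logging", False)),
        "credential_fields": [k for k in ("domain_login", "domain_password") if cfg.get(k)],
    }


def find_config(blob: bytes) -> dict:
    hits = [o for o in extract_json_objects(blob) if isinstance(o, dict) and "processes_to_kill" in o]
    return summarize_config(hits[0]) if hits else {}
```

The lists of stopped services and killed processes are the parts worth feeding into endpoint detection rules, and any credential fields found indicate accounts that should be rotated.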
The victim can contact the threat actors via a link provided in the ransom note, which leads to a Tor negotiation site. Although the Money Message encryptor is not especially advanced, it still encrypts devices and steals data. By default no extension is appended to encrypted files, but this can be changed per victim. According to Rivitna, a security researcher who has worked on encrypted files for more than a decade, the encryptor uses ChaCha20 and ECDH.
In its latest posting, Money Message has also played up the drama: the gang has put a countdown timer on its website that reportedly counts down to the moment it reveals the target and publishes the stolen data.
After encrypting the device, the ransomware creates a ransom note titled 'money_message.log' containing a link used to negotiate with the threat actors. We will explore this further on.
In addition, if the ransom is not paid, the stolen information is published on the group's data leak site.
After three days, Money Message published a document containing travelers' information.
Additionally, an insurance company in the United States and a distributor of iron and glass products were affected. Money Message has extorted large sums from its victims, and when a ransom was not paid, the exfiltrated data was made public.
Although Money Message does not appear to be a sophisticated malware threat, it is still a serious threat to businesses: it targets them, steals their data, and extorts them for money.
The growing number of ransomware groups emerging highlights that organizations face more threats each day. Take measures to protect your privacy by implementing proper security controls.