A new ransomware gang named ‘Money Message’ has emerged, targeting victims worldwide and demanding million-dollar ransoms not to leak data and release a decryptor.
Money Message lists two victims on its extortion site, including an Asian airline with annual revenue of almost $1 billion, and claims to have stolen files from the company, including a screenshot of the accessed file system as proof of the breach.
The ransomware uses ChaCha20/ECDH encryption when encrypting files, and it will not append any extension, although this can change depending on the victim.
The ransomware also deletes Shadow Volume Copies when launched. During tests, the encryption process was slow compared to other encryptors.
After encrypting the device, the ransomware creates a ransom note named money_message.log that contains a link to a TOR negotiation site used to negotiate with the threat actors.
The ransomware warns that it will publish any stolen data on its data leak site if a ransom is not paid.
Although the encryptor used by the group does not appear sophisticated, it has been confirmed that the operation is successfully stealing data and encrypting devices during their attacks. The emergence of the Money Message ransomware group poses an additional threat that organizations need to watch out for, and experts will analyze the ransomware for any weaknesses in the encryption.
Overall, the emergence of the Money Message ransomware highlights the need for organizations to take cybersecurity seriously and implement appropriate measures to protect their systems and data. Vigilance and awareness are crucial, and employees should receive regular training to help them identify and avoid potential threats.
Additionally, having a robust backup and recovery plan can help organizations to quickly recover their data and systems in the event of a ransomware attack.
