Step-by-step through the Money Message ransomware – Sophos News


In August 2023, the Sophos X-Ops Incident Response team was engaged to help a company in Australia infected with Money Message ransomware. This attack vector, known for its stealth, doesn't append any file extensions to the encrypted data, making it harder for victims to identify the encrypted files simply by recognizing such extensions.

In this post, we'll take a look at the incident attack flow, illustrating how threat actors are deploying the Money Message ransomware and what measures can counter attacker efforts at various points along the MITRE ATT&CK chain.

Make a note of it

As part of its routine, the ransomware drops a ransom note named "money_message.log" directly into the root directory of the C: drive.

The ransom note on the target's system read as follows:

Your files was encrypted by "Money message" profitable group and can't be accessed anymore.

If you pay ransom, you will get a decryptor to decrypt them. Don't try to decrypt files yourself – in that case they will be damaged and unrecoverable.

For further negotiations open this <redacted>.onion/<redacted>

using tor browser https://www.torproject.org/download/

If you refuse to pay, we will post the files we stole from your internal network, in our blog:


Encrypted files can't be decrypted without our decryption software.


Attack Flow Details

Initial Access

Our investigation indicates that the attacker gained initial access via the target's VPN, which was using single-factor authentication. This is an example of MITRE's T1078 – Valid Accounts technique.


Implementing multifactor authentication (MFA) for VPN connections is paramount to enhance security and thwart potential unauthorized access. Moreover, continuous monitoring of VPN logs and user activity should be in place to promptly detect any suspicious login attempts or anomalies. Upgrading to a more robust and layered authentication approach, such as MFA, is essential to bolster the first line of defense against potential threat actors seeking to exploit single-factor weaknesses and gain unauthorized VPN access.

Defense Evasion

The threat actor deployed a GPO policy to disable Windows Defender real-time protection. This is an example of MITRE's T1562.001: Impair Defenses: Disable or Modify Tools sub-technique.

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender] DisableAntiSpyware: [REG_DWORD_LE] 1
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-time Protection] DisableRealtimeMonitoring: [REG_DWORD_LE] 1


The first line of defense available to organizations is to use a security agent that has strong tamper protection. In terms of monitoring for this activity, these registry values are detection-ready event sources. While it's possible a system administrator would disable these protections (at least temporarily) during troubleshooting, given the risk of this activity, it's something that should be investigated promptly if a corresponding support ticket isn't found.

Lateral Movement

The threat actor leveraged psexec to run a batch script with the intention of enabling the RDP port, subsequently using Remote Desktop Protocol (RDP) to traverse the network. This is an example of MITRE's T1021.001: Remote Services: Remote Desktop Protocol sub-technique. RDP is a common finding in cases handled by Incident Response, as shown by our findings from IR cases handled during the first half of 2023.

A pie chart showing percentages of RDP abuse seen in cases handled by Sophos X-Ops' IR team during the first half of 2023. Internal findings = 78%; internal and external = 17%; external-only = 1%. No RDP abuse was observed in 4% of cases.

Figure 1: RDP abuse detections in IR cases for the first half of 2023

The batch script contents are as follows:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
netsh advfirewall firewall add rule name="Open Remote Desktop" protocol=TCP dir=in localport=3389 action=allow


Securing RDP access can be difficult for many companies, but it's a project worthy of investment. The first item to check off the list is to restrict, by role, which accounts can access other systems using RDP. The vast majority of users don't need this access. Secondly, adopting a centralized jump server, which only admins can access with MFA, and blocking other system-to-system RDP at the network level is a strong preventative control. Lastly, a detection should be in place to promptly review anomalous RDP connections and deconflict them with approved system administration activity.
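The registry values from the Defense Evasion section and the RDP-enabling script above are the kind of detection-ready telemetry the text recommends watching. The following is an added example (not Sophos code) that triages constructed Sysmon-style registry-set and process-creation records against those indicators and tags each hit with its ATT&CK technique; the event shape and hostnames are assumptions.

```python
import re

# Registry values the article shows the attacker setting: (suspicious data, ATT&CK ID),
# matched as lower-cased suffixes of a Sysmon Event ID 13 (value set) TargetObject.
WATCHED_VALUES = {
    r"\windows defender\disableantispyware": ("1", "T1562.001"),
    r"\windows defender\real-time protection\disablerealtimemonitoring": ("1", "T1562.001"),
    r"\control\terminal server\fdenytsconnections": ("0", "T1021.001"),
}
# Command lines from the article's RDP script and the RemoteRegistry start seen with
# the SAM dump (a weak signal on its own; correlate it with the other hits).
WATCHED_COMMANDS = [
    (re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule.*localport=3389.*action=allow", re.I), "T1021.001"),
    (re.compile(r"svchost\.exe\s+-k\s+localService\s+-p\s+-s\s+RemoteRegistry", re.I), "T1003.002"),
]

def classify_registry_event(target_object, details):
    """Technique ID if a watched value was set to its suspicious data, else None.
    Sysmon renders DWORD data as 'DWORD (0x00000001)'; the hex is normalised."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    data = str(int(m.group(1), 16)) if m else details.strip()
    for suffix, (bad_data, technique) in WATCHED_VALUES.items():
        if target_object.lower().endswith(suffix) and data == bad_data:
            return technique
    return None

def classify_process_event(command_line):
    """Technique ID if the command line matches a watched pattern, else None."""
    return next((t for p, t in WATCHED_COMMANDS if p.search(command_line)), None)

def triage(events):
    """events: dicts with type 'registry' (target, details) or 'process' (cmdline).
    Returns (host, technique, evidence) tuples to reconcile against change tickets."""
    hits = []
    for ev in events:
        if ev["type"] == "registry":
            technique, evidence = classify_registry_event(ev["target"], ev["details"]), ev["target"]
        else:
            technique, evidence = classify_process_event(ev["cmdline"]), ev["cmdline"]
        if technique:
            hits.append((ev["host"], technique, evidence))
    return hits

# Constructed sample telemetry modelled on the article's indicators (not real logs).
HKLM_WD = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
HKLM_TS = r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "registry", "target": HKLM_WD + r"\DisableAntiSpyware", "details": "DWORD (0x00000001)"},
    {"host": "ws01", "type": "registry", "target": HKLM_WD + r"\Real-Time Protection\DisableRealtimeMonitoring", "details": "DWORD (0x00000001)"},
    {"host": "srv02", "type": "registry", "target": HKLM_TS + r"\fDenyTSConnections", "details": "DWORD (0x00000000)"},
    {"host": "srv02", "type": "process", "cmdline": 'netsh advfirewall firewall add rule name="Open Remote Desktop" protocol=TCP dir=in localport=3389 action=allow'},
    {"host": "srv02", "type": "process", "cmdline": r"C:\WINDOWS\system32\svchost.exe -k localService -p -s RemoteRegistry"},
]
```

Setting fDenyTSConnections to 1 (RDP being turned off) is deliberately not flagged, so the rule keys on the direction of the change rather than on any write to the key.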

Credential Access

The threat actor, using secretsdump.py (part of the Impacket toolkit), retrieved the SAM registry hive. This is an example of one method of executing MITRE's T1003.002: OS Credential Dumping: Security Account Manager sub-technique.

C:\WINDOWS\system32\svchost.exe -k localService -p -s RemoteRegistry


It's crucial for organizations to prioritize the safeguarding of sensitive credentials. Implementing strong access controls, employing robust endpoint detection and response solutions, and monitoring for any suspicious activity related to SAM hive access are essential steps. Any unauthorized attempts to access or manipulate this critical system component should be promptly investigated, as they may indicate a breach or malicious activity that could compromise the security of sensitive credentials.

Collection

A confirmed compromised account was used to access sensitive folders like Finance, Payroll, SalesReport and HR on the file server. MITRE lists 37 sub- and sub-sub-techniques under TA0009: Collection.


Usually by the time a threat actor is staging data, it's too late for a good security outcome. A sound approach to preventing theft of data is to adopt least-privilege access, which means ensuring only the necessary people have access, followed by granular controls on exporting, sharing, or moving the files. DLP solutions, while having a history of being difficult to implement and maintain, are worth evaluating for high-risk data.

Exfiltration

The threat actor leveraged MEGAsync to exfiltrate the data. This is an example of MITRE's T1567.002: Exfiltration Over Web Service: Exfiltration to Cloud Storage.

UserAssist entry: 87 Value name: C:\Users\<redacted>\AppData\Local\Temp\6\MEGAsyncSetup32.exe

Count: 1

User "<redacted>" registered Task Scheduler task "MEGA\MEGAsync Update Task S-1-5-21-<redacted>"


Organizations should focus on enhancing data loss prevention measures and network monitoring. Implementing robust outbound traffic analysis and content inspection can help identify and block suspicious data transfers. Additionally, closely monitoring MEGAsync activity and detecting any unusual or unauthorized data transfers can be vital in mitigating data breaches. Rapidly investigate and respond to any indicators of unauthorized exfiltration to prevent potential data compromise and minimize the impact on data confidentiality.

Impact

The threat actor leveraged two ransomware binaries, one for the Windows environment and one for the Linux environment. The Windows version is named windows.exe, and is detected as Troj/Ransom-GWD by Sophos. This is an example of MITRE's T1486: Data Encrypted for Impact.

  • The Money Message encryptor is written in C++ and includes an embedded JSON configuration file which contains some key details like what folders to exclude from encryption, what extension to append, what services and processes to terminate, and domain login names and passwords possibly used to encrypt other devices.
  • The encryptor uses the ChaCha Quarter Round algorithm and ECDH encryption.
  • The ransomware creates the C:\money_message.log ransom note when complete.
  • On endpoints protected with Sophos, the following detection is triggered:

Malware detected: 'Troj/Ransom-GWD' at 'C:\Users\<redacted>\AppData\Local\Temp\6\windows.exe'

The Linux variant is named 'esxi'. Upon execution it will delete all the virtual hard disks. This is an example of MITRE's T1561: Disk Wipe.

Commands executed on the ESXi host:

cd /tmp/ 
chmod 777 esxi 


As mentioned earlier, at this late stage in the attack, having full coverage on all systems with a properly configured XDR solution is essential to protect organizations from ransomware. In the case of Sophos, it's important for customers to have their CryptoGuard policy activated, which is something support can guide customers on.


The Money Message attackers' path to exfiltration conforms to a fairly typical MITRE ATT&CK chain, as we have shown above. Though this particular attacker tries to muddy the waters for defenders, good defense – especially in the early stages – can provide an effective toolkit against bad outcomes.


