Demystifying Money Message Ransomware

Demystifying Money Message Ransomware 

Money Message Ransomware Suspected to be Leveraging Stealer Logs

Cyble Research and Intelligence Labs (CRIL) came across a new ransomware group named Money Message. Money Message can encrypt network shares and targets both Windows and Linux operating systems. Upon analyzing Money Message binaries, we noticed a similarity: they contained admin credentials in the configuration, which were then used to target network resources. Based on this, we suspect the threat actors (TA)s might be leveraging stealer logs in their operation.  

The group utilizes a double extortion technique to target its victims, which involves exfiltrating the victim’s data before encrypting it. The group uploads the data on their leak site if the ransom is unpaid.  

Money Message was first observed in March 2023 and has already affected more than five publicly disclosed victims, with the majority of them being from the United States. The victims belong to different industries, including BFSI, Transportation and Logistics, and Professional Services. 

Figure 1 – Money Message Victim’s Distribution 

Among the victims of Money Message are also a few companies worth billions of dollars. The leak site of Money Message ransomware is displayed in the figure below.  

Figure 2 – Leak Site 

Technical Analysis

The Money Message ransomware binary (SHA256: dc563953f845fb88c6375b3e9311ebed49ce4bcd613f7044989304c8de384dac) is a 32-bit executable compiled in c/c++.  

The figure below shows the file details.  

Figure 3 – File Details 

Config Extraction

Upon execution, the ransomware retrieves its configuration settings from the overlay of the ransomware binary. The configuration details are appended to the end of the file at the offset 0XBF000. The configuration contains various parameters, including a ransom note encoded in Base64 format and other settings that determine the ransomware’s behavior during the execution. The following parameters are present in the configuration: 

  • info_text_message 
  • mutex_name 
  • extensions 
  • skip_directories 
  • network_public_key 
  • network_private_key 
  • processes_to_kill 
  • logging 
  • domain_login 
  • domain_password 
  • crypt_only_these_directories 
  • temporary_extension 

The below figure shows the configuration Details of the ransomware. 

Figure 4 – Configuration Details 


Afterward, the ransomware creates a mutex using the CreateMutexA() method, with the name “12345-12345-12235-12354”, which it retrieves from the configuration.  

The figure below illustrates the process of mutex creation by ransomware.  

Figure 5 – Creates Mutex 

Now it stops the services present in the configuration file. It first opens the Service Control Manager (SCM) by calling OpenSCManagerW() function. It then calls EnumServicesStatusExW() function to enumerate all the services and their status. If any of the services present in the configuration are found to be running, the ransomware stops them using CloseServiceHandle() function 

The ransomware binary stops the following services: 

vss memtas Veeam 
sql mepocs Backup 
svc$ Sophos Vmms 

The figure below shows the function responsible for killing services.  

Figure 6 – Kills Services 

Next, the ransomware captures a list of the actively running processes on the victim’s machine by utilizing the CreateToolhelp32Snapshot() function, and then iterates through each process using the Process32FirstW() and Process32NextW() functions. The ransomware then compares the name of each process with the process list specified in its configuration file. If a match is found, the ransomware terminates the process using the TerminateProcess() function. This ransomware terminates the following process. 

sql.exe sqbcoreservice.exe mydesktopservice.exe steam.exe 
oracle.exe excel.exe ocautoupds.exe thebat.exe 
ocssd.exe infopath.exe encsvc.exe thunderbird.exe 
dbsnmp.exe msaccess.exe firefox.exe visio.exe 
synctime.exe mspub.exe tbirdconfig.exe winword.exe 
agntsvc.exe onenote.exe mdesktopqos.exe wordpad.exe 
isqlplussvc.exe outlook.exe ocomm.exe vmms.exe 
xfssvccon.exe powerpnt.exe dbeng50.exe vmwp.exe 

The figure below shows the functions used to identify and terminate processes. 

Figure 7 – Terminates Process  

Now this ransomware uses ShellExecuteW() function to execute the “vssadmin.exe delete shadows /all /quiet” command, which deletes all Volume Shadow Copy Service (VSS) snapshots on the system without prompting for confirmation.  

The figure below shows the command used by ransomware to delete the shadow copies.  

Figure 8 – Deletes Shadow Copies 

Afterward, the ransomware scans all the available drive letters on the system, starting from A to Z. It uses the GetDriveTypeW() function to identify the type of drive connected to each letter, including fixed, removable, or network drives.  

The figure below shows the part of the ransomware code responsible for identifying the drives on the victim’s machines.  

Figure 9 – Identifies Drive 

Now it fetches the list of file extensions to exclude from the encryption process. The configuration in this ransomware binary has no values for the extension parameter, indicating that the ransomware will encrypt all the files.  

It also fetches the following list of directories from the configuration, which will be excluded from the encryption process.  

C:\\msocache C:\\program files (x86) 
C:\\$windows.~ws C:\\program files 
C:\\system volume information C:\\$windows.~bt 
C:\\perflogs C:\\windows 
C:\\programdata C:\\windows.old 

The Money message ransomware initiates its encryption process now. It uses the Elliptic Curve Diffie-Hellman (ECDH) key exchange and ChaCha stream cipher algorithm to encrypt data on a victim’s system and demand a ransom for its release.  

The figure below shows the cryptographic algorithms present in the binary.  

Figure 10 – Encryption Algorithm 

Like other ransomware groups, this ransomware does not rename the file after encryption. The figure below shows the encrypted file.  

Figure 11 – Encrypted File 

This ransomware fetches the base64 encoded ransom note from the configuration and then decodes it. It creates a file named money_message.log for writing the ransom note. This note contains the instructions given by the TA.  

Figure 12 – Ransom Note 

Lateral Movement 

The Money Message ransomware tries to access administrative network shares by calling WNetAddConnection2W() with admin authentication credentials present in the configuration. Once it has gained access to the network using these credentials, the ransomware begins encrypting files in the network shares.  

The figure below shows the process used by ransomware to encrypt the network shares.  

Figure 13 – Lateral Movement 


Money Message is a newly discovered ransomware strain that has victims worldwide. In a specific instance, the group demanded a ransom of USD 500,000, which may vary depending on the targeted organization’s revenue. Additionally, Money Message is capable of encrypting network shares, and its approach to target network shares resembles that of the Maze and Petya ransomware. The fact that the group has already targeted several high-profile organizations, including billion-dollar companies, further highlights the impact of this ransomware. As such, organizations must remain vigilant and take necessary precautions to prevent falling victim to such attacks. 

Our Recommendations


We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network.  
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.  
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile.  
  • Refrain from opening untrusted links and email attachments without verifying their authenticity.  

Users Should Take the Following Steps After the Ransomware Attack

  • Detach infected devices on the same network.  
  • Disconnect external storage devices if connected.  
  • Inspect system logs for suspicious events.  

Impact And Cruciality of Ransomware

  • Loss of valuable data.  
  • Loss of the organization’s reputation and integrity.  
  • Loss of the organization’s sensitive business information.  
  • Disruption in organization operation.  
  • Monetary loss.  


MITRE ATT&CK® Techniques  

Tactic  Technique ID  Technique Name  
Execution  T1204    User Execution  
Defense Evasion  T1140  
Deobfuscate/Decode Files or Information  
Impair Defences  
Discovery  T1007 
System Service Discovery 
File and Directory Discovery  
Network Share Discovery 
Lateral Movement T1021 Remote Services 
Impact  T1486  
Data Encrypted for Impact  
Inhibit System Recovery 


Indicators of Compromise (IOCs)

Indicators  Indicator Type  Description  
Money Message Windows Executable 
Money Message Linux Executable  
Money Message Windows Executable 

Yara Rules

rule Win32_Rasomoney_message 


        description    = “this rule detects money message windows executable” 


$a= “TW9uZXkgbWVzc2FnZQ” 

$b= “network_public_key” 

$c= “network_private_key” 

$e= “YmxvZ3ZsN3RqeWp2c2Z0aG9idHR6ZTUydzM2d3dpejM0aHJmY21vcmd2ZHpiNmhpa3VjYjdhcWQub25pb24” 


uint16(0) == 0x5A4D and 

($a and $e and $b and $c) 

Comments are closed.

Scroll to Top