On 12 Aug 2021, Heimdal Security researchers published the blog post “DeepBlueMagic Ransomware Strain Discovered by Heimdal™ — New Ransomware, New Method”.
On 21 Apr 2020, LIFARS security researchers published the blog post “APT41 — A spy who steals or a thief who spies”.
Both posts most likely describe the same ransomware variant. However, Heimdal did not publish any IoCs, so there is no way to analyse the sample and prove my hypothesis.
Notable common behaviour:
1. Use of a legitimate third-party disk encryption tool, Jetico BestCrypt, instead of custom encryption code
2. The system drive (C:\) is left unencrypted; only data volumes are encrypted
3. Similar ransom notes
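The three points above translate directly into a hunt: a signed disk-encryption product from a vendor the organisation does not use, followed by data volumes going encrypted while C: stays clear. The script below is an added example written for this post, not code from Heimdal, LIFARS or Jetico. It runs detection logic over constructed telemetry: the process-creation fields (Image, Company, Product, User) follow Sysmon Event ID 1, the "VolumeStatus" event is a hypothetical agent feed, and the image paths, host names and users are placeholders rather than IoCs. It keys on PE metadata (Company/Product) rather than the file name so a renamed binary is still caught, and it takes an allowlist for hosts where BestCrypt is sanctioned, since a legitimate install will otherwise trip the same logic.

```python
"""Hunt for the behaviour the two reports share: a legitimate disk-encryption
tool (Jetico BestCrypt) is executed on a host, then data volumes are encrypted
while the system drive (C:) is left alone.

All events are constructed for illustration and are not IoCs from either
report. Process fields mimic Sysmon Event ID 1; "VolumeStatus" is a
hypothetical agent feed; paths, hosts and users are placeholders.
"""
import json
from collections import defaultdict

# Constructed sample telemetry, newline-delimited JSON. manage-bde.exe on WS03
# is a benign BitLocker example that must NOT match.
SAMPLE_EVENTS = r"""
{"host": "WS01", "type": "ProcessCreate", "Image": "C:\\Program Files\\Jetico\\BestCrypt Volume Encryption\\bcve.exe", "Company": "Jetico", "Product": "BestCrypt Volume Encryption", "User": "CORP\\svc-backup"}
{"host": "WS01", "type": "VolumeStatus", "Volume": "C:", "Encrypted": false}
{"host": "WS01", "type": "VolumeStatus", "Volume": "D:", "Encrypted": true}
{"host": "WS01", "type": "VolumeStatus", "Volume": "E:", "Encrypted": true}
{"host": "FS02", "type": "ProcessCreate", "Image": "C:\\Program Files\\Jetico\\BestCrypt Volume Encryption\\bcve.exe", "Company": "Jetico", "Product": "BestCrypt Volume Encryption", "User": "CORP\\itadmin"}
{"host": "FS02", "type": "VolumeStatus", "Volume": "C:", "Encrypted": true}
{"host": "FS02", "type": "VolumeStatus", "Volume": "D:", "Encrypted": true}
{"host": "WS03", "type": "ProcessCreate", "Image": "C:\\Windows\\System32\\manage-bde.exe", "Company": "Microsoft Corporation", "Product": "Microsoft Windows", "User": "CORP\\itadmin"}
{"host": "WS03", "type": "VolumeStatus", "Volume": "C:", "Encrypted": false}
{"host": "WS03", "type": "VolumeStatus", "Volume": "D:", "Encrypted": true}
{"host": "LAPTOP7", "type": "ProcessCreate", "Image": "C:\\Program Files\\Jetico\\BestCrypt Volume Encryption\\bcve.exe", "Company": "Jetico", "Product": "BestCrypt Volume Encryption", "User": "CORP\\alice"}
{"host": "LAPTOP7", "type": "VolumeStatus", "Volume": "C:", "Encrypted": false}
{"host": "LAPTOP7", "type": "VolumeStatus", "Volume": "D:", "Encrypted": true}
"""

# Match on PE metadata strings, not on the executable name.
DISK_ENCRYPTION_MARKERS = ("jetico", "bestcrypt")
SYSTEM_VOLUME = "C:"


def parse_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_disk_encryption_tool(event):
    """True for process-creation events whose Company/Product/Description
    metadata names the vendor or product, regardless of the image path."""
    if event.get("type") != "ProcessCreate":
        return False
    meta = " ".join(str(event.get(k, "")) for k in ("Company", "Product", "Description")).lower()
    return any(marker in meta for marker in DISK_ENCRYPTION_MARKERS)


def hunt(events, sanctioned_hosts=frozenset()):
    """Return {host: finding} for hosts matching the full pattern:
    the tool ran, at least one non-system volume is encrypted, and the
    system volume is not. A host with no C: status reported is treated as
    unencrypted (conservative: it still alerts). Sanctioned hosts are skipped."""
    tool_runs = defaultdict(list)
    volumes = defaultdict(dict)
    for ev in events:
        host = ev["host"]
        if is_disk_encryption_tool(ev):
            tool_runs[host].append(ev)
        elif ev.get("type") == "VolumeStatus":
            volumes[host][ev["Volume"]] = bool(ev["Encrypted"])

    findings = {}
    for host, runs in tool_runs.items():
        if host in sanctioned_hosts:
            continue
        vols = volumes.get(host, {})
        encrypted_data = sorted(v for v, enc in vols.items() if enc and v != SYSTEM_VOLUME)
        if encrypted_data and not vols.get(SYSTEM_VOLUME, False):
            findings[host] = {
                "users": sorted({r.get("User", "?") for r in runs}),
                "encrypted_volumes": encrypted_data,
                "system_volume_encrypted": False,
            }
    return findings


if __name__ == "__main__":
    # LAPTOP7 is a user with a sanctioned BestCrypt install; only WS01 should alert.
    for host, finding in hunt(parse_events(SAMPLE_EVENTS), sanctioned_hosts={"LAPTOP7"}).items():
        print(f"{host}: {finding}")
```

FS02 does not alert because its C: volume is encrypted too, which is what a genuine full-disk deployment of the product looks like; the "C: untouched, data volumes encrypted" shape is the distinguishing signal the two reports describe. In a real estate, feed the volume state from whatever the EDR or the `manage-bde`/WMI inventory reports, and review which account launched the tool: a service or backup account running a disk-encryption product is rarely expected.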
Ransom note published by Heimdal Security:
Ransom note published by LIFARS:
References:
LIFARS, “APT41 — The spy who encrypted me” (case study): https://lifars.com/wp-content/uploads/2020/04/APT41-the-spy-who-encrypted-me-case-study.pdf
Heimdal Security, “DeepBlueMagic Ransomware Strain Discovered by Heimdal™ — New Ransomware, New Method”: https://heimdalsecurity.com/blog/deepbluemagic-new-ransomware-discovered/