DeepBlueMagic: New ransomware causes failures in municipalities

McAfee gives tips on how to protect against ransomware


The massive cyber attack on Schwerin in mid-October clearly shows the severity of the current threat situation in Germany. In this incident, the municipal IT systems of Schwerin and of the district of Ludwigslust-Parchim fell victim to the malware “DeepBlueMagic”. It is not an isolated case: threat actors have already used this malware in similar incidents elsewhere in Germany, according to a spokesman for the Rostock public prosecutor’s office, which is leading the investigation.

According to dpa reports, the victims initially received e-mails informing them that their data had been encrypted and that they would have to contact the attackers by e-mail to get it back. Those affected did not comply with the demands, the spokesman for the public prosecutor’s office said.

During the attack, servers of the Schwerin IT and service company and of the Mecklenburg municipal service were partially encrypted by the malware. All systems were then shut down as a precaution, which paralyzed most citizen services in the state capital and in the neighbouring district of Ludwigslust-Parchim. Operations are still impaired.

The origin of the ransomware could be China

Matan Rudis, Head of Threat Intelligence at SentinelOne

“DeepBlueMagic apparently comes from China. Like several strains of ransomware in the past, it encrypts files using popular encryption tools such as BitLocker and BestCrypt, which users often trust and which they themselves use for encryption. For this reason, it is difficult to recognize it by a static signature,” says Matan Rudis, Head of Threat Intelligence at SentinelOne, on the background of the devastating attack on the municipal IT structures.

“The specific way this ransomware works – encrypting multiple drives in a short amount of time and running this encryption software with unusual registry keys – still offers opportunities for intelligent behavior detection. However, not much is known about the attack mechanisms and the way the virus spreads in the network. The attackers seem to have the opportunity to recover the files for a fee, but it is not certain whether this malware variant also steals data from the network before encryption.”
