Last month, researchers discovered a malicious .NET-based ransomware called Moisha, which is capable of highly targeted attacks. Based on reports, the threat actors, dubbed the PT MOISHA team, use a double extortion tactic: they steal the targeted data and then encrypt it.
According to the threat analysis, the ransomware first creates a global mutex to ensure that only a single instance of the malware runs on the targeted system during the encryption process. If the mutex already exists on the target, the malware halts its operation on that device.
Subsequently, the malware checks the victim's system against a list of services, such as malware scanners and backup services. Any service it finds is terminated so that it cannot prevent the malware from accessing files.
The ransomware then checks for a list of processes and terminates any that are running on the targeted device. Moisha also disables Microsoft Defender Antivirus real-time protection and deletes shadow copies using Vssadmin and PowerShell.
Moreover, the malware retrieves the available system drives, enumerates the files and folders within each identified drive, and starts a new sequence for the file encryption phase. Before encryption begins, however, the ransomware first drops the ransom note, produced by decoding a hardcoded Base64 string, into the folder.
Moisha ransomware adopts multiple encryption algorithms.
The researchers explained that Moisha ransomware employs the AES and RSA encryption algorithms together with a hardcoded, Base64-encoded RSA public key. The ransomware then checks whether the targeted file is smaller than 2 gigabytes; if it is, the ransomware uses its encryptor function, which is designed to make the encryption process quicker.
Moisha skips certain file names, directory names, and extensions during encryption. Once finished, the malware deletes itself via the PowerShell command line.
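The pre-encryption chain described above (service and process termination, Defender real-time protection disabled, shadow copies deleted with Vssadmin or PowerShell, self-deletion via PowerShell) is visible in ordinary process-creation telemetry. The following is an added defender-side example, not code from the report or from any vendor product: it classifies constructed process-creation events against that chain and flags only hosts showing several of the behaviours together, so a lone admin command does not fire. The field names `host` and `cmdline` and the sample events are assumptions.

```python
import re
from collections import defaultdict

# One rule per behaviour the report describes, as (label, pattern on the lowercased command line).
# Patterns are illustrative and intentionally loose; tune them against your own telemetry.
RULES = [
    ("service_stop",               re.compile(r"\b(net1?|sc)(\.exe)?\s+stop\b")),
    ("process_kill",               re.compile(r"(?:\btaskkill\b.*?/f|\bstop-process\b)")),
    ("defender_realtime_disabled", re.compile(r"set-mppreference.*disablerealtimemonitoring\s+(\$true|1)")),
    ("shadow_copy_deletion",       re.compile(r"\bvssadmin\b.*\bdelete\b.*\bshadows\b")),
    ("shadow_copy_deletion",       re.compile(r"win32_shadowcopy.*\b(delete|remove)\b")),
    ("self_delete_via_powershell", re.compile(r"powershell.*remove-item.*\.exe")),
]

def classify(event):
    """Return the sorted, de-duplicated behaviour labels matched by one event's command line."""
    cmd = event.get("cmdline", "").lower()
    return sorted({label for label, pattern in RULES if pattern.search(cmd)})

def correlate(events, min_techniques=2):
    """Group matched behaviours per host and flag hosts with at least min_techniques distinct ones.

    A single hit (an admin listing or deleting shadows, a helpdesk taskkill) is noise;
    several of the behaviours on one host in the same window is the signal.
    """
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]].update(classify(event))
    return {host: sorted(labels) for host, labels in per_host.items() if len(labels) >= min_techniques}

# Constructed sample telemetry (assumed field names 'host' and 'cmdline'), not real events.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws01", "cmdline": "powershell.exe -Command Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws01", "cmdline": "net stop BackupSvcPlaceholder"},   # placeholder service name
    {"host": "ws02", "cmdline": "vssadmin list shadows"},             # benign: listing, not deleting
    {"host": "ws03", "cmdline": "taskkill /F /IM notepad.exe"},       # single hit, below the threshold
]

if __name__ == "__main__":
    for host, labels in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(labels)}")
```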
Ransomware operators commonly leak or sell stolen data online, causing severe reputational damage to the compromised organisation. Targeted entities should therefore stay one step ahead of the techniques used by these threat actors to mitigate the damage of ransomware attacks.