Moisha is a .NET ransomware that was initially spotted in mid-August. Cyble Research Labs’ findings showed that the ransom note contained the name of an organization, indicating that the malware may have been developed as part of a highly targeted attack.
How does Moisha Ransomware work?
Moisha uses double-extortion techniques to force victims into paying the ransom. This technique enables it to exfiltrate and encrypt victim data.
Upon execution, the ransomware initially creates a global mutex to ensure that only one instance of the malware is present on the victim’s system at any given time. The malware terminates its execution if it detects another mutex already on the machine.
Next, the malware searches for other services that are often found in the system – such as backup services, malware-scanner services, etc. If any malware is detected in the system, the program will stop any services that would block access to the files. This step ensures that these services do not interfere with later encryptions.
After stopping the active processes, the ransomware checks for a list of processes and kills them if they run on the victim’s machine. The Moisha ransomware also disables the Microsoft Defender Antivirus’ real-time protection and deletes shadow copies using PowerShell and Vssadmin.
Next, the malware gets the available system and later enumerates the files and folders inside the identified system drive and starts a new thread for the file encryption process,
Before the encryption process begins, the ransomware drops a ransom note in the same folder with the file name, “!!!READ TO RECOVER YOUR DATA!!!.txt.” The malware generates the message by decoding hard-coded Base64 content.
Moisha Ransomware Encryption:
Moisha ransomware is a type of file-encrypting malware which uses the RSA and AES encryption algorithms. It also comes with a fixed hardcoded Base64 encoded RSA public key. The malware also checks whether the file size is less than 2 GB using the “OnItemArrived()” function. Based on the file size, it calls the encryptor function to perform file encryption faster.
The ransomware excludes some directory names, file names, and extensions during its encryption process. Once the victim’s system is infected, the malware spreads to other machines in that network. Finally, the ransomware deletes itself by using the PowerShell command line:
Moisha Ransomware Ransom Note:
In the ransom note, Moisha demands that victims contact the TAs to restore their encrypted files. The ransomware has compromised about 200 gigabytes of work-related files and source codes. The ransom note includes a bitcoin address, a Protonmail account, and a Moisha ID.