Attention: We have transitioned to a new AAD or Microsoft Entra ID from the week of May 20, 2024. In case your tenant requires admin consent, please refer to this document located at Overview of user and admin consent - Microsoft Entra ID | Microsoft Learn and grant access to App ID: 6ba09155-cb24-475b-b24f-b4e28fc74365 with graph permissions for Directory.Read.All and User.Read for continued access. While the app may appear unverified, you can confirm its legitimacy by verifying the App ID provided.
This ransomware encrypts the data on your disk and can stop you from using your device or accessing your data. It encrypts files, renders them inaccessible, and demands payment for the decryption key.
For more information about ransomware, read this article:
Keep your operating system and antivirus products up to date. Customers who have turned on automatic updates do not need to take additional action
Go to aka.ms/ransomwaresolutions for general information and frequently asked questions about ransomware, defense against ransomware, and ransomware incident response playbook.
Guidance for enterprise administrators and Microsoft 365 Defender customers
Ransomware more than often attacks enterprises than individuals. Following the below mitigation steps can help prevent ransomware attacks:
Keep backups so you can recover data affected by ransomware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
Turn on the following attack surface reduction rules to block or audit associated ransomware and human adversary activities. To assess the impact of these rules, deploy them in audit mode.
Block process creations originating from PsExec and WMI commands
Use advanced protection against ransomware
Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Utilize the Microsoft Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
Turn on tamper protection features to prevent attackers from stopping security services.
Educate end users about protecting personal and business information in social media, filtering unsolicited communication, identifying lures in spear-phishing email and watering holes, and reporting of reconnaissance attempts and other suspicious activity.
Threat behavior
1. The Moneybird ransomware enumerates logical drives and identifies the files it needs to encrypt. It then uses Windows Restart Manager to close application(s) that are still accessing the target files. This is a common technique observed in intrusions involving multiple ransomware variants including Conti, Babuk, Lockbit, and Royal.
2. Once access to target files is secured, the Moneybird payload uses the Libgcrypt library for encryption. Once encryption is complete, the ransomware will drop a text file MONEYBIRDREADME.txt on the root volume of every logical drive. The ransom notes advise victims to avoid tampering with encrypted files and instructs the victim to visit a specific URL.
4. Microsoft has also observed AMERICIUM operators returning to their web shell to exfiltrate .txt files from a compromised environment.
The encrypted files have an extension .mb. The encrypted files use GUID, which maybe required to decrypt the files.
See sample images:
Prevention
There is no one-size-fits-all response if you have been targeted by ransomware. To recover files, you can restore backups. There is no guarantee that paying the ransom will give you access to your files.
Microsoft Defender Antivirus automatically removes threats as they are detected. If you have cloud-delivered protection, your device gets the latest defences against new and unknown threats. If you don't have this feature enabled, update your antimalware definitions and run a full scan to remove this threat.
Immediately isolate the affected device, and any additional device with Moneybird ransomware-related alerts. If Moneybird ransomware has been launched, it is likely that the device is under complete attacker control
Identify the accounts that have been used on the affected device and consider these accounts compromised. Reset passwords or decommission the accounts
Investigate how the affected endpoint might have been compromised. Check for the presence of other malware
Investigate the device timeline for indications of lateral movement activities using one of the compromised accounts
Initiate an incident response process, focusing on responding to possible data exfiltration and ransomware deployment, both of which attackers might have already performed. Contact your incident response team. If you don't have one, contact Microsoft support for investigation and remediation services
Microsoft Defender Antivirus detects this threat on your device, and automatically removes threats as they are detected. If this threat is detected in your environment, we recommend that you immediately contact your incident response team or contact Microsoft support for investigation and remediation services.
