Pay up or lose everything, not what you want to hear.

Apr 05 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s bursting at the seams like Brendan Frasier #TheWhale

Today’s hottest cyber security stories:

  • Give me all your Money Message: There’s a new ransomware in town
  • Rarschach Ransomware: “Never compromise. Not even in the face of Cybergeddon”
  • Crypto-jack hack! Rilide malware LARPs as Google Drive extension


Bad news, folks: today’s is a very ransomware-heavy edition of Gone Phishing. Up first we have Money Message, which has been wreaking havoc over the last week or so, demanding money (clue’s in the name!) in exchange for sparing its victims files. So, basically a case of ‘pay up or lose everything’. Lovely.

For those who don’t know, ransomware attacks are when hackers (or threat actors) hack into a system and either lock users out or threaten to release sensitive information if the victim doesn’t pay the ransom.

The ransom tends to be demanded in cryptocurrency, often Monero coin or, more recently, Dero coin. Oh Dero, oh dear.

Okay, let’s get into the specifics of this latest ransomware attack which appears to be targeting large corporations. I mean, if you’re going to dedicate yourself to a life of cybercrime, why not go hog wild? “He who dares, wins”, in the enduring words of Del Boy.

The new group called Money Message was observed demanding million-dollar ransoms in exchange for a ‘decryptor’.

The devil’s in the details:

  • As of now, Money Message has listed two victims on its leak site – an Asian airline with a revenue of over $1 billion and an unnamed computer hardware vendor.
  • The ransomware encryptor is written in C++ and contains an embedded JSON configuration file to determine the encryption process of a device.
  • The ransom note includes a link to a Tor (Tor article here) negotiation site for the victim to contact the threat actors.
  • While the encryptor—ChaCha20/ECDH encryption—used by Money Message is not very advanced, the operation is still encrypting devices and stealing their data.

Although Money Message may not seem like a sophisticated form of malware, it is still a significant threat to companies, as it steals data and uses it to ruthlessly extort them.

Additionally, the frequent appearance of new ransomware groups underscores the increasing number of threats facing organizations.

Check yo’ self before you wreck yo’self, fool!

As a result, it is crucial to implement appropriate defences and prioritize your safety.

Another scary prospect for companies who are targeted by ransomware attack is that, if their insurance company can prove that the attack was ‘state-backed’, they may not even be covered.

Whether the victims choose to pay or not, these attacks often end up costing millions ????????????


To our fellow nerds out there who are familiar with the graphic novel turned movie The Watchmen, you’ll know that the real Rorschach would be the one apprehending the scumbag ransomware scammers and dishing out some downright gratuitous violence in the process.

Alas, his good name has been tarnished by a new ransomware that’s his namesake. This one appeared on the scene yesterday and has already set itself apart from the ransomware riffraff.

Indeed, Check Point Research said in a new report: “What makes Rorschach stand out from other ransomware strains is its high level of customization and its technically unique features that have not been seen before in ransomware.

“In fact, Rorschach is one of the fastest ransomware strains ever observed, in terms of the speed of its encryption.” Hats off! Wait, no. You suck, Rorschach! Not you, Rorschach – other Rorschach.

Sneaky, sneaky, Sir

“The Rorschach ransomware employs a highly effective and fast hybrid-cryptography scheme, which blends the curve25519 and eSTREAM cipher hc-128 algorithms for encryption purposes,” researchers Jiri Vinopal, Dennis Yarizadeh, and Gil Gekker explained.

This process is designed to only encrypt a specific portion of the original file content instead of the entire file and employs additional compiler optimization method that make it a “speed demon.”

Speed demon, huh? Think I’d rather a Bugatti Veyron. #FreeAndrewTate lol 


Oh, why do I scam this way? Hey, must be the money! Remember Ride Wit Me? Nelly? Anyone? Bueller? Geez, getting old.

So, hallelujah this one actually isn’t a ransomware. But it still sucks… Here’s an expert to tell you a little more:

“Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges,” Trustwave SpiderLabs Research said in a report.

If that wasn’t bad enough, the stealer malware can display forged dialogs to deceive users into entering a two-factor authentication code to withdraw digital assets. Scary stuff.

“The Rilide stealer is a prime example of the increasing sophistication of malicious browser extensions and the dangers they pose,” Trustwave concluded.

Sorry, folks. Hopefully we’ll have some good news you for tomorrow. One can only dream…

So long and thanks for reading all the phish!

Recent articles