New Ransomware Group Money Message Discovered


Back in April of this year, a new ransomware group called “Money Message” became active. While the group had previously flown under the radar, Sophos X-Ops has now been able to take a closer look at its activities while investigating an attack on an Australian organization.

The group provides a prime example of what has become a very widespread attack variant: sneaking through hijacked company networks in a variety of ways in order to avoid detection and elimination. For example, in 78 percent of the cases analyzed by the Sophos Incident Response Team in the first half of 2023, internal RDP services were misused by cybercriminals for their own purposes.

Vulnerable VPN connections attacked

In this particular case, Money Message used a vulnerable VPN connection to gain access to the network. They then moved laterally on the network using the Remote Desktop Protocol (RDP) used by the company. The attackers were also able to disable Windows Defender and gain access to various organizational credentials before they began to harvest sensitive data.

The freely available English investigation report “Step by step through the money message ransomware” provides all details about the attack and tips for preventing such cover-up attacks.


About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.

