
Identify Ransomware: .BAGAJAI Ext (MedusaLocker3/Far Attack)

Summary

– A webserver has been infected with unidentified ransomware that encrypted files with .BAGAJAI extensions and left ransom notes in every directory.
– The ransomware remains unidentified despite submissions to the Stop Ransomware Project and ID Ransomware sites, complicating recovery efforts.
– Multiple malware detections were found, including chisel.exe in the Windows Temp folder and Mimikatz-related files in a disabled user profile.
– The attacker provided contact methods through a TOR page and email addresses (recovery1@amniyat.xyz and recovery1@salamati.vip) for ransom negotiations.
– All server backups were also encrypted during the attack, eliminating the option for data restoration from backups.

Running a web server on a tight budget presents unique challenges, especially when facing a sophisticated cyberattack. The .BAGAJAI file extension ransomware has recently emerged, leaving victims with encrypted files and a ransom note titled “readtodecrypt_files” in every directory. This malicious software not only locks primary data but often targets backup files as well, creating a critical situation for small businesses and individual operators.

In one reported case, a web server administrator discovered their files were inaccessible, each bearing the .BAGAJAI extension. The accompanying HTML document provided a unique personal identifier and instructions to contact the attackers via specific TOR pages or email addresses like recovery1@amniyat.xyz and recovery1@salamati.vip. Despite submitting samples to the Stop Ransomware Project and ID Ransomware platform, the strain remained unidentified, complicating recovery efforts.

Security scans revealed several malicious components, including a file named chisel.exe in the Windows Temp directory, flagged as “Gen:Variant.Bulz.236620.” Further investigation uncovered an extensive cache of malware within a long-disabled user profile, housing executables like BAGAJAI.exe and various Mimikatz-related files, tools commonly used for credential dumping and privilege escalation.

The discovered files also included a Trojan detected as “Gen:Variant.Mikey.181019”, linked to BAGAJAI.exe.

These elements suggest a multi-stage attack, potentially leveraging stolen credentials to propagate across the system. The presence of Mimikatz indicates the attackers aimed to harvest login details, possibly to maintain persistence or move laterally through the network.

For those encountering similar issues, immediate steps should include disconnecting affected systems from the network to prevent further encryption. Consulting with a cybersecurity professional is strongly advised, as unidentified ransomware variants like this often require specialized decryption tools or forensic analysis. Regularly updating and isolating backups remains one of the most effective defenses against such evolving threats.
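As an added example (not code from the original report or from the affected administrator), the following Python script performs a read-only walk of a directory tree and collects the indicators named above: files carrying the .BAGAJAI extension, directories holding the readtodecrypt_files note, and the chisel.exe / BAGAJAI.exe file names. The modification-time window of the encrypted files gives a starting point for event-log review; the sample tree it builds is constructed, and tools are matched by file name only (a real triage would confirm with hashes or AV verdicts).

```python
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Indicators taken from the report above: extension, ransom-note file name, dropped tools.
ENCRYPTED_EXT = ".bagajai"
RANSOM_NOTE_STEM = "readtodecrypt_files"          # the HTML note, matched by name without extension
SUSPICIOUS_TOOLS = {"chisel.exe", "bagajai.exe"}  # name match only; confirm with hashes / AV verdicts

@dataclass
class TriageResult:
    encrypted_files: list = field(default_factory=list)
    note_dirs: list = field(default_factory=list)
    tool_hits: list = field(default_factory=list)
    mtimes: list = field(default_factory=list)   # mtimes of encrypted files; min/max bound the run

    def window(self):
        """(earliest, latest) mtime of encrypted files, or None: a starting point for log review."""
        return (min(self.mtimes), max(self.mtimes)) if self.mtimes else None

def triage(root: str) -> TriageResult:
    """Read-only walk of a tree, collecting the indicators described in the report."""
    r = TriageResult()
    for p in (q for q in Path(root).rglob("*") if q.is_file()):
        lower = p.name.lower()
        if lower.endswith(ENCRYPTED_EXT):
            r.encrypted_files.append(str(p))
            r.mtimes.append(p.stat().st_mtime)
        elif p.stem.lower() == RANSOM_NOTE_STEM:
            r.note_dirs.append(str(p.parent))
        elif lower in SUSPICIOUS_TOOLS:
            r.tool_hits.append(str(p))
    return r

def build_sample_tree() -> str:
    """Constructed sample tree (not real data) mimicking the infected server's layout."""
    root = tempfile.mkdtemp(prefix="bagajai_triage_")
    layout = {"wwwroot/index.html.BAGAJAI": b"ciphertext",
              "wwwroot/readtodecrypt_files.html": b"<html>ransom note</html>",
              "wwwroot/img/logo.png.BAGAJAI": b"ciphertext",
              "wwwroot/img/readtodecrypt_files.html": b"<html>ransom note</html>",
              "Windows/Temp/chisel.exe": b"MZ",
              "Users/olduser/BAGAJAI.exe": b"MZ",
              "clean/notes.txt": b"untouched"}
    for rel, data in layout.items():
        p = Path(root, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root
```

Running `triage(build_sample_tree())` on the constructed tree reports two encrypted files, two directories with the note and two tool hits; point `triage` at a mounted, write-protected image of the real volume rather than the live server.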

(Source: Bleeping Computer)
