DeathRansom No Longer a Joke, Since it Now Encrypts Victim Files

  •  
  •  
  •  
  • 2
  •  
  •  
  •  
    2
    Shares

The threat actors behind DeathRansom have now taken their venture seriously. DeathRansom, the ransomware that everyone previously considered a joke, is now encrypting the files for real.

DeathRansom Becomes A Potent Ransomware

Researchers from Fortinet have analyzed the DeathRansom malware and revealed that it has now started encrypting for real this time.

‘DeathRansom’, despite having a dangerous name, the malware was long considered a joke owing to its improper functioning. The malware surfaced online in November 2019, and it only impersonated ransomware by adding extensions to the victim’s data files. Unlike conventional ransomware, DeathRansom failed to properly encrypt the victim’s data. So, it was still possible for the victim to retrieve the data (only if a victim could realize the failed encryption) by removing the added extensions.

However, the Fortinet has revealed that DeathRansom has now transformed into a serious ransomware since it has begun encrypting data. Elaborating the technical details in the first part of their report, they stated,

The new version of this ransomware uses a combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files.

Now, as it infects a target system, it encrypts the data and places a ransom note, like any other ransomware. The ransom note includes a unique LOCK-ID for the victim that is also present in the “HKCU\Software\Wacatac\private” registry and encoded in base64.

Possible Connection With Other Malware Campaigns

Apart from the technical analysis, Fortinet also tracked down the threat actor behind DeathRansom.

In the second part of their report, Fortinet revealed that the DeathRansom operators are active for several years.

In short, they found that the DeathRansom operator previously infected users with password stealers, such as Vidar, Azorult, 1ms0rryStealer, and Evrial, and cryptominers such as SupremeMiner.

They also suspect a threat actor with alias scat01 to be behind the DeathRansom ransomware linking back to Russia.

Presently, DeathRansom is under active distribution via email phishing campaigns

Let us know your thoughts in the comments.

The following two tabs change content below.

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]

Do NOT follow this link or you will be banned from the site!