The threat actors behind DeathRansom have now taken their venture seriously. DeathRansom, the ransomware that everyone previously considered a joke, is now encrypting the files for real.
DeathRansom Becomes A Potent Ransomware
Researchers from Fortinet have analyzed the DeathRansom malware and revealed that it has now started encrypting for real this time.
‘DeathRansom’, despite having a dangerous name, the malware was long considered a joke owing to its improper functioning. The malware surfaced online in November 2019, and it only impersonated ransomware by adding extensions to the victim’s data files. Unlike conventional ransomware, DeathRansom failed to properly encrypt the victim’s data. So, it was still possible for the victim to retrieve the data (only if a victim could realize the failed encryption) by removing the added extensions.
However, the Fortinet has revealed that DeathRansom has now transformed into a serious ransomware since it has begun encrypting data. Elaborating the technical details in the first part of their report, they stated,
The new version of this ransomware uses a combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files.
Now, as it infects a target system, it encrypts the data and places a ransom note, like any other ransomware. The ransom note includes a unique LOCK-ID for the victim that is also present in the “HKCU\Software\Wacatac\private” registry and encoded in base64.
Possible Connection With Other Malware Campaigns
Apart from the technical analysis, Fortinet also tracked down the threat actor behind DeathRansom.
In the second part of their report, Fortinet revealed that the DeathRansom operators are active for several years.
In short, they found that the DeathRansom operator previously infected users with password stealers, such as Vidar, Azorult, 1ms0rryStealer, and Evrial, and cryptominers such as SupremeMiner.
They also suspect a threat actor with alias scat01 to be behind the DeathRansom ransomware linking back to Russia.
Presently, DeathRansom is under active distribution via email phishing campaigns
Let us know your thoughts in the comments.