DeathRansom Ransomware Fixes Issues, Now Encrypting Victims' Data | Tripwire

DeathRansom Ransomware Fixes Issues, Now Encrypting Victims' Data

Posted on November 27, 2019
New Microsoft Spear-Phishing Attack Uses Exact Domain Spoofing Tactic
After its developers fixed several issues, DeathRansom ransomware is now actively infecting users and encrypting victims' data. DeathRansom wasn't actually crypto-ransomware when attackers first began distributing it. At that time, the threat pretended to encrypt users' information and appended the .wctc extension onto victims' files. Researchers found that they could recover victims' affected data simply by removing the extension added by this initial variant. But things changed around November 20, 2019. According to Bleeping Computer, DeathRansom began encrypting users' files in earnest. It also stopped appending an extension onto victims' files at around that time. This means that victims of its newest variants must look for "ABEFCDAB" file marker to determine which files are affected. The number of victims has slowed since these changes took effect. But a steady stream of new victims suggests that an active distribution campaign is underway. Once it's infected a machine, the ransomware attempts to remove shadow volume copies before initiating its encryption routine. It then drops a ransom note into every folder where it's encrypted a file. This message, in turn, provides victims with a unique infection ID and informs them to contact an email address in order to receive payment instructions.
Screen-Shot-2019-11-27-at-07.11.51.png
DeathRansom's ransom note. (Source: Bleeping Computer) Interestingly, Bleeping Computer found a connection between DeathRansom and STOP, ransomware whose variants installed the Azorult infostealer onto victim’s machines as part of their infection process back in March. As the computer self-help site explains in its research:
This is seen in one Reddit post and numerous submissions to ID-Ransomware where the victim upload a DeathRansom ransom note and a STOP Djvu encrypted file as part of the same submission. As STOP is only distributed through adware bundles and cracks, it is possible the DeathRansom may be distributed in a similar manner.
It's currently unclear whether victims of DeathRansom can recover their files for free. Users should therefore follow these steps to prevent a ransomware infection.
Join over 20,000 IT security pros who get our top stories delivered to their inbox every week!