DeathRansom Ransomware Can Actually Encrypt Files Now
When DeathRansom was first being distributed, it pretended to encrypt files, but researchers and users found that they could just remove the appended .wctc extension and the files would become usable again.
Unlike the earlier non-encrypting version, the working DeathRansom variants do not append an extension to encrypted files; the files keep their original names, but their contents are now actually encrypted.
In every folder that a file is encrypted, the ransomware will create a ransom note named read_me.txt that contains a unique "LOCK-ID" for the victim and an email address to contact the ransomware developer or affiliate.
In that early version, as an astute reader may have noticed, DeathRansom did not really encrypt file content at all, so victims only had to rename the affected files (hint: remove the appended extension) to restore the system to normal.
The new version of this ransomware uses a combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files.
First DeathRansom infections were reported in November 2019. Initial versions of this ransomware were deemed a joke. At the time, DeathRansom merely mimicked being a ransomware without encrypting any of a user's files.
According to Fortinet, the new DeathRansom strains use a complex combination of "Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files."
Currently, DeathRansom is being distributed via phishing email campaigns. The Fortinet report contains indicators of compromise that companies can load into their security products to prevent corporate systems from getting infected. Fortinet also said it is still analyzing the ransomware's encryption scheme for any possible faults, which it hopes to use to create a free decrypter to help past victims.
As the new year rolls in, new developments in different ransomware strains have emerged. Clop ransomware has evolved to integrate a process killer that targets Windows 10 apps and various applications. DeathRansom, with initial versions that masqueraded as ransomware, now has the ability to encrypt files. Maze ransomware has been increasingly targeting U.S. companies for stealing and encrypting data, as alerted by the Federal Bureau of Investigation (FBI).
The latest Clop ransomware variant has been updated and is now capable of terminating a total of 663 Windows processes, including Windows 10 and Microsoft Office applications, before proceeding with its encryption routine. It is not uncommon for ransomware variants to terminate processes before encrypting files; some attackers even disable security software to evade detection. This action could either mean that configuration files used by some of the terminated processes are targeted for encryption or the threat actors are merely trying to ensure that the malware closes as many files as possible for successful encryption.
But the newer versions are different. Fortinet researchers published a two-part analysis describing how DeathRansom now functions as actual ransomware. The variant uses a combination of the Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm for its encryption scheme. DeathRansom currently spreads through phishing campaigns.
Distributed in late December 2019, the warning indicates that the Bureau first observed the ransomware being wielded against U.S. victims last November. Upon successfully breaching the network, threat actors exfiltrate company files before encrypting machines and network shares. The actors then demand a target-specific ransom in exchange for the decryption key.
Organizations can strengthen their defenses against ransomware by updating their systems and applications to the latest versions and using multi-factor authentication. In case of a ransomware infection, we advise against paying the ransom as this does not guarantee the recovery of the encrypted files and may only encourage threat actors to further attack organizations. Here are other measures users and organizations can take to protect against ransomware:
Discovered by GrujaRS, DeathRansom is malicious software, classified as ransomware. In general, systems infected with malware of this type have their data encrypted. The cyber criminals behind the encryption then demand a ransom to be paid for decryption tools/software.
As was discovered by Michael Gillespie at the time of his research, however, DeathRansom did not actually encrypt any files; it simply appended the ".wctc" extension to them. For example, "1.jpg" becomes "1.jpg.wctc", and so on. After this process is complete, a text file, "read_me.txt", is created on the desktop.
The text file contains the ransom message and begins with a warning, all in capital letters, stating that this file must not be deleted. It is claimed that, if there are any decryption errors, without this file, the system will be corrupted. The message states that all of the victim's documents, photos, databases and other important files have been encrypted.
To prevent permanent data damage, victims are instructed not to rename the encrypted files or try decryption with third party software. In most cases of ransomware attacks, only the program that initially encrypted the data can decrypt it.
Despite paying, victims often receive none of the promised tools, which leaves their data encrypted and useless. Removing ransomware is necessary to stop it from further encryption, however, this will not restore already encrypted data. Although DeathRansom currently does not encrypt data, it is very likely that developers will release an updated, fully functioning variant.
Mbed, ANTEFRIGUS, Ninja, and Mespinoza are just some examples of other ransomware programs. All malware of this type is designed to encrypt files (or falsely suggest that this is being performed) and demand payment for decryption tools/software. These infections differ due to the cryptographic algorithm used for the encryption and by ransom size.
Update November 21, 2019 - Cyber criminals have recently released an updated variant of DeathRansom ransomware, which now actually encrypts data, yet no longer appends any extension. The ransom message is also slightly different.
DEATHRansom

Hello dear friend,
Your files were encrypted!
You have only 12 hours to decrypt it
In case of no answer our team will delete your decryption password
Write back to our e-mail: email@example.com
In your message you have to write:
1. YOU LOCK-ID: -
2. Time when you have paid 0.1 btc to this bitcoin wallet:
1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N
After payment our team will decrypt your files immediatly
Free decryption as guarantee:
1. File must be less than 1MB
2. Only .txt or .lnk files, no databases
3. Only 1 files
How to obtain bitcoin:
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/
Some ransomware-type infections are designed to encrypt files within external storage devices, infect them, and even spread throughout the entire local network. For this reason, it is very important to isolate the infected device (computer) as soon as possible.
As mentioned above, ransomware might encrypt data and infiltrate all storage devices that are connected to the computer. For this reason, all external storage devices (flash drives, portable hard drives, etc.) should be disconnected immediately, however, we strongly advise you to eject each device before disconnecting to prevent data corruption:
Some ransomware-type infections might be able to hijack software that handles data stored within "the Cloud", so that synced data is also corrupted or encrypted. For this reason, you should log out of all cloud storage accounts within browsers and other related software. You should also consider temporarily uninstalling the cloud-management software until the infection is completely removed.
This, however, is rare. In most cases, ransomware infections deliver more direct messages simply stating that data is encrypted and that victims must pay some sort of ransom. Note that ransomware-type infections typically generate messages with different file names (for example, "_readme.txt", "READ-ME.txt", "DECRYPTION_INSTRUCTIONS.txt", "DECRYPT_FILES.html", etc.). Therefore, using the name of a ransom message may seem like a good way to identify the infection. The problem is that most of these names are generic and some infections use the same names, even though the delivered messages are different and the infections themselves are unrelated. Therefore, using the message filename alone can be ineffective and even lead to permanent data loss (for example, by attempting to decrypt data using tools designed for different ransomware infections, users are likely to end up permanently damaging files and decryption will no longer be possible even with the correct tool).
Another way to identify a ransomware infection is to check the file extension appended to each encrypted file. Ransomware infections are often named after the extensions they append.
This method is only effective, however, when the appended extension is unique; many ransomware infections append a generic extension (for example, ".encrypted", ".enc", ".crypted", ".locked", etc.). In these cases, identifying ransomware by its appended extension becomes impossible.
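The two DeathRansom generations on this page show why neither a note filename nor an extension is a trustworthy identifier: the ".wctc" version looked encrypted by name but was plain by content, while the later version keeps the original names and really does scramble the bytes. The check a responder actually wants is on the content. The script below is an added example, not from any of the sources quoted here; it triages files by magic bytes and Shannon entropy and reports whether a suspiciously named file can be recovered by simply renaming it. The sample files are constructed in memory, the note names and suffixes are the ones quoted on this page, and the 7.0 bits-per-byte threshold and 4 KiB sampling window are assumptions.

```python
import hashlib
import math
import os
from collections import Counter

# Well-known file signatures; an illustrative subset, not a complete table.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
         b"%PDF-": "pdf", b"PK\x03\x04": "zip/office"}
# Note names and suffixes quoted on this page; shared across unrelated families.
NOTE_NAMES = {"read_me.txt", "_readme.txt", "read-me.txt",
              "decryption_instructions.txt", "decrypt_files.html"}
KNOWN_SUFFIXES = {".wctc", ".encrypted", ".enc", ".crypted", ".locked"}
SAMPLE_BYTES = 4096   # entropy is only meaningful over a few KiB of data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text ~4-5, zip/jpeg/ciphertext ~7.9+."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def detect_magic(data: bytes):
    return next((kind for sig, kind in MAGIC.items() if data.startswith(sig)), None)


def triage(name: str, data: bytes) -> dict:
    """Classify one file by what its bytes say, not by what its name says."""
    base, ext = os.path.splitext(name)
    head = data[:SAMPLE_BYTES]
    v = {"name": name, "note_name": name.lower() in NOTE_NAMES,
         "suspicious_suffix": ext.lower() in KNOWN_SUFFIXES,
         "magic": detect_magic(head), "entropy": round(shannon_entropy(head), 2),
         "recover_by_rename": None}
    if v["note_name"]:
        v["content"] = "possible ransom note"
    elif v["magic"] is not None or v["entropy"] < 7.0:
        # Recognisable header or low entropy: the bytes are still readable.
        # With a known suffix this is the 'renamed only' case (.wctc era).
        v["content"] = "plaintext"
        if v["suspicious_suffix"]:
            v["recover_by_rename"] = base
    else:
        # High entropy, no header: in-place encryption, even with no suffix.
        v["content"] = "likely encrypted"
    return v


def _pseudo_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler standing in for real ciphertext."""
    out = b""
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]


# Constructed in-memory samples (no real victim data).
SAMPLES = {
    "1.jpg.wctc": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 3000,  # renamed, not encrypted
    "budget.xlsx": _pseudo_ciphertext(6000),                        # encrypted, name kept
    "read_me.txt": b"Hello dear friend,\nYour files were encrypted!\n" * 20,
    "notes.txt": b"Quarterly planning notes for the security team.\n" * 60,
}


def run_triage(samples=SAMPLES):
    return [triage(name, data) for name, data in samples.items()]


if __name__ == "__main__":
    for v in run_triage():
        print(f"{v['name']:<14} {v['content']:<22} entropy={v['entropy']:<5} "
              f"magic={v['magic']} rename_to={v['recover_by_rename']}")
```

Two caveats apply in practice. Compressed formats (zip-based Office files, JPEG, PDF streams) are high-entropy by nature, which is why the magic-byte check runs before the entropy check; a stripped header with high entropy is the signal, not high entropy alone. And a "plaintext" verdict on a renamed file only tells you the rename is safe; it says nothing about which family did it, so do not feed that file to a decrypter chosen by note name or extension.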