Beware of DeathRansom Ransomware: It Can Now Encrypt Your Files for Real
DeathRansom ransomware is a new threat that has emerged in the cyber-security landscape. It was first reported in November 2019, but it was considered a joke until recently. According to Fortinet [^2^], DeathRansom is now capable of encrypting files using a solid encryption scheme. Previously, DeathRansom could only pretend to be ransomware without actually encrypting any users' files.
How DeathRansom Ransomware Became a Real Threat to Your Files
In this article, we will explain what DeathRansom ransomware is, how it works, how it is distributed, and how you can protect yourself from this malicious software.
What is DeathRansom Ransomware?
DeathRansom ransomware is a type of malware that encrypts the files on a victim's computer and demands a ransom for their decryption. The ransomware appends a .wctc extension to the encrypted files and drops a ransom note named read_me.txt in every folder where it has encrypted a file. The ransom note contains a unique "LOCK-ID" for the victim and an email address to contact the attackers for payment instructions.
The initial versions of DeathRansom ransomware did not actually encrypt the files; they only changed their extensions. This means that victims could easily recover their files by removing the .wctc extension. However, starting from November 20th, 2019, DeathRansom ransomware evolved and began using a complex combination of encryption algorithms to lock the files. These include the Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm.
The new variants of DeathRansom ransomware do not append any extension to the encrypted files, but they add a file marker "ABEFCDAB" at the end of each file. This makes it harder to identify which files are affected by the ransomware.
Encrypted file with file marker (Source: Bleeping Computer)
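The following Python triage script is an added example, not code from this article or from the sources it cites. It walks a directory tree and groups files by the three indicators described above: the .wctc extension of the early variants, the read_me.txt ransom note, and the trailing ABEFCDAB marker of the later variants. The marker's byte encoding is an assumption (both the raw hex bytes and the ASCII string are checked), and the function names and sample files are constructed for illustration.

```python
import os
import tempfile

OLD_EXTENSION = ".wctc"    # early variants only renamed files (from the article)
NOTE_NAME = "read_me.txt"  # ransom note name (from the article)
# Assumption: the article does not give the marker's encoding, so both the raw
# bytes AB EF CD AB and the 8-character ASCII string are accepted.
MARKERS = (bytes.fromhex("ABEFCDAB"), b"ABEFCDAB")


def has_trailing_marker(path):
    """True if the file's last bytes match one of the candidate markers."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            fh.seek(max(0, fh.tell() - 8))  # 8 = longest candidate marker
            return fh.read().endswith(MARKERS)
    except OSError:
        return False  # locked or unreadable file: skip it, keep scanning


def triage(root):
    """Walk root and group hits by indicator."""
    hits = {"ransom_note": [], "marker": [], "renamed_only": []}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() == NOTE_NAME:
                hits["ransom_note"].append(path)
            elif has_trailing_marker(path):
                hits["marker"].append(path)
            elif name.lower().endswith(OLD_EXTENSION):
                hits["renamed_only"].append(path)
    return hits


def demo():
    """Scan a constructed sample tree (placeholder bytes, no real samples)."""
    root = tempfile.mkdtemp()
    samples = {
        "report.docx.wctc": b"plain document bytes",  # early variant: rename only
        "photo.jpg": b"\x8f\x11\x02" + MARKERS[0],     # later variant: marker
        "notes.txt": b"untouched file",                # negative control
        NOTE_NAME: b"constructed placeholder note",
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return {k: sorted(map(os.path.basename, v)) for k, v in triage(root).items()}
```

Files in the "renamed_only" group carry the .wctc extension without a marker, which matches the early behaviour the article describes; files in the "marker" group should be treated as encrypted and preserved for analysis rather than renamed.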
How is DeathRansom Ransomware Distributed?
The exact distribution method of DeathRansom ransomware is not clear yet, but there are some clues that suggest that it may be spread via phishing email campaigns or adware bundles and cracks. Bleeping Computer [^4^] has found a connection between DeathRansom ransomware and STOP ransomware, another malware that is distributed through adware bundles and cracks. Some victims have reported that they were infected by both DeathRansom and STOP ransomware at the same time.
Phishing email campaigns are a common way of delivering malware to unsuspecting users. The attackers send emails that look like legitimate messages from reputable organizations or individuals, but contain malicious attachments or links that lead to malware downloads. The users are tricked into opening the attachments or clicking on the links, which then execute the malware on their computers.
Adware bundles and cracks are another way of distributing malware. Adware bundles are software packages that contain unwanted or malicious programs along with legitimate ones. The users are lured into downloading and installing these bundles by offering free or discounted software or services. Cracks are tools that allow users to bypass the activation or licensing process of paid software. However, these tools may also contain malware that infects the users' computers when they run them.
How to Protect Yourself from DeathRansom Ransomware?
The best way to protect yourself from DeathRansom ransomware is to prevent it from infecting your computer in the first place. Here are some tips to help you avoid becoming a victim of this malware:
Do not open email attachments or click on links from unknown or suspicious senders. Verify the sender's identity and the legitimacy of the message before opening any attachments or links.
Do not download or install software from untrusted sources. Only use official websites or reputable platforms to download or update your software.
Do not use cracks or pirated software. They may contain malware that can compromise your computer and data.