The threat actors behind DeathRansom have now taken their venture seriously. DeathRansom, the ransomware that everyone previously considered a joke, is now encrypting the files for real.
Researchers from Fortinet have analyzed the latest DeathRansom sample and found that, this time, it actually encrypts the victim's files.
Despite its menacing name, DeathRansom was long considered a joke because it did not work as advertised. The malware surfaced online in November 2019, and at that point it only impersonated ransomware: it appended an extension to the victim's data files without touching their contents. Unlike conventional ransomware, DeathRansom never properly encrypted the data, so a victim who noticed the failed encryption could recover everything simply by removing the appended extension.
However, Fortinet has revealed that DeathRansom has now turned into genuine ransomware, since it has begun encrypting data. Elaborating on the technical details in the first part of their report, they stated,
Now, when it infects a target system, it encrypts the data and drops a ransom note, like any other ransomware. The ransom note includes a unique LOCK-ID for the victim, which is also stored, base64-encoded, in the registry under HKCU\Software\Wacatac\private.
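Two triage questions follow directly from the two DeathRansom behaviours described above: were the files with the appended extension merely renamed (the early, fake variant) or actually encrypted (the current one), and does the base64 value left in the registry correspond to the LOCK-ID printed in the ransom note? The script below is an added example written for this article, not Fortinet's code or anything from the DeathRansom sample. It assumes nothing about the real extension or key format: the file names, the `.locked` extension, the sample file contents and the sample registry string are all constructed for the demonstration. It uses a simple header check plus Shannon entropy to distinguish "renamed only" from "encrypted", which generalises beyond this family to any ransomware that may or may not have encrypted what it renamed.

```python
"""Triage helpers for a DeathRansom-style incident (added example, not the
article's or Fortinet's code). Assumptions (constructed, not from the report):
files carry a hypothetical ".locked" extension, and the registry value under
HKCU\\Software\\Wacatac\\private is read out separately and passed in as a
string, so the script also runs on non-Windows hosts.
"""
import base64
import math
import os
import tempfile
from collections import Counter

# A file that was only renamed keeps its original header; an encrypted one does not.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/office",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, threshold: float = 7.5) -> str:
    """Return 'renamed' if a known header survives or the content is low-entropy,
    otherwise 'encrypted'. Only the first 4 KiB is examined."""
    head = data[:4096]
    if any(head.startswith(magic) for magic in MAGIC):
        return "renamed"
    return "encrypted" if shannon_entropy(head) >= threshold else "renamed"


def triage_dir(path: str, ext: str = ".locked") -> dict:
    """Classify every file in `path` that carries the appended extension."""
    results = {}
    for name in sorted(os.listdir(path)):
        if name.endswith(ext):
            with open(os.path.join(path, name), "rb") as fh:
                results[name] = classify(fh.read(4096))
    return results


def decode_lock_id(registry_value: str) -> str:
    """Decode the base64 string recovered from the registry value."""
    return base64.b64decode(registry_value).decode("utf-8", errors="replace")


def lock_id_matches(registry_value: str, note_lock_id: str) -> bool:
    """True when the registry artifact and the ransom note name the same victim."""
    return decode_lock_id(registry_value) == note_lock_id.strip()


def run_demo() -> dict:
    """Build a constructed sample directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            # Renamed only: PNG header intact, body is zeros.
            "photo.png.locked": b"\x89PNG\r\n\x1a\n" + b"\x00" * 4000,
            # Renamed only: plain text, no magic but very low entropy.
            "notes.txt.locked": b"quarterly numbers\n" * 200,
            # Encrypted: every byte value equally likely, no recognisable header.
            "report.docx.locked": bytes(range(256)) * 16,
            # Untouched file without the extension is ignored.
            "readme.txt": b"nothing to see here",
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return triage_dir(tmp)


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
    # Constructed registry string; "QUJDMTIz" is base64 for "ABC123".
    print("LOCK-ID matches note:", lock_id_matches("QUJDMTIz", "ABC123"))
```

A "renamed" verdict means the file is likely recoverable by stripping the extension, as was the case with the original DeathRansom; an "encrypted" verdict means the contents are gone unless a key is obtained. The entropy threshold is a heuristic: already-compressed formats such as ZIP or PNG score high even when untouched, which is why the header check runs first.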
Apart from the technical analysis, Fortinet also tracked down the threat actor behind DeathRansom.
In the second part of their report, Fortinet revealed that the DeathRansom operators have been active for several years.