Security researchers observed that malware authors have made DeathRansom a proper crypto-ransomware family capable of encrypting victims’ files.

Fortinet began its analysis of DeathRansom by digging into a sample with a timestamp of Nov. 16, 2019. Upon successful infection, the sample checked the machine for several languages to avoid infecting a system located in an Eastern European country. Assuming those checks yielded no conflicts, the threat began enumerating network resources using Windows APIs and scanning those resources for normal directories. It then encoded, but did not encrypt, users’ data while avoiding important Windows folders and system files. Finally, it dropped a ransom note instructing victims to contact the attackers via email.

Victims of the sample described above could recover their files simply by removing the extension added by the malware. However, Fortinet found that wasn’t the case with more recent samples. Indeed, researchers found one sample that used a combination of five different algorithms to successfully encrypt a user’s files.

A Look Back at DeathRansom’s Recent Activity

DeathRansom’s handlers implemented the change described above shortly after its discovery by the security community. As noted by Carbon Black, security researchers first came across the malware in mid-November 2019. They quickly found that the threat behaved like other ransomware in that it both deleted volume shadow copies on an infected computer, thereby complicating the recovery process, and dropped a ransom note named read_me.txt in each encrypted file’s directory.

As reported by Bleeping Computer, DeathRansom’s handlers properly outfitted their creation with a viable encryption routine around Nov. 20, 2019. The computer self-help site also noted that many victims of those new DeathRansom samples reported concurrent infections involving STOP, another ransomware family commonly distributed via adware cracks and bundles.

How to Defend Against a DeathRansom Infection

Security professionals can help defend their organizations against a DeathRansom infection by integrating their security information and event management (SIEM), vulnerability management systems and other security tools. Doing so will help these solutions share threat data, thereby improving the organization’s security posture against evolving ransomware threats while saving the business time and money. Infosec personnel should also ensure that they have the latest threat intelligence and that they are feeding this information to network monitoring tools that are properly configured to address the organization’s needs.

More from

More School Closings Coast-to-Coast Due to Ransomware

Instead of snow days, students now get cyber days off. Cyberattacks are affecting school districts of all sizes from coast-to-coast. Some schools even completely shut down due to the attacks. The federal government recently warned that K-12 schools face a growing threat from cyber groups. According to the FBI, school districts often have limited cybersecurity protections, which makes them even more vulnerable. The FBI also says it anticipates the number of threats to increase. In a recent warning, the nation’s…

The Role of Human Resources in Cybersecurity

The human resources (HR) department is an integral part of an organization. They work with all departments with a wider reach than even IT. As a highly visible department, HR can support and improve an organization’s security posture through employee training. Their access to employees at the start of employment is an opportunity to lay a foundation for a culture of risk awareness. HR departments do not typically include cybersecurity risk awareness training with new hire onboarding, but it’s something…

New Attack Targets Online Customer Service Channels

An unknown attacker group is targeting customer service agents at gambling and gaming companies with a new malware effort. Known as IceBreaker, the code is capable of stealing passwords and cookies, exfiltrating files, taking screenshots and running custom VBS scripts. While these are fairly standard functions, what sets IceBreaker apart is its infection vector. Malicious actors are leveraging the helpful nature of customer service agents to deliver their payload and drive the infection process. Here’s a look at how IceBreaker…

Operational Technology: The evolving threats that might shift regulatory policy

Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. Attacks on Operational Technology (OT) and Industrial Control Systems (ICS) grabbed the headlines more often in 2022 — a direct result of Russia’s invasion of Ukraine sparking a growing willingness on behalf of criminals to target the ICS of critical infrastructure. Conversations about what could happen if these kinds of systems were compromised were once relegated to “what ifs” and disaster movie scripts. But those days are…