DeathRansom ransomware was first reported in November 2019 and was initially not considered genuine ransomware, since it did not use a proper encryption method.
The early implementations would only append a file extension to all of the victim's files and drop a ransom note demanding money from the victim, but the malware is now designed to encrypt files using a robust encryption scheme, according to cyber-security firm Fortinet.
Back then, the author of DeathRansom used it as a trick to pressure people into paying a ransom demand; victims would not necessarily notice that their data had never actually been encrypted, and it was easy to get the files back by simply removing the second extension from each file. It appears that the DeathRansom author has since continued working on the program, and the newest iterations now operate as true ransomware with solid encryption.
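Since the early builds only renamed files, recovery amounted to stripping the appended suffix. The following is an added example of such a recovery routine, not code from Fortinet's report or the malware itself; because the page does not name the appended extension, `FAKE_EXT` is a placeholder to be replaced with the suffix observed on the affected host, and the sample tree built by `demo()` is constructed for illustration. The routine refuses to overwrite an existing file with the original name, so a collision is left for manual review rather than silently destroying data.

```python
"""Recover files renamed by an early, non-encrypting DeathRansom build.

Those early samples only appended a second extension to each file; the
content was untouched, so recovery is a matter of stripping that suffix.
"""
import tempfile
from pathlib import Path
from typing import List, Optional, Tuple

# The page does not name the appended extension, so this value is an
# assumption/placeholder: set it to the suffix seen on the affected host.
FAKE_EXT = ".renamed-example"


def strip_fake_extension(name: str, fake_ext: str = FAKE_EXT) -> Optional[str]:
    """Return the original file name, or None if `name` does not carry the suffix.

    Only the trailing suffix is removed, so 'report.docx<suffix>' -> 'report.docx'.
    A name that consists of nothing but the suffix is not a renamed file.
    """
    if not name.endswith(fake_ext) or name == fake_ext:
        return None
    return name[: -len(fake_ext)]


def recover_directory(root, fake_ext: str = FAKE_EXT,
                      dry_run: bool = False) -> List[Tuple[str, str]]:
    """Walk `root`, rename affected files back and return (old, new) path pairs.

    Never overwrites: if a file with the original name already exists, the
    renamed copy is skipped and left in place for manual review.
    `dry_run=True` reports what would be renamed without touching anything.
    """
    renamed: List[Tuple[str, str]] = []
    # sorted() materialises the listing first, so renaming while iterating is safe.
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        original = strip_fake_extension(path.name, fake_ext)
        if original is None:
            continue
        target = path.with_name(original)
        if target.exists():
            continue  # collision: do not clobber the existing file
        if not dry_run:
            path.rename(target)
        renamed.append((str(path), str(target)))
    return renamed


def demo() -> dict:
    """Build a constructed sample tree in a temp dir and run recovery on it."""
    root = Path(tempfile.mkdtemp(prefix="deathransom-recovery-"))
    (root / "docs").mkdir()
    (root / "docs" / ("report.docx" + FAKE_EXT)).write_bytes(b"untouched content")
    (root / ("photo.png" + FAKE_EXT)).write_bytes(b"\x89PNG")
    (root / "photo.png").write_bytes(b"")  # pre-existing name: must not be overwritten
    (root / "notes.txt").write_bytes(b"never renamed")

    plan = recover_directory(root, dry_run=True)   # report only
    done = recover_directory(root)                 # actually rename
    rel = lambda p: Path(p).relative_to(root).as_posix()
    return {
        "planned": [rel(new) for _, new in plan],
        "restored": [rel(new) for _, new in done],
        "restored_content": (root / "docs" / "report.docx").read_bytes(),
        "skipped_still_present": (root / ("photo.png" + FAKE_EXT)).exists(),
    }


if __name__ == "__main__":
    print(demo())
```

Run the dry run first on a copy of the affected share, review the collisions it leaves behind, and only then rename in place; a build that actually encrypts, as the newer DeathRansom variants do, would leave the restored content unreadable, so the content check in `demo()` is the kind of sanity test to apply before declaring recovery complete.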
Fortinet claims that the new DeathRansom strains use a complex combination of:
- an Elliptic Curve Diffie-Hellman (ECDH) key exchange using the Curve25519 algorithm
- AES-256 in ECB mode
- a basic XOR block algorithm to encrypt files
Cyber-security experts are now investigating the DeathRansom encryption scheme for implementation flaws, but so far the ransomware appears to use a strong encryption system.
That is not all of the unfortunate news. DeathRansom is apparently backed by a strong marketing plan and is promoted via phishing email campaigns. For the last two months, users have been falling victim to it on a regular basis.
Fortinet experts have also focused their analysis on the ransomware's suspected publisher. Certain strings included in DeathRansom's source code, together with a review posted on a website distributing the malware, made it possible for the experts to connect the ransomware to a malware distributor who has been very active in recent years.
The operator was involved in campaigns distributing multiple password stealers, such as Vidar, Azorult, Evrial and 1ms0rryStealer, as well as miners such as SupremeMiner.
Past posts on hacking forums reveal that Nedugov, acting under the Scat01 username, had posted reviews for malware strains he was using at the time, such as Vidar, Evrial and SupremeMiner, which Fortinet later tracked down and documented in its report.
“That is why nearly all his accounts on underground forums were eventually banned,” Fortinet said.