Tuesday 26 November 2019

A New Ransomware Called DeathRansom

A ransomware called DeathRansom began with a rocky start, but has now resolved its issues and has begun to infect victims and encrypt their data.


When DeathRansom was first being distributed, it pretended to encrypt files, but researchers and users found that they could just remove the appended .wctc extension and the files would become usable again.
Starting around November 20th, though, something changed.


Not only were victims' files actually becoming encrypted, but there was a surge of submissions related to DeathRansom on the ransomware identification site, ID Ransomware.

While the numbers have dwindled since that initial surge, we are still seeing a steady trickle of new victims, which means that there is most likely an active distribution campaign underway. Unfortunately, we have not yet discovered how this ransomware is being distributed.
What we do know is that like other ransomware, when DeathRansom is launched it will attempt to clear shadow volume copies.
It will then encrypt all files on the victim's computer other than those found whose full pathnames contain the following strings:
programdata
$recycle.bin
program files
windows
all users
appdata
read_me.txt
autoexec.bat
desktop.ini
autorun.inf
ntuser.dat
iconcache.db
bootsect.bak
boot.ini
ntuser.dat.log
thumbs.db
Unlike the previous non-encryption version, the working DeathRansom variants do not append an extension to encrypted files; they just retain their original name. The data in these files is encrypted.

The only way to identify that the file is encrypted by DeathRansom is by the ABEFCDAB file marker appended to the end of encrypted files.

In every folder that a file is encrypted, the ransomware will create a ransom note named read_me.txt that contains a unique "LOCK-ID" for the victim and an email address to contact the ransomware developer or affiliate.

The ransomware is currently being analyzed and it is not known if it can be decrypted at this time.
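The three artifacts described above (the path-substring exclusion list, the ABEFCDAB trailer on encrypted files, and the read_me.txt note in every affected folder) are enough to write a triage scanner that tells an incident responder which files on a recovered disk image carry the DeathRansom marker and where the ransom notes are. The following script is an added example, not code from the article or from Bleepingcomputer; it assumes the marker is the literal ASCII string ABEFCDAB occupying the last eight bytes of the file, and the sample directory tree it builds is constructed data, not real victim files.

```python
import os
import tempfile
from pathlib import Path

# Path substrings the article lists as excluded from encryption
# (matched case-insensitively against the pathname).
EXCLUDED_SUBSTRINGS = (
    "programdata", "$recycle.bin", "program files", "windows", "all users",
    "appdata", "read_me.txt", "autoexec.bat", "desktop.ini", "autorun.inf",
    "ntuser.dat", "iconcache.db", "bootsect.bak", "boot.ini", "ntuser.dat.log",
    "thumbs.db",
)

# Assumption: the marker is the ASCII string "ABEFCDAB" as the file's last 8 bytes.
MARKER = b"ABEFCDAB"
NOTE_NAME = "read_me.txt"


def is_excluded_path(path: str) -> bool:
    """True if the pathname contains any of the excluded substrings (case-insensitive)."""
    lowered = path.lower()
    return any(s in lowered for s in EXCLUDED_SUBSTRINGS)


def has_marker(path: str) -> bool:
    """Read only the trailing bytes of the file and compare them with the marker."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            size = fh.tell()
            if size < len(MARKER):
                return False
            fh.seek(size - len(MARKER))
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False


def scan_tree(root: str) -> dict:
    """Walk `root` and classify files as encrypted, ransom note, or skipped.

    The exclusion check is applied to the path relative to `root` so that the
    scanner's own working location does not trigger an exclusion; when the
    scan root is a whole volume this equals the full pathname the ransomware checks.
    """
    result = {"encrypted": [], "notes": [], "skipped": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() == NOTE_NAME:
                result["notes"].append(rel)
            elif is_excluded_path(rel):
                result["skipped"].append(rel)
            elif has_marker(full):
                result["encrypted"].append(rel)
    for key in result:
        result[key].sort()
    return result


def build_sample_tree(root: str) -> None:
    """Constructed sample data for the demo (hypothetical, not real victim files)."""
    samples = {
        "docs/report.docx": b"\x00\x11\x22" * 10 + MARKER,   # carries the trailer
        "docs/notes.txt": b"plain text, untouched",           # clean file
        "docs/read_me.txt": b"LOCK-ID: <placeholder>",        # ransom note
        "ProgramData/app/cache.bin": b"\x00" * 16 + MARKER,   # excluded directory
        "pics/thumbs.db": b"\x00" * 16 + MARKER,              # excluded filename
    }
    for rel, data in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo() -> dict:
    """Build the constructed tree in a temp directory, scan it, and return the result."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(category, paths)
```

The scanner reads only the last eight bytes of each file, so it is cheap enough to run across a full volume; files inside excluded paths are reported separately because the article indicates the ransomware leaves those alone, and a marker found there would be worth a closer look rather than being taken at face value.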


One strange thing that was noticed is that numerous victims who have been infected by DeathRansom were also infected by the STOP Ransomware.
This is seen in one Reddit post and numerous submissions to ID Ransomware where the victim uploads a DeathRansom ransom note and a STOP Djvu encrypted file as part of the same submission.
As STOP is only distributed through adware bundles and cracks, it is possible that DeathRansom is being distributed in a similar manner.


Source : Bleepingcomputer.com