DeathRansom Ransomware Can Actually Encrypt Files Now
DeathRansom ransomware was first reported in November 2019 but it was considered a joke until recently. According to cyber-security firm Fortinet [1,2], DeathRansom is now capable of encrypting files using a solid encryption scheme.
Previously, DeathRansom could only pretend to be ransomware without actually encrypting any users’ files. The initial versions would only add a file extension to all of the user’s files and send a ransom note demanding ransom money.
DeathRansom authors were just using it as a bait back then to trick victims into paying a ransom demand and the users would never realize that their files weren’t actually encrypted.
In fact, it was pretty simple to gain back access of the files. All they had to do was remove the second extension from any file.
New DeathRansom Strain Is Not A Joke Anymore
It seems that authors of DeathRansom continued working on the code and now the newer versions are working as actual ransomware.
Fortinet says that the new DeathRansom strains use a complex combination of “Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files.”
Security researchers are currently examining DeathRansom’s encryption scheme for implementation faults. But the ransomware appears to be using a solid encryption scheme.
And that’s not the only bad news. Apparently, DeathRansom is backed by a solid distribution campaign and spread via phishing email campaigns. Several users are falling victim to it on a daily basis for the past two months.