
DeathRansom ransomware evolves encrypting files, but experts identified its author

DeathRansom was considered fake ransomware due to the fact that it did not implement an effective encryption process, but now things are changing.

DeathRansom is a ransomware family that was initially classified as a joke because it did not implement an effective encryption scheme.

Researchers at Fortinet published an analysis showing that the threat has evolved: it is now capable of encrypting files using strong encryption.

The experts pointed out that the ransomware is distributed through an efficient campaign and has been infecting new victims on a daily basis for the past two months.

The DeathRansom ransomware was first spotted in November 2019, but at the time it was harmless code.

The first samples only appended a file extension to all of a user’s files without encrypting them, and they dropped a ransom note on the victims’ computers.

The malware attempted to trick the victims into thinking that their systems were infected with ransomware.

Now the DeathRansom code has evolved, and the latest versions effectively encrypt files using a combination of the Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm.

Experts from Fortinet also focused their investigation on the alleged author of the ransomware. The presence of certain strings in the DeathRansom source code and the analysis of the websites distributing the threat allowed the experts to link the ransomware to a malware operator who has been very active in recent years.

The operator was involved in campaigns distributing multiple password stealers, including Vidar, Azorult, Evrial, 1ms0rryStealer, and miners like SupremeMiner.

File names and paths observed in numerous campaigns conducted by the operator revealed a link to the scat01 and SoftEgorka nicknames, the vitasa01[@]yandex.ru email address, a Russian phone number, and the gameshack[.]ru website.

The researchers identified a series of profiles on Yandex.Market, YouTube, Skype, VK, Instagram, and Facebook that were linked to the Russian citizen Egor Nedugov, living in Aksay, a small Russian town near Rostov-on-Don.

“Once we searched for “scat01” and “vidar” on the Russian underground forums, we found a person with the same nickname providing a review (in Russian) of the Vidar stealer,” reads the report published by Fortinet.

“The name “Egor” corresponds to one of the underground nicknames, “SoftEgorka,” and the surname “Nedugov” corresponds to the Skype account “nedugov99”. According to the profile, this individual lives in Rostov-on-Don. Remember that the Yandex review made by scat01 was done from Aksay – a small town near Rostov-on-Don.”

Fortinet experts identified several online profiles used by the same actor, some of which were not included in their report.

According to the experts, the same individual was responsible for phishing attacks and scam attempts against his forum mates.

“According to information on underground forums, this person is responsible for account stealing, carding, malware distribution, and even the phishing and scamming of his forum mates. That is why nearly all his accounts on underground forums were eventually banned,” continues the report.

Currently, DeathRansom is being distributed via phishing campaigns.

“FortiGuard Labs established a significant connection between the ongoing DeathRansom and Vidar malware campaigns. They share the naming pattern and infrastructure used. We also found evidence that a Vidar sample tried to download the DeathRansom malware,” concludes the report.

“We believe that an actor with the nickname scat01 could be responsible for the latest DeathRansom attack, as well as other malicious attacks. We also found evidence of strong Russian roots in the malware being distributed. Based on the evidence left on Russian underground forums, we were able to find a person who seems likely to be behind these malicious campaigns.”

Additional technical details, including indicators of compromise (IoCs), are reported in the analysis published by Fortinet.


Pierluigi Paganini

(SecurityAffairs – DeathRansom ransomware, malware)
