DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.[1]

ID: S0616
Platforms: Windows
Version: 1.0
Created: 02 June 2021
Last Modified: 18 October 2021

Techniques Used

Domain ID Name Use

Enterprise T1071.001 Application Layer Protocol: Web Protocols

DEATHRANSOM can use HTTPS to download files.[1]

Enterprise T1486 Data Encrypted for Impact

DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment.[1]

Enterprise T1083 File and Directory Discovery

DEATHRANSOM can use loop operations to enumerate directories on a compromised host.[1]

Enterprise T1105 Ingress Tool Transfer

DEATHRANSOM can download files to a compromised host.[1]

Enterprise T1490 Inhibit System Recovery

DEATHRANSOM can delete volume shadow copies on compromised hosts.[1]

Enterprise T1135 Network Share Discovery

DEATHRANSOM has the ability to use loop operations to enumerate network resources.[1]

Enterprise T1082 System Information Discovery

DEATHRANSOM can enumerate logical drives on a target system.[1]

Enterprise T1614.001 System Location Discovery: System Language Discovery

Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian, or Tatar, DEATHRANSOM would exit.[1]

Enterprise T1047 Windows Management Instrumentation

DEATHRANSOM has the ability to use WMI to delete volume shadow copies.[1]