DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | DEATHRANSOM can use HTTPS to download files. |
| Enterprise | T1486 | Data Encrypted for Impact | DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment. |
| Enterprise | T1083 | File and Directory Discovery | DEATHRANSOM can use loop operations to enumerate directories on a compromised host. |
| Enterprise | T1105 | Ingress Tool Transfer | DEATHRANSOM can download files to a compromised host. |
| Enterprise | T1490 | Inhibit System Recovery | DEATHRANSOM can delete volume shadow copies on compromised hosts. |
| Enterprise | T1135 | Network Share Discovery | DEATHRANSOM has the ability to use loop operations to enumerate network resources. |
| Enterprise | T1082 | System Information Discovery | DEATHRANSOM can enumerate logical drives on a target system. |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar, DEATHRANSOM would exit. |
| Enterprise | T1047 | Windows Management Instrumentation | DEATHRANSOM has the ability to use WMI to delete volume shadow copies. |
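As an added defender-side example (not part of the ATT&CK entry), the following Python flags the shadow-copy deletion behaviour listed under T1490 and T1047 in constructed Sysmon-style process-creation records. The specific command lines it matches (wmic shadowcopy delete, Win32_ShadowCopy removal via PowerShell, vssadmin delete shadows) are assumed common variants of that behaviour, not commands the page attributes to DEATHRANSOM.

```python
import re

# Constructed Sysmon Event ID 1 style records (not real telemetry); the last one is benign.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    {"Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic logicaldisk get caption"},
]

# (regex over CommandLine, label) pairs; labels reference the ATT&CK IDs in the table above.
# The command-line variants are assumptions about typical tooling, not page-attributed commands.
RULES = [
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
     "T1047+T1490 wmic shadowcopy delete"),
    (re.compile(r"win32_shadowcopy.*(delete|remove-wmiobject|remove-ciminstance)", re.I),
     "T1047+T1490 WMI/CIM shadow copy removal via PowerShell"),
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
     "T1490 vssadmin delete shadows (non-WMI variant)"),
]


def classify(event):
    """Return the label of the first matching rule for one process-creation event, else None."""
    cmd = event.get("CommandLine", "")
    for pattern, label in RULES:
        if pattern.search(cmd):
            return label
    return None


def scan(events):
    """Return [(index, label)] for every event that matches a shadow-copy deletion rule."""
    hits = []
    for i, ev in enumerate(events):
        label = classify(ev)
        if label:
            hits.append((i, label))
    return hits


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label} <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

Any hit from a non-administrative parent process is worth treating as a pre-encryption indicator, since shadow copy removal typically precedes the T1486 file encryption listed above.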