DeathRansom Starting to Become Well-Known

DeathRansom, one of the newest ransomware variants, had a questionable start to its campaign, but researchers believe the ransomware is now capable of encrypting files on victims’ computers. Previously, the ransomware only pretended to encrypt the files on victims’ computers; it actually just renamed them. Victims merely had to remove the .wctc extension that was added to the files and they would become usable again. Around November 20th, the ransomware was seen properly encrypting the files on victims’ computers. At the same time, a surge appeared on ID Ransomware, a ransomware identification website. The surge is a sign that more samples of the ransomware were being uploaded to the website. The distribution method is not currently known, and the initial surge seems to have slowed, but there is still a steady trickle of new victims being found.
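A read-only triage of `.wctc` files, separating files that were only renamed from files whose content no longer matches their original type. This is an added example, not code from the original article; the signature table and the assumption that the original extension is still present before `.wctc` are assumptions, and the sample files are constructed.

```python
import tempfile
from pathlib import Path

# Leading bytes for a few common formats (assumed triage table, extend as needed).
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".docx": b"PK\x03\x04",
}
SUFFIX = ".wctc"  # extension named in the article


def classify(path):
    """Return 'renamed-only', 'content-changed' or 'unknown-type' for one .wctc file."""
    original_ext = Path(path.stem).suffix.lower()  # report.pdf.wctc -> .pdf
    if original_ext not in MAGIC:
        return "unknown-type"  # no signature to compare against
    with open(path, "rb") as fh:
        head = fh.read(16)
    return "renamed-only" if head.startswith(MAGIC[original_ext]) else "content-changed"


def triage(root):
    """Map every *.wctc file under root to its classification without modifying it."""
    return {p.name: classify(p) for p in sorted(Path(root).rglob("*" + SUFFIX))}


def restore_copy(path, out_dir):
    """Copy a renamed-only file to out_dir under its original name; the source stays intact."""
    if classify(path) != "renamed-only":
        raise ValueError(f"{path.name}: content does not match its original type")
    target = Path(out_dir) / path.stem
    target.write_bytes(path.read_bytes())
    return target


def build_sample(root):  # constructed sample files, not real victim data
    root = Path(root)
    (root / "report.pdf.wctc").write_bytes(b"%PDF-1.7\n% constructed sample\n")
    (root / "photo.png.wctc").write_bytes(bytes(range(200, 232)))  # header replaced
    (root / "notes.txt.wctc").write_bytes(b"plain text has no signature")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, verdict in triage(build_sample(d)).items():
            print(f"{verdict:16} {name}")
```

A `content-changed` verdict only shows that the header no longer matches; it does not by itself prove encryption, and restored copies should be written to separate storage so the affected files remain available for analysis.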

Analyst Notes

Many attempts to develop ransomware in the past have left the implementation incomplete or incorrect, giving victims the opportunity to recover files without paying the ransom. Other ransomware campaigns have been thwarted when researchers discovered decryption keys and made them publicly available. It is important for companies and individuals who have suffered a ransomware attack to obtain professional advice to determine whether files can be recovered. After the issue with DeathRansom was fixed, the actor likely distributed the ransomware en masse, trying to infect as many computers as quickly as possible. Although the actual distribution method is not known at this time, if it is via email, the steady trickle of victims still reporting could be due to people who did not open the email right away. Researchers believe that there is still an ongoing campaign to distribute this ransomware. Using a defense-in-depth strategy that includes not only firewalls and antivirus products, but also an endpoint detection and response (EDR) capability such as Binary Defense’s Vision Managed EDR, with skilled analysts to monitor for attacker behavior, is the best approach to find and stop these types of attacks before they can spread across a network, limiting the amount of data a threat actor would be able to steal or encrypt.
More details can be found here: https://www.bleepingcomputer.com/news/security/new-deathransom-ransomware-begins-to-make-a-name-for-itself/