Researchers have identified a surge of submissions related to the DeathRansom ransomware.
When it was first distributed, DeathRansom only pretended to encrypt files, and researchers discovered that they were able to remove the attached “.wctc” extension. More recently, however, files are actually being encrypted.
According to the ransomware identification site ID Ransomware, the figures have dwindled since the initial surge; however, there has been a growing number of new victims, indicating that an active campaign is in progress.
It remains unknown how the ransomware is being distributed. When DeathRansom is launched, it attempts to erase shadow volume copies. The ransomware then encrypts all files on the victim’s device.
“Unlike the previous non-encryption version, the working DeathRansom variants do not append an extension to encrypted files and they just retain their original name. The data in these files is encrypted,” explained BleepingComputer.
The only way to identify whether a file has been encrypted by DeathRansom is by the “ABEFCDAB” file marker appended to the end of the encrypted file.
For each folder that contains an encrypted file, a ransom note containing a unique “LOCK-ID” for the victim is created. It will include an email address to contact the threat actor.
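Because encrypted files keep their original names, a responder has to look at file contents to scope the damage. The following added example (not code from the original article or from any vendor tool) walks a directory tree and lists, per folder, the files that end with the marker. The article gives the marker only as “ABEFCDAB”, so the code assumes it may be either the four raw bytes AB EF CD AB or the eight ASCII characters and checks both; the function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Assumption: the page gives the marker only as "ABEFCDAB"; it may be the raw
# bytes AB EF CD AB or the ASCII text, so both encodings are checked.
MARKER_RAW = bytes.fromhex("ABEFCDAB")
MARKER_ASCII = b"ABEFCDAB"
TAIL_LEN = max(len(MARKER_RAW), len(MARKER_ASCII))


def tail_marker(path):
    """Return 'raw', 'ascii' or None depending on how the file ends."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            fh.seek(max(0, fh.tell() - TAIL_LEN))  # short files: start at 0
            tail = fh.read(TAIL_LEN)
    except OSError:
        return None  # unreadable or locked file: skip it
    if tail.endswith(MARKER_RAW):
        return "raw"
    if tail.endswith(MARKER_ASCII):
        return "ascii"
    return None


def scan(root):
    """Map each folder under root to the marked files it contains."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            kind = tail_marker(os.path.join(folder, name))
            if kind:
                hits.setdefault(folder, []).append((name, kind))
    return hits


def demo():
    """Scan constructed sample files written to a temporary directory."""
    samples = {"clean.txt": b"plain text", "tiny.bin": b"\xab",
               "docs/report.docx": b"\x00" * 64 + MARKER_RAW,
               "docs/notes.txt": b"data" + MARKER_ASCII}
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "docs"))
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        return {os.path.relpath(d, root): f for d, f in scan(root).items()}
```

A four-byte trailer can occur by chance in unrelated binary files, so treat a hit as a lead to confirm against the ransom note in the same folder rather than as proof of encryption.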
At the time of writing, it is not known whether the ransomware can be decrypted; however, it is currently being analysed.
The post #Privacy: DeathRansom ransomware has begun to infect victims appeared first on PrivSec Report.