DeathRansom is a ransomware family that was initially classified as a joke because it did not implement an effective encryption scheme.
Researchers at Fortinet published an analysis showing that the threat has evolved: it is now capable of encrypting files using strong encryption.
The experts pointed out that the ransomware is distributed in an efficient campaign and it
The DeathRansom ransomware was first spotted in November 2019, but at the time it was just harmless code.
The first samples only added a file extension to all of a user’s files, without encrypting them, and dropped a ransom note on the victims’ computers.
The malware attempted to trick the victims into thinking that their systems were infected with ransomware.
The DeathRansom code has since evolved, and the latest versions actually encrypt files using a combination of the Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm.
Experts from Fortinet also focused their investigation on the alleged author of the ransomware. The presence of certain strings in the DeathRansom source code, together with an analysis of the websites distributing the threat, allowed the experts to link the ransomware to a malware operator who has been very active in recent years.
The researchers identified a series of profiles on Yandex.Market, YouTube, Skype, VK, Instagram, and Facebook that were linked to the Russian citizen Egor Nedugov, living in Aksay, a small Russian town near Rostov-on-Don.
“Once we searched for “scat01” and “
“The name “Egor” corresponds to one of the underground nicknames, “SoftEgorka,” and the surname “Nedugov” corresponds to the Skype account “nedugov99”. According to the profile, this individual lives in Rostov-on-Don. Remember that the Yandex review made by scat01 was done from Aksay – a small town near Rostov-on-Don.”
Fortinet experts identified several online profiles used by the same actor, some of which were not included in their report.
According to the experts, the same individual was responsible for phishing attacks and scam attempts against his forum mates.
“According to information on underground forums, this person is responsible for account stealing, carding, malware distribution, and even the phishing and scamming of his forum mates. That is why nearly all his accounts on underground forums were eventually banned.” continues the report.
Currently, DeathRansom is being distributed via phishing campaigns.
“FortiGuard Labs established a significant connection between the ongoing DeathRansom and Vidar malware campaigns. They share the naming pattern and infrastructure used. We also found evidence that a Vidar sample tried to download the DeathRansom malware.” concludes the report.
“We believe that an actor with the nickname scat01 could b
Additional technical details, including indicators of compromise (IoCs), are reported in the analysis published by Fortinet.