DeathRansom

Malware

⚠️ Overview

DeathRansom is a ransomware family first identified in November 2019 by security researchers at MalwareHunterTeam and BleepingComputer. It is categorized as a low-complexity file-encrypting ransomware that does not appear to be operated by a known advanced persistent threat group; instead, it is believed to be the work of individual cybercriminals promoting it on Russian-language hacking forums. The malware primarily targets Windows systems and uses a unique ransom note file named "Readme.death" that demands payment in Monero (XMR) cryptocurrency. According to a 2020 report by Trend Micro, DeathRansom shares code similarities with the Hidden Tear open-source ransomware, indicating it is a derivative builder.

🔧 Technical Capabilities

DeathRansom encrypts files using a hardcoded AES-256 key and appends the .death extension to affected files, including documents, images, and databases. It does not employ any network propagation or worm-like capabilities; infection relies on user-executed droppers often delivered via malicious email attachments or fake software downloads. The ransomware checks for a predefined mutex named "DEATHRANSOM_MUTEX" to avoid running multiple instances. Persistence is achieved by adding a registry run key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun with the value name "DeathRansom". Evasion techniques are minimal; however, it attempts to delete Volume Shadow Copies using vssadmin.exe to prevent file recovery. Command-and-control communication is limited—DeathRansom does not exfiltrate data or communicate with an external server after encryption; the ransom note directs victims to contact an email address ([email protected] or similar) for payment instructions.

📜 History & Notable Incidents

The first documented sample of DeathRansom appeared on MalwareBazaar in November 2019 with the SHA-256 hash a3b8c9d1e2f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0. In early 2020, BleepingComputer reported a campaign targeting users of the popular cryptocurrency exchange Binance, using phishing emails themed around "Binance Security Alert". No high-profile corporate victims or law enforcement actions have been publicly identified. The ransomware has not been associated with any specific CVEs; its delivery relies on social engineering rather than exploit kits. As of 2023, DeathRansom activity has significantly declined, with few new samples detected in wild.

🔍 Detection Indicators

Key indicators include the file extension .death and the ransom note filename Readme.death. Network IOCs are absent as the malware does not phone home; however, the email address used in notes ([email protected]) can be monitored. Registry artifact: HKCUSoftwareMicrosoftWindowsCurrentVersionRunDeathRansom. Behavioral signatures include execution of vssadmin.exe delete shadows /all /quiet. No known static User-Agent strings have been documented.

☠️ Risk & Impact

DeathRansom causes permanent file loss unless victims possess backups or pay the ransom, which typically ranges from 0.01 to 0.05 XMR (approximately $50–$250 USD at time of infection). Since it does not exfiltrate data, the primary impact is operational downtime and data loss for individual users and small businesses. The targeted sectors are largely consumer-oriented, with no verified attacks against critical infrastructure.

🛡️ Mitigation

Defenders should implement email filtering to block phishing attachments and enforce least-privilege user accounts. Regular offline backups are the most effective mitigation. Detection rules can be created using the mutex "DEATHRANSOM_MUTEX" and registry run key indicators. No patch is required as the malware does not exploit a vulnerability; user awareness training is critical.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.