{"id":17332,"date":"2020-01-02T19:40:19","date_gmt":"2020-01-03T03:40:19","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2020\/01\/02\/news-11068\/"},"modified":"2020-01-02T19:40:19","modified_gmt":"2020-01-03T03:40:19","slug":"news-11068","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2020\/01\/02\/news-11068\/","title":{"rendered":"The Curious Case of DeathRansom: Part I"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\">\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i><b>A FortiGuard Labs Threat Analysis Report<\/b><\/i><\/p>\n<h2>Introduction<\/h2>\n<p>Ransomware is certainly a significant global threat. According to one recent <a href=\"https:\/\/safeatlast.co\/blog\/ransomware-statistics\/#gref\">report<\/a>, ransomware is estimated to have cost businesses more than $8 billion in 2018, up from just $1 billion in 2016, while this year alone losses for the healthcare industry have already reached $25 billion.<\/p>\n<p>Part of this increase is due to the rise of Ransomware as a Service, with variants such as GandCrab generating as much as $2 billion in revenue for its developers, and our observation in the <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/fortinet-q3-threat-landscape-report.html\">FortiGuard Labs Threat Landscape Report for Q3<\/a> that two additional ransomware families \u2013 Sodinokibi and Nemty \u2013 have now been deployed as RaaS solutions as well. Another part of the reason for this growth is that cybercriminals continue to develop new ransomware variants. 
This dramatic escalation of ransomware over the past few years is part of the reason why we here at FortiGuard Labs <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/looking-into-anatova-ransomware.html\">keep such close track<\/a> of it.<\/p>\n<p>And recently, our threat radar detected a new ransomware variant that we break down for you in this threat analysis, ominously called DeathRansom. In this analysis, we will first be looking at a version with a SHA256 sample of:<\/p>\n<p>7C2DBAD516D18D2C1C21ECC5792BC232F7B34DADC1BC19E967190D79174131D1<\/p>\n<p>Subsequent samples exhibit slightly different behaviors, as we describe later in our analysis.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_1422201956.img.png\/1576796022489\/deathransom-two.png\" alt=\"Figure 1. TimeDateStamp of the sample\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1. 
TimeDateStamp of the sample<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>As you can see, the <b>TimeDateStamp <\/b>of this sample is very new (Sat Nov 16 08:37:02 2019), so naturally, we decided to dig deeper and learn more.<\/p>\n<h2>The Workflow of the DeathRansom Ransomware<\/h2>\n<p>At a high level, this ransomware follows a sensible design: it scans and encrypts files on local and network drives.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--11 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_1229269136.img.png\/1576796051606\/deathransom-three.png\" alt=\"Figure 2. start()\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2. start()<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>It\u2019s clear that right off the bat (in <b>start()<\/b> ), that DeathRansom gets right to the business of being a ransomware: by enumerating and encrypting files. To enumerate network resources, the malware uses standard Windows APIs (<b>WNetOpenEnumW<\/b>, <b>WNetEnumResourceW<\/b> etc.)<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--10 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_1791585097.img.png\/1576796076263\/deathransom-four.png\" alt=\"Figure 3. 
Recursively Scanning Network Resources \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 3. Recursively Scanning Network Resources <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Inside this function (<b>processNetwork<\/b>), it recursively scans network resources until it hits a normal directory, at which point it processes it like a directory (<b>processDir<\/b>).<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--12 aem-GridColumn--offset--default--0\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_587903611.img.png\/1576796105140\/deathransom-five.png\" alt=\"Figure 4. processDir()\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 4. processDir()<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Just like <b>processNetwork,<\/b> <b>processDir<\/b> is also recursive. The difference is that it needs to perform some sanity checks to make sure that the item is indeed a folder (but not <b>\u201c.\u201d<\/b> or <b>\u201c..\u201d<\/b>), and further, that the item is not excluded (see <b>exclusion2<\/b>, below).\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image.img.png\/1576796198475\/deathransom-six.png\" alt=\"Figure 5. Exclusions\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 5. 
Exclusions<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We can see here that the malware author has made a number of reasonable choices, including:<\/p>\n<ul>\n<li>Excluding important Windows folders (Program Files, Windows, etc) to avoid rendering the system unusable<\/li>\n<li>When it comes to files, similar checks also occur.<\/li>\n<li>DeathRansom also avoids \u201cencrypting\u201d the systems files (ntuser.dat, etc)<\/li>\n<\/ul>\n<p>Certainly, this list is not comprehensive, but it does show that the author does have some skills and knowledge about system programming.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_989490801.img.png\/1576796224242\/deathransom-seven.png\" alt=\"Figure 6. \u201cEncrypting\u201d Files\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 6. \u201cEncrypting\u201d Files<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>An astute reader may have noticed that DeathRansom does <b>not<\/b> really encrypt file content. In this case, victims only have to rename the affected files (hint: remove the extension) to restore the system back to normal.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_938513709.img.png\/1576796252145\/deathransom-eight.png\" alt=\"Figure 7. 
Ransom Note \"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 7. Ransom Note <\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In spite of this, like almost all ransomware, DeathRansom still displays a ransom note called read_me.txt. In that note one can see clearly that the author calls the malware DEATHRANSOM. The email also informs its victims that they need to contact the culprits at <b>death@cxxxxxxver.me<\/b> and <b>death@fxxxxxxx.cc<\/b><\/p>\n<h2>Other Interesting Technical Details<\/h2>\n<p>When the malware launches, but before it begins \u201cencoding\u201d files, it performs some interesting checks about the languages used in the victim\u2019s system.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_1905354027.img.png\/1576796275204\/deathransom-nine.png\" alt=\"Figure 8. Language Checks\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 8. 
Language Checks<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>We can use the LangID values to look up the names of these languages from the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/intl\/language-identifier-constants-and-strings\">authoritative source<\/a> at Microsoft.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_375220309.img.png\/1576796298663\/deathransom-ten.png\" alt=\"Figure 9. Language Identifier Constants and Strings\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 9. Language Identifier Constants and Strings<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Interestingly, DeathRansom checks not just for one language but for several, and a clear pattern emerges: it avoids infecting systems in Eastern European countries.<\/p>\n<p>We also managed to extract some interesting information from an undocumented header (specifically, the <a href=\"https:\/\/www.ntcore.com\/files\/richsign.htm\">Rich Signature<\/a>):<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_1256140278.img.png\/1576796324041\/deathransom-ten.png\" alt=\"Figure 10. Rich Signature\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 10. 
Rich Signature<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Based on this information, we were able to figure out the product used to make this malware. Notice the following extra marks used in the descriptions:<\/p>\n<p style=\"margin-left: 40.0px;\">+ [ C ] &#8211; object files produced by C compiler<\/p>\n<p style=\"margin-left: 40.0px;\">+ [IMP] &#8211; DLL import record in library file<\/p>\n<p style=\"margin-left: 40.0px;\">+ [LNK] &#8211; files produced by a linker<\/p>\n<p style=\"margin-left: 40.0px;\">product id: 0x0083 = MSVS2008 [ C ]<\/p>\n<p style=\"margin-left: 40.0px;\">product id: 0x0004 = MSVS6 [LNK]<\/p>\n<p style=\"margin-left: 40.0px;\">product id: 0x000E = ?<\/p>\n<p style=\"margin-left: 40.0px;\">product id: 0x0093 = MSVS2008 [IMP]<\/p>\n<p style=\"margin-left: 40.0px;\">product id: 0x0001 Objects without @comp.id<\/p>\n<p style=\"margin-left: 40.0px;\">product id: 0x0109 = ?<\/p>\n<p style=\"margin-left: 40.0px;\">product id: 0x0102 = VS 2019 \/ 2017 \/ 2015 [LNK]<\/p>\n<p>It\u2019s interesting that a product from 1998 (e.g. MSVS6) is still being used to make malware.<\/p>\n<h2><b>New Version Encrypts Files<\/b><\/h2>\n<p>Recently, we found a new version of DeathRansom, and the primary change is that the malware now actually encrypts files. 
Our analysis is focused on a sample with the SHA256 hash of:<\/p>\n<p><i>ab828f0e0555f88e3005387cb523f221a1933bbd7db4f05902a1e5cc289e7ba4<\/i>.<\/p>\n<p>The new version of this ransomware uses a combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files.\u00a0<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn aem-GridColumn--default--12\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_1070718894.img.png\/1576796377925\/deathransom-twelve.png\" alt=\"Figure 11. Key generation and file encryption\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 11. Key generation and file encryption<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><b>Diffie-Hellman Key Exchange<\/b><\/p>\n<p style=\"margin-left: 40.0px;\">1. A random 32-byte value is generated using <i><a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/ntsecapi\/nf-ntsecapi-rtlgenrandom\">advapi32.SystemFunction036\u00a0<\/a><\/i>(the same as RtlGenRandom). This serves as the victim\u2019s curve25519 private key to the ECDH key exchange.<\/p>\n<p> 2. Using the <a href=\"https:\/\/cr.yp.to\/ecdh.html\">Curve25519<\/a> algorithm, the victim\u2019s Curve25519 public key is derived from the victim\u2019s Curve25519 private key. This is the main information needed by the attacker to eventually decrypt the victim\u2019s files. This is included in the registry \u201cHKCUSoftwareWacatacprivate\u201d as shown below. 
<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--7 aem-GridColumn--offset--default--2\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_565870397.img.png\/1576796413457\/deathransom-thirteen.png\" alt=\"Figure 12. Added Registries\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 12. Added Registries<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p style=\"margin-left: 40.0px;\">3. Using the Curve25519 algorithm, a shared secret key is derived from a 32-byte hardcoded value (the attacker\u2019s Curve25519 public key) and the previously generated victim\u2019s Curve25519 private key described in step 1.<\/p>\n<p style=\"margin-left: 40.0px;\">4. The SHA256 hash of the shared secret key is computed, which will be used later on.<\/p>\n<p><b>RSA Key Pair Generation<\/b><\/p>\n<p style=\"margin-left: 40.0px;\">5. An RSA-2048 key pair is generated<\/p>\n<p style=\"margin-left: 40.0px;\">6. The RSA-2048 private key is encrypted using Salsa20, with the secret key\u2019s SHA256 hash (from step 4, above) and then included in the registry file \u201cHKCUSoftwareWacatacprivate\u201d (see Fig 12).<\/p>\n<p style=\"margin-left: 40.0px;\">7. The RSA-2048 public key is written in the registry file \u201cHKCUSoftwareWacatacpublic\u201d (see Fig 12).<\/p>\n<p><b>File Encryption<\/b><\/p>\n<p style=\"margin-left: 40.0px;\">8. A random 32-byte value is generated using the advapi32.SystemFunction036, which is used as the AES-256 key. This is done for every file.<\/p>\n<p style=\"margin-left: 40.0px;\">9. 
A 16-byte hardcoded value is encrypted with AES-256 ECB, using the previously generated random value as the AES-256 key.<\/p>\n<p style=\"margin-left: 40.0px;\">10. The result from step 9 is then used as the key to a 16-byte block XOR operation with the content of the targeted file.<\/p>\n<p style=\"margin-left: 40.0px;\">11. Repeat steps 9 and 10 while incrementing the hard-coded value by 1 on each loop until it encrypts the whole file or until it encrypts 4 kilobytes (4096 bytes).<\/p>\n<p style=\"margin-left: 40.0px;\">12. The AES key (from step 8) is encrypted using the victim\u2019s RSA-2048 public key (generated in step 5).<\/p>\n<p style=\"margin-left: 40.0px;\">13. The encrypted AES key and the marker 0xABEFCDAB are then appended to the encrypted file.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--5 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_374860220.img.png\/1576796455972\/deathransom-fourteen.png\" alt=\"Figure 13. Encrypted file format\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 13. Encrypted file format<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Ultimately, for the victim files to be decrypted the shared secret must be generated. 
And for that, at least one of the following pairs is needed:<\/p>\n<ul>\n<li>The victim\u2019s curve25519 public key (which can be obtained from the registry or the ransom note) and the attacker\u2019s curve25519 private key (possessed by the attacker)<\/li>\n<li>The attacker\u2019s curve25519 public key (embedded in the binary) and the victim\u2019s curve25519 private key (lost after the malware\u2019s execution)<\/li>\n<\/ul>\n<p><i>NOTE: Further investigation of this ransomware\u2019s encryption behavior is underway to check for any implementation flaws. We will be releasing updates for any new findings.<\/i><\/p>\n<p>After encryption, it drops a ransom note in every directory. It includes a LOCK-ID that is unique for every user. This is the same data that can be found in the \u201cHKCUSoftwareWacatacprivate\u201d registry value, encoded in base64.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn--default--9 aem-GridColumn aem-GridColumn--offset--default--1\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_1910795942.img.png\/1576796535626\/deathransom-fifteen.png\" alt=\"Figure 14. New Ransom Note\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 14. New Ransom Note<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Aside from a connection to <i>hxxps:\/\/iplogger[.]org\/1Zqq77<\/i> to get the victim\u2019s public IP address, the ransomware does not have any other network communication. However, as we discussed in the previous section, to generate the shared secret key needed to decrypt the files the attacker must obtain the victim\u2019s curve25519 public key. 
This is why the instruction to the victim in the ransom note is for them to send the LOCK-ID through email.<\/p>\n<h2>Solution<\/h2>\n<p>Internal testing by FortiGuard Labs shows that all networks and devices being protected by FortiGate solutions running the latest updates were automatically protected from this malware. In addition:<\/p>\n<ul>\n<li>The FortiGuard Web Filtering service blocks hxxps:\/\/iplogger[.]org\/1Zqq77\n<\/li>\n<li>The FortiGuard Antivirus service detects the SHA 256 samples used in this analysis as the following:<\/li>\n<\/ul>\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a07C2DBAD516D18D2C1C21ECC5792BC232F7B34DADC1BC19E967190D79174131D1<\/p>\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8211; This is detected as W32\/Filecoder.B!tr.ransom<\/p>\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a013D263FB19D866BB929F45677A9DCBB683DF5E1FA2E1B856FDE905629366C5E1<\/p>\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0AB828F0E0555F88E3005387CB523F221A1933BBD7DB4F05902A1E5CC289E7BA4<\/p>\n<p>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0&#8211; These are detected as W32\/Kryptik.ANT!tr<\/p>\n<p>Finally, as part of our membership in the\u00a0<a href=\"https:\/\/www.cyberthreatalliance.org\/\">Cyber Threat Alliance<\/a>, details of this threat were shared in real time with other Alliance members to help create better protections for customers.<b><\/b><\/p>\n<h2>Conclusion<\/h2>\n<p>DeathRansom is a new malware. Naturally, things are moving fast. 
In our experience, a malware author changes the malware often over time to improve features or to avoid detection. In fact, after our initial assessment of the first version of DeathRansom we noticed a short article describing how DeathRansom had begun encrypting files, making them inaccessible. Our research confirmed that, indeed, the malware author has addressed the missing part of the initial release and DeathRansom has now become a \u201cproper\u201d ransomware.<\/p>\n<p>In a future analysis we will try to shed light on how DeathRansom can be associated with other attacks, and who may be behind the creation of this malicious program. Please stay tuned.<\/p>\n<p>In the meantime, FortiGuard Labs will keep monitoring the situation and keep everybody protected.<\/p>\n<p><i>The author would like to thank Artem Semenchenko, Rommel Joven and Joie Salvio for additional insights during the research process.<\/i><\/p>\n<h2>IOCs<\/h2>\n<p>Samples:<\/p>\n<p>7C2DBAD516D18D2C1C21ECC5792BC232F7B34DADC1BC19E967190D79174131D1<\/p>\n<p>13D263FB19D866BB929F45677A9DCBB683DF5E1FA2E1B856FDE905629366C5E1<\/p>\n<p>AB828F0E0555F88E3005387CB523F221A1933BBD7DB4F05902A1E5CC289E7BA4<\/p>\n<p>Network:<\/p>\n<p><i>hxxps:\/\/iplogger[.]org\/1Zqq77<\/i><\/p>\n<p><i>Learn more about\u00a0how\u00a0<a href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">FortiGuard Labs<\/a>\u00a0provides\u00a0unmatched security and intelligence services using integrated\u00a0<a href=\"https:\/\/twitter.com\/hashtag\/AI?src=hashtag_click\">AI<\/a>\u00a0systems.\u00a0Find out about\u00a0the FortiGuard Security Services\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions.html?utm_source=blog&amp;utm_campaign=2018-blog-security-services\">portfolio<\/a>\u00a0and s<a 
href=\"https:\/\/www.fortinet.com\/fortiguard\/threat-intelligence\/threat-research.html?utm_source=nreleaseblog&amp;utm_campaign=2018-q2-fortiguardlabs-cta\">ign up<\/a>\u00a0for our weekly FortiGuard Threat Brief.\u00a0<\/i><\/p>\n<p><i>Read about the FortiGuard\u00a0<a href=\"https:\/\/www.fortinet.com\/support-and-training\/support-services\/fortiguard-security-subscriptions\/security-rating.html?utm_source=blog&amp;utm_campaign=2018-blog-security-rating-service\">Security Rating Service<\/a>, which provides security audits and best practices\u00a0to guide customers in designing, implementing, and maintaining the security posture best suited for their\u00a0organization.<\/i>\u00a0<\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-qxx1b0gslklfu2kjckea-holder\"><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p><a href=\"http:\/\/feedproxy.google.com\/~r\/fortinet\/blog\/threat-research\/~3\/rNfW4y_VtUg\/death-ransom-new-strain-ransomware.html\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/death-ransom-new-strain-ransomware\/_jcr_content\/root\/responsivegrid\/image_1422201956.img.png\/1576796022489\/deathransom-two.png\"\/><br \/>Read FortiGuard Labs&#8217; analysis of a new strain of ransomware dubbed DeathRansom.&lt;img src=&#8221;http:\/\/feeds.feedburner.com\/~r\/fortinet\/blog\/threat-research\/~4\/rNfW4y_VtUg&#8221; height=&#8221;1&#8243; width=&#8221;1&#8243; 
alt=&#8221;&#8221;\/&gt;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-17332","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17332","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17332"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17332\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17332"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=17332"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17332"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}