DEATHRANSOM

Malware updated a month ago (2024-08-12T15:17:40.909Z)
**Executive Summary on DeathRansom Malware**

DeathRansom is a ransomware strain that emerged in October 2020; it encrypts files and demands ransom payments from victims. It has been linked to related ransomware families, including HelloKitty and FiveHands, which have targeted significant entities such as the Polish video game developer CD Projekt Red and VMware ESXi servers. The malware arrives through suspicious downloads or email attachments, infiltrating systems without user consent and holding critical data hostage.

Technical analysis shows that DeathRansom is primarily written in C, distinguishing it from HelloKitty and FiveHands, which are written in C++. All three variants share several features, such as symmetric encryption (AES) and directory exclusion lists that keep system-critical files from being encrypted. However, DeathRansom uniquely makes external HTTPS connections for additional payloads, while FiveHands uses a memory-only dropper that requires specific command-line arguments for decryption, showing an evolution in ransomware deployment strategies.

Since its identification, DeathRansom has shown a high level of sophistication and adaptability, with versions that alter file extensions and include functionality such as mutex checks and locale validation. Mandiant's observations indicate a persistent threat from this malware family, underscoring the need for robust defensive measures against ransomware targeting both individual users and large organizations.
Description last updated: 2024-08-12T14:39:50.275Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names / profiles you may also want to look at.

| ID | Votes | Profile Description |
| --- | --- | --- |
| FIVEHANDS | 2 | FiveHands, also known as HelloKitty, is a sophisticated form of malware that primarily targets financial institutions. It was first reported by Mandiant in April 2021 as part of a cyber threat posed by the UNC2447 group. The ransomware is typically delivered through Encryptor.exe, a loader that init |
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Analyst Notes & Discussion
Associated Malware
| ID | Type | Votes | Profile Description |
| --- | --- | --- | --- |
| HELLOKITTY | Unspecified | 2 | HelloKitty is a malicious software (malware) that has been designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operations, or even hold dat |
Source Document References
Information about the DEATHRANSOM malware was read from the document corpus below (display limited to 20 results).

| Source Link | Created At | Title |
| --- | --- | --- |
| CERT-EU | a year ago | HelloKitty ransomware source code exposed |
| MITRE | 2 years ago | UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat \| Mandiant |