The latest encryption scheme used by DeathRansom ransomware

A strain of ransomware known as DeathRansom, once considered a joke, is now able to encrypt files using a solid encryption scheme, cybersecurity firm Fortinet reported today.

To make matters worse, the ransomware has been backed by a strong distribution campaign and has been claiming new victims daily for the past two months.

The first versions of DeathRansom did not encrypt anything

The first DeathRansom infections were reported in November 2019. Initial versions of this ransomware were considered a joke: at that time, DeathRansom merely pretended to be ransomware without encrypting any of a user's files.

These early versions would append a file extension to all of a user's files and leave a ransom note on the user's computer asking for money.

All this was done in an attempt to trick victims into paying the ransom demand without realizing that their files had never been encrypted.

As reported at that time (1, 2), all a user had to do to recover access to their "encrypted" files was to remove the second extension from each file.

New version released with a solid encryption scheme

However, work on the DeathRansom code continued, and the newer versions now work as real ransomware.

According to Fortinet, the new DeathRansom strains use a complex combination of the "Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH), Salsa20, RSA-2048, AES-256 ECB key exchange scheme and a simple XOR block algorithm for encrypting files." (see image above)

While security researchers are still analyzing the DeathRansom encryption scheme for implementation flaws, the ransomware appears to be using a solid encryption scheme.

Fortinet tracks the author of DeathRansom

But Fortinet's research on DeathRansom was not limited to analyzing the code of this new malware. The researchers also looked for clues about the author of the ransomware.

By extracting strings from the DeathRansom code and examining the websites that distribute the ransomware payloads, the Fortinet team was able to link DeathRansom to a malware operator responsible for a wide range of cybercrime campaigns dating back years.

Fortinet said that before creating and distributing DeathRansom, this malware operator had spent his time infecting users with multiple password stealers (Vidar, Azorult, Evrial, 1ms0rryStealer) and cryptocurrency miners (SupremeMiner).

The author of DeathRansom seems to have spent years infecting users with malware, extracting usernames and passwords from their browsers, and selling the stolen credentials online, according to several ads Fortinet found on underground hacking forums.

These previous malware campaigns left a considerable trail of clues that Fortinet analysts collected. These include the nicknames scat01 and SoftEgorka, the email address vitasa01 (@) yandex.ru, a Russian phone number, and the gameshack (.) ru website (which appears to have been owned and operated by the author of DeathRansom rather than hacked).

Using these indicators, the researchers found profiles on Yandex.Market, YouTube, Skype, VK, Instagram and Facebook. All of them point to a young Russian named Egor Nedugov, who lives in Aksay, a small Russian town near Rostov-on-Don.

Earlier posts on hacking forums reveal that Nedugov, acting under the username Scat01, had published reviews of the malware strains he was using at the time, the same strains Fortinet later tracked and documented in its report, such as Vidar, Evrial and SupremeMiner.

In an extensive two-part report published today, Fortinet lists all of Nedugov's online accounts and the clear web of connections between them.

Fortinet said it is highly confident that it has identified the right man behind DeathRansom, and that it found even more online profiles belonging to the same actor that it did not include in its report.

In addition, the author of DeathRansom also appears to have broken one of the unwritten rules of the underground cybercrime scene by "phishing and scamming his fellow forum members."

"That's why almost all of his accounts on underground forums were eventually banned," Fortinet said.

Currently, DeathRansom is distributed through phishing email campaigns. The Fortinet report contains indicators of compromise that companies can load into their security products to prevent corporate systems from becoming infected. Fortinet also said it is still analyzing the ransomware's encryption scheme for possible weaknesses, which it hopes to use to create a free decryptor to help past victims.