Rewterz Threat Alert – DeathRansom Ransomware Encrypting Files – IoCs

Severity

High

Analysis Summary

DeathRansom has finally succeeded at encrypting files. At a high level, this ransomware follows a sensible design: it scans and encrypts files on local and network drives. To enumerate network resources, the malware uses standard Windows APIs (WNetOpenEnumW, WNetEnumResourceW, etc.). It recursively scans network resources until it reaches a normal directory, at which point it processes it like a local directory (processDir).
The following alterations have been made:

  • Important Windows folders (Program Files, Windows, etc.) are excluded to avoid rendering the system unusable.
  • Similar checks are applied to individual files.
  • DeathRansom also avoids encrypting system files (ntuser.dat, etc.).

The new version of this ransomware uses a combination of Curve25519 for the Elliptic Curve Diffie-Hellman (ECDH) key exchange, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files.

Impact

File encryption

Indicators of Compromise

Domain name

  • scat01[.]mcdir[.]ru
  • gameshack[.]ru
  • scat01[.]tk

MD5

  • a35596ed0bfb34de4e512a3225f8300a
  • 8ea78e5a123c13c3bda144d0fcf430c0
  • c50ab1df254c185506ab892dc5c8e24b
  • 6bf9bfc6253a598608a1ca7d0210689e
  • bde63acffd021580fe7c7f25243c9330
  • b7e323ac9390f0d81d18557fddaef4cf
  • c4964c9c2418d0a134130dab8f4cd1b8
  • 48f1200a88db21ca4a16dc908024f0f9
  • fdcdfc8eecff8eebd671cf934423710e
  • f9363e88fde74b43bd7da4528369d7e5
  • 886ee5834ae019a5c8bce4326b88cfb7
  • 38f52fac57482d77b960faff79f44474
  • 262fdac1291740ba9408d06da265dd9f
  • 4ba2e1d4cf7a86753f9f8174b3bc74c8
  • 74a30661098e0950ec845a54ad7059c6

SHA-256

  • 7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1
  • 13d263fb19d866bb929f45677a9dcbb683df5e1fa2e1b856fde905629366c5e1
  • ab828f0e0555f88e3005387cb523f221a1933bbd7db4f05902a1e5cc289e7ba4
  • dc9ff5148e26023cf7b6fb69cd97d6a68f78bb111dbf39039f41ed05e16708e4
  • 1e1fcb1bcc88576318c37409441fd754577b008f4678414b60a25710e10d4251
  • 4bc383a4daff74122b149238302c5892735282fa52cac25c9185347b07a8c94c
  • 05b762354678004f8654e6da38122e6308adf3998ee956566b8f5d313dc0e029
  • a45a75582c4ad564b9726664318f0cccb1000005d573e594b49e95869ef25284
  • 6247f283d916b1cf0c284f4c31ef659096536fe05b8b9d668edab1e1b9068762
  • 2b9c53b965c3621f1fa20e0ee9854115747047d136529b41872a10a511603df8
  • fedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8
  • 0cf124b2afc3010b72abdc2ad8d4114ff1423cce74776634db4ef6aaa08af915
  • f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b
  • 66ee3840a9722d3912b73e477d1a11fd0e5468769ba17e5e71873fd519e76def
  • e767706429351c9e639cfecaeb4cdca526889e4001fb0c25a832aec18e6d5e06

URL

  • hxxp://iplogger[.]org/1Zqq77
  • hxxps://iplogger[.]org/1Zqq77

Remediation

  • Block the threat indicators at their respective controls.
  • Do not download files attached in untrusted emails.
  • Do not download software from random sources on the internet.
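The first remediation step, blocking the published indicators at the respective controls, is easier when the list is machine-readable. The Python script below is an added example and is not Rewterz's tooling: it parses the advisory's defanged indicators (copied verbatim into the script), refangs the domains and URLs so they can be loaded into a DNS or proxy blocklist, and hashes every file under a directory to report any match against the listed MD5 and SHA-256 values. The directory scan is a plain hash match, so it only finds unmodified copies of the listed samples; the function names (`refang`, `scan_directory`, etc.) are my own.

```python
"""Added example: turn the advisory's IoC list into blocklist entries and a
hash-based directory check. Not part of the Rewterz advisory."""
import hashlib
import os
import re
import sys

# Indicators copied verbatim from the advisory above, defanged as published.
ADVISORY_IOC_TEXT = """
scat01[.]mcdir[.]ru
gameshack[.]ru
scat01[.]tk
hxxp://iplogger[.]org/1Zqq77
hxxps://iplogger[.]org/1Zqq77
a35596ed0bfb34de4e512a3225f8300a
8ea78e5a123c13c3bda144d0fcf430c0
c50ab1df254c185506ab892dc5c8e24b
6bf9bfc6253a598608a1ca7d0210689e
bde63acffd021580fe7c7f25243c9330
b7e323ac9390f0d81d18557fddaef4cf
c4964c9c2418d0a134130dab8f4cd1b8
48f1200a88db21ca4a16dc908024f0f9
fdcdfc8eecff8eebd671cf934423710e
f9363e88fde74b43bd7da4528369d7e5
886ee5834ae019a5c8bce4326b88cfb7
38f52fac57482d77b960faff79f44474
262fdac1291740ba9408d06da265dd9f
4ba2e1d4cf7a86753f9f8174b3bc74c8
74a30661098e0950ec845a54ad7059c6
7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1
13d263fb19d866bb929f45677a9dcbb683df5e1fa2e1b856fde905629366c5e1
ab828f0e0555f88e3005387cb523f221a1933bbd7db4f05902a1e5cc289e7ba4
dc9ff5148e26023cf7b6fb69cd97d6a68f78bb111dbf39039f41ed05e16708e4
1e1fcb1bcc88576318c37409441fd754577b008f4678414b60a25710e10d4251
4bc383a4daff74122b149238302c5892735282fa52cac25c9185347b07a8c94c
05b762354678004f8654e6da38122e6308adf3998ee956566b8f5d313dc0e029
a45a75582c4ad564b9726664318f0cccb1000005d573e594b49e95869ef25284
6247f283d916b1cf0c284f4c31ef659096536fe05b8b9d668edab1e1b9068762
2b9c53b965c3621f1fa20e0ee9854115747047d136529b41872a10a511603df8
fedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8
0cf124b2afc3010b72abdc2ad8d4114ff1423cce74776634db4ef6aaa08af915
f78a743813ab1d4eee378990f3472628ed61532e899503cc9371423307de3d8b
66ee3840a9722d3912b73e477d1a11fd0e5468769ba17e5e71873fd519e76def
e767706429351c9e639cfecaeb4cdca526889e4001fb0c25a832aec18e6d5e06
"""

# \b keeps a 32-hex run inside a 64-hex digest from being picked up as an MD5.
HEX32 = re.compile(r"\b[0-9a-f]{32}\b", re.IGNORECASE)
HEX64 = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)


def extract_hashes(text):
    """Return (md5_set, sha256_set), lower-cased, from free-form IoC text."""
    md5s = {m.lower() for m in HEX32.findall(text)}
    sha256s = {m.lower() for m in HEX64.findall(text)}
    return md5s, sha256s


def refang(indicator):
    """Undo the common defanging conventions (hxxp, [.], (.), [:])."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def extract_network_indicators(text):
    """Return (domains, urls) in refanged form; URL hosts are added to domains."""
    domains, urls = set(), set()
    for line in text.splitlines():
        line = line.strip()
        if "[.]" not in line:  # only defanged network indicators carry [.]
            continue
        clean = refang(line)
        if clean.lower().startswith(("http://", "https://")):
            urls.add(clean)
            domains.add(clean.split("://", 1)[1].split("/", 1)[0])
        else:
            domains.add(clean)
    return domains, urls


def hash_file(path, chunk=1 << 20):
    """Compute MD5 and SHA-256 of a file in one pass, reading in 1 MiB chunks."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def scan_directory(root, md5_set, sha256_set):
    """Walk root and return [(path, algorithm, digest)] for every hash match."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                md5, sha = hash_file(path)
            except OSError:  # unreadable or vanished file: skip, keep scanning
                continue
            if md5 in md5_set:
                hits.append((path, "md5", md5))
            if sha in sha256_set:
                hits.append((path, "sha256", sha))
    return hits


if __name__ == "__main__":
    domains, urls = extract_network_indicators(ADVISORY_IOC_TEXT)
    print("Block domains:", sorted(domains))
    print("Block URLs:", sorted(urls))
    md5s, sha256s = extract_hashes(ADVISORY_IOC_TEXT)
    for path, algo, digest in scan_directory(sys.argv[1] if len(sys.argv) > 1 else ".", md5s, sha256s):
        print(f"MATCH {algo} {digest} {path}")
```

Run it as `python ioc_check.py /path/to/scan`; it prints the refanged blocklist first, then one `MATCH` line per file whose digest appears in the advisory. Hashing is done in a single pass per file so large shares are not read twice, and unreadable files are skipped rather than aborting the sweep.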