DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | DEATHRANSOM has the ability to use WMI to delete volume shadow copies.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | DEATHRANSOM can use HTTPS to download files.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment.[1] |
| Enterprise | T1083 | File and Directory Discovery | DEATHRANSOM can use loop operations to enumerate directories on a compromised host.[1] |
| Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar, DEATHRANSOM would exit.[1] |
| Enterprise | T1082 | System Information Discovery | DEATHRANSOM can enumerate logical drives on a target system.[1] |
| Enterprise | T1490 | Inhibit System Recovery | DEATHRANSOM can delete volume shadow copies on compromised hosts.[1] |
| Enterprise | T1135 | Network Share Discovery | DEATHRANSOM has the ability to use loop operations to enumerate network resources.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | DEATHRANSOM can download files to a compromised host.[1] |