What is DeathRansom?
DeathRansom (S0616) is a ransomware strain that operates as a Ransomware-as-a-Service (RaaS). When it appeared in 2019, it was "scareware" that renamed files but did not encrypt them.
That changed quickly: it evolved into a functional threat that now uses the Salsa20 algorithm to encrypt data. It also targets recovery options by deleting Volume Shadow Copies, so that victims cannot restore data without paying. It typically spreads through social engineering or by exploiting weak remote access credentials.
How to Defend Against DeathRansom?
Defending against DeathRansom requires a combination of strict access controls, data redundancy, and network monitoring.
- Maintain offline backups of critical data. Since DeathRansom targets local shadow copies, offline backups are your only reliable recovery method.
- Secure Remote Desktop Protocol (RDP) ports. Brute-forcing weak RDP credentials is a common entry point. Lock them down.
- Deploy endpoint detection. Identify the ransomware payload immediately. Stop the process before it deletes shadow copies.
- Use network detection and response (NDR). Spot and block the initial payload download. Detect Command and Control (C2) beacons before encryption begins.
- Integrate threat intelligence. Stay updated on the latest Indicators of Compromise (IoCs) from DeathRansom affiliates.
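One way to implement the "stop the process before it deletes shadow copies" control above, as an added example that is not from the original article: a small Python detector run over constructed process-creation events. The event field names and sample command lines are assumptions; the patterns cover the built-in Windows interfaces for deleting shadow copies in general, not anything the article attributes to DeathRansom specifically.

```python
"""Flag process-creation events whose command line removes Volume Shadow Copies.

Added example, not part of the original article. The events below are constructed
sample records in the shape of endpoint process-creation telemetry.
"""
import re
from dataclasses import dataclass

# Built-in Windows ways of deleting shadow copies (MITRE ATT&CK T1490, Inhibit System
# Recovery). The article does not say which of these DeathRansom uses, so a detection
# should cover all of them rather than key on a single binary name.
SHADOW_DELETE_PATTERNS = [
    ("vssadmin delete shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("wmic shadowcopy delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("powershell Win32_ShadowCopy delete",
     re.compile(r"\bWin32_ShadowCopy\b.*\b(Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I)),
]


@dataclass
class Alert:
    pid: int
    image: str
    technique: str


def scan_events(events):
    """Return one Alert per event whose command line matches a shadow-copy deletion."""
    alerts = []
    for ev in events:
        for name, pattern in SHADOW_DELETE_PATTERNS:
            if pattern.search(ev["command_line"]):
                alerts.append(Alert(ev["pid"], ev["image"], name))
                break  # one alert per process; the responder acts on the PID
    return alerts


# Constructed sample telemetry: three deletion attempts, one benign query, one unrelated process.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin.exe delete shadows /all /quiet"},
    {"pid": 4121, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": "wmic shadowcopy delete /nointeractive"},
    {"pid": 4122, "image": r"C:\Windows\System32\vssadmin.exe",
     "command_line": "vssadmin list shadows"},  # legitimate admin query, must not alert
    {"pid": 4123, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"pid": 4124, "image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe"},
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(f"ALERT pid={alert.pid} technique={alert.technique} image={alert.image}")
```

In a real deployment the same matching would run on EDR or Sysmon process-creation events, with the alert wired to an automatic process kill or host isolation, since the window between the deletion command and encryption is short.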