S0616 DEATHRANSOM
DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.[1]
| Item | Value |
|---|---|
| ID | S0616 |
| Associated Names | (none) |
| Type | MALWARE |
| Version | 1.0 |
| Created | 02 June 2021 |
| Last Modified | 18 October 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071 | Application Layer Protocol | - |
| Enterprise | T1071.001 | Web Protocols | DEATHRANSOM can use HTTPS to download files.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment.[1] |
| Enterprise | T1083 | File and Directory Discovery | DEATHRANSOM can use loop operations to enumerate directories on a compromised host.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | DEATHRANSOM can download files to a compromised host.[1] |
| Enterprise | T1490 | Inhibit System Recovery | DEATHRANSOM can delete volume shadow copies on compromised hosts.[1] |
| Enterprise | T1135 | Network Share Discovery | DEATHRANSOM has the ability to use loop operations to enumerate network resources.[1] |
| Enterprise | T1082 | System Information Discovery | DEATHRANSOM can enumerate logical drives on a target system.[1] |
| Enterprise | T1614 | System Location Discovery | - |
| Enterprise | T1614.001 | System Language Discovery | Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar, DEATHRANSOM would exit.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | DEATHRANSOM has the ability to use WMI to delete volume shadow copies.[1] |