Skip to content


DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.1

Item Value
ID S0616
Associated Names
Version 1.0
Created 02 June 2021
Last Modified 18 October 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols DEATHRANSOM can use HTTPS to download files.1
enterprise T1486 Data Encrypted for Impact DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment.1
enterprise T1083 File and Directory Discovery DEATHRANSOM can use loop operations to enumerate directories on a compromised host.1
enterprise T1105 Ingress Tool Transfer DEATHRANSOM can download files to a compromised host.1
enterprise T1490 Inhibit System Recovery DEATHRANSOM can delete volume shadow copies on compromised hosts.1
enterprise T1135 Network Share Discovery DEATHRANSOM has the ability to use loop operations to enumerate network resources.1
enterprise T1082 System Information Discovery DEATHRANSOM can enumerate logical drives on a target system.1
enterprise T1614 System Location Discovery -
enterprise T1614.001 System Language Discovery Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar DEATHRANSOM would exit.1
enterprise T1047 Windows Management Instrumentation DEATHRANSOM has the ability to use WMI to delete volume shadow copies.1