Latest ransomware known as DeathRansom began with a shaky beginning, but has solved the issues now, starting to infect victims and encrypting their files. Latest DeathRansom Ransomware starts to name itself.

Once DeathRansom was first released, it counterfeit to encrypt files, but researchers and users discovered that they could just delete the appended .wctc extension and the files would become available again.

Nonetheless, everything shifted from around November 20, 2019. Not only were the documents of the user potentially being compromised, but on the ransomware tracking page, ID Ransomware, there was a spike submissions linked to DeathRansom.


As explained by Fortinet, there is a new version of DeathRansom , and the primary change is that the malware now actually encrypts files. The new version of this ransomware uses a combination of Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 ECB, and a simple block XOR algorithm to encrypt files.

DeathRansom the latest Discovered Ransomware


While the figures have decreased since that initial surge, we still see a steady trickle of new victims, which indicates that a successful delivery program is most likely going on. Unfortunately, we haven't discovered how this Ransomware is being spread.

What we do learn

Unlike the previous non-encryption worm, the operating DeathRansom versions do not append an extension for encrypted files and instead maintain their original name. The data in those files is encrypted. Encrypted data, The only way to identify that the data is encrypted by DeathRansom is to use the ABEFCDAB document label appended to the end of encrypted files.

In every directory where a file is infected, ransomware can generate a ransom note called readme.txt which includes a special "LOCK-ID" for the user and an email address to contact the ransomware author or associate. DeathRansom is still being examined and it is not clear whether it can be decrypted at this point.


One strange thing that has been found is that several people who have been infected with DeathRansom have also been infected with STOP Ransomware. This is shown in one Reddit article and many posts to ID-Ransomware where a ransom note and an encoded folder of STOP Dejavu were submitted by the user as part of the same submission.

As STOP Ransomware is only spread through adware bundles and cracks, it is possible the DeathRansom may be transmission somehow in same way.