{
	"id": "6aa1ac8b-bb97-4074-9001-c244b603e081",
	"created_at": "2026-04-06T00:12:38.474367Z",
	"updated_at": "2026-04-10T13:12:04.904348Z",
	"deleted_at": null,
	"sha1_hash": "2d3411628664806e4c644ffa3c62139f43c7e98c",
	"title": "Quick and painless - reversing deathransom /",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 682496,
	"plain_text": "Quick and painless - reversing deathransom /\r\nBy f0wL\r\nPublished: 2019-11-19 · Archived: 2026-04-05 15:26:13 UTC\r\nTue 19 November 2019 in Ransomware\r\nNo flashy wallpapers or other bells and whistles, but if you aren't careful and don't maintain backups as you should, DeathRansom will take your data with it to its grave. Or will it?\r\nA general disclaimer as always: downloading and running the samples linked below will lead to the encryption of your personal data, so be f$cking careful. Also check with your local laws, as owning malware binaries/sources might be illegal depending on where you live.\r\nDeathRansom @ AnyRun | VirusTotal | HybridAnalysis --\u003e sha256\r\n3a5b015655f3aad4b4fd647aa34fda4ce784d75a20d12a73f8dc0e0d866e7e01\r\nThe plain text note doesn't look that special. I'll be referring to this strain as Deathransom, since the Wacatac Trojan doesn't seem to be affiliated with the sample.\r\nhttps://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html\r\nPage 1 of 9\r\nThe \"Wacatac\" registry keys are most likely an attempt at a false flag maneuver. The ransomware sets three registry keys in total: the main key HKEY_CURRENT_USER\\SOFTWARE\\Wacatac and two subkeys called private and public. The hex value set in \"private\" actually corresponds to the Lock ID referenced in the ransom note. Analysing the encryption loop will probably reveal the relation between these values, so I'll keep going.\r\nSomewhat of a rare occurrence, but Deathransom will actually take out the trash for you by clearing the recycle bin.\r\nGenerally this sample seems to be very limited in features, but let's see how they implemented the encryption routine. Looking for CreateFileW we can see that it appends the .wctc extension to the name of the current file. But where's the encryption happening? Either they hid it very well or they just plainly forgot about it 🤔\r\nLet's just fire up a VM and see what happens to the files after the encryption takes place so we have a better idea of what to look for. I got no UAC prompt upon running the sample and the ransom process seemed a bit fast. Checking out the sample files we can see what actually happened:\r\nExactly, nothing. I don't want to jump to conclusions here, but this strain might still be in the testing stage or is just a plain hoax. Regardless, it is still possible that another variant turns up that will actually encrypt the files.\r\nUpdate 25.11.2019:\r\nAs predicted, there is another version of the ransomware available now, and it seems to do its job a lot more thoroughly than its predecessor. The new build doesn't seem to append a new suffix to the file, and the ransom note has been adapted slightly: it now features a Bitcoin wallet address and a new e-mail contact.\r\nDeathRansom V2 @ AnyRun --\u003e sha256\r\nfedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8\r\nEntropy-wise the sample doesn't seem to be packed, nor are there any weird sections or paddings. Compiler and linker versions point towards Visual Studio 2013 being used by the creators.\r\nLooking at the packets captured during the dynamic analysis we notice a DNS request plus TCP traffic to iplogger[.]org which was not present in the first version of the ransomware. Looks like the criminals are trying to track infections over time.\r\nAccording to Blockchain.com the Bitcoin wallet mentioned in the V2 ransom note doesn't have any transactions on it as of the 30th of November, which is really good news :)\r\nIOCs\r\nDeathRansom\r\ndeathransom.exe --\u003e SHA256: 7c2dbad516d18d2c1c21ecc5792bc232f7b34dadc1bc19e967190d79174131d1\r\n SSDEEP: 1536:gZVYb2bbBisyEcPC00h7sBvvKk+jTc7+T8l7RJV62CzVDL+oWB27evMCUQ:EV+GiVEc6\r\nfyukfuyk.exe --\u003e SHA256: ab828f0e0555f88e3005387cb523f221a1933bbd7db4f05902a1e5cc289e7ba4\r\n SSDEEP: 6144:f849/IB5jZozuL1itPJAOsF0l+t5Dn0ChC:f8kIB5jZyNVJWF0AHDC\r\n2p1km7pr6l.exe --\u003e SHA256: fedb4c3b0e080fb86796189ccc77f99b04adb105d322bddd3abfca2d5c5d43c8\r\n SSDEEP: 3072:ou1DaA5w1KmC5RjPquqavANItF2rv8ojAjAD5m9:Kb6Lq8wHUoe\r\nE-Mail Addresses\r\ndeath@firemail[.]cc\r\ndeath@cumallover[.]me\r\ndeathransom@airmail[.]cc\r\nRegistry Keys\r\nHKEY_CURRENT_USER\\SOFTWARE\\Wacatac\r\nHKEY_CURRENT_USER\\SOFTWARE\\Wacatac\\public\r\nFA DE 13 AA 52 43 DF 85 B2 62 A5 88 1D 17 D0 59 99 BF 6B 69 5F 71 1C 76 D4 4A 36 86 B6 47 CA D4 A2\r\nHKEY_CURRENT_USER\\SOFTWARE\\Wacatac\\private\r\n03 F0 D6 A3 0B D6 45 0A EF 50 65 59 2F 55 95 C7 3D C9 5F C1 FC 04 69 68 32 47 74 BD F9 72 43 13 4D\r\nRansomnote Version 1\r\n --= DEATHRANSOM =---\r\n***********************UNDER NO CIRCUMSTANCES DO NOT DELETE THIS FILE, UNTIL ALL YOUR DATA IS RECOVER\r\n *****FAILING TO DO SO, WILL RESULT IN YOUR SYSTEM CORRUPTION, IF THERE ARE DECRYPTION ERRORS*****\r\nAll your files, documents, photos, databases and other important\r\nfiles are encrypted.\r\nYou are not able to decrypt it by yourself! The only method\r\nof recovering files is to purchase an unique private key.\r\nOnly we can give you this key and only we can recover your files.\r\nTo be sure we have the decryptor and it works you can send an\r\nemail death@firemail.cc and decrypt one file for free. But this\r\nfile should be of not valuable!\r\nDo you really want to restore your files?\r\nWrite to email\r\n death@cumallover[.]me\r\n death@firemail[.]cc\r\nYour LOCK-ID: [Redacted Base64]\r\n\u003e\u003e\u003eHow to obtain bitcoin:\r\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', an\r\nhxxps://localbitcoins[.]com/buy_bitcoins\r\nAlso you can find other places to buy Bitcoins and beginners guide here:\r\nhxxp://www.coindesk[.]com/information/how-can-i-buy-bitcoins/\r\n\u003e\u003e\u003e Free decryption as guarantee!\r\nBefore paying you send us up to 1 file for free decryption.\r\nWe recommeded to send pictures, text files, sheets, etc. (files no more than 1mb)\r\nIN ORDER TO PREVENT DATA DAMAGE:\r\n1. Do not rename encrypted files.\r\n2. Do not try to decrypt your data using third party software, it may cause permanent data loss.\r\n3. Decryption of your files with the help of third parties may cause increased price (they add their\r\nour) or you can become a victim of a scam.\r\nRansomnote Version 2\r\n?????????????????????????\r\n??????DEATHRansom ???????\r\n?????????????????????????\r\nHello dear friend,\r\nYour files were encrypted!\r\nYou have only 12 hours to decrypt it\r\nIn case of no answer our team will delete your decryption password\r\nWrite back to our e-mail: deathransom@airmail[.]cc\r\nIn your message you have to write:\r\n1. YOU LOCK-ID: PUmZiYT3OkC9IpVXHpZFOFzZ5Y7+dLuV9cYUSZ30UyPLeMPEPO4TZ79CCCbiTpSltqKKBv3oFqgH0O6lyre7h\r\n2. Time when you have paid 0.1 btc to this bitcoin wallet:\r\n1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N\r\nAfter payment our team will decrypt your files immediatly\r\nFree decryption as guarantee:\r\n1. File must be less than 1MB\r\n2. Only .txt or .lnk files, no databases\r\n3. Only 1 files\r\nHow to obtain bitcoin:\r\nThe easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', an\r\nhxxps://localbitcoins[.]com/buy_bitcoins\r\nAlso you can find other places to buy Bitcoins and beginners guide here:\r\nhxxp://www.coindesk[.]com/information/how-can-i-buy-bitcoins/\r\nGallows icon made by Freepik from www.flaticon.com\r\nSource: https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html"
	],
	"report_names": [
		"quick-and-painless-reversing-deathransom-wacatac.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434358,
	"ts_updated_at": 1775826724,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2d3411628664806e4c644ffa3c62139f43c7e98c.pdf",
		"text": "https://archive.orkl.eu/2d3411628664806e4c644ffa3c62139f43c7e98c.txt",
		"img": "https://archive.orkl.eu/2d3411628664806e4c644ffa3c62139f43c7e98c.jpg"
	}
}