DeathRansom Ransomware – Community Resource v1.1
compiled by the SOC-CERT Ransomware Research Group
Technical Breakdown
1. File Extension & Renaming Patterns
- Confirmed Extension: .wctc (initial variants appended .deathransom in late 2021 but migrated to .wctc by early 2022).
- Renaming Convention: the victim filename Invoice_Oct_2024.xlsx becomes Invoice_Oct_2024.xlsx.id-[XXXXXXX].wctc, where the ID block is an 8-character hexadecimal string derived from the system volume serial number. A secondary marker file RECOVER-FILES-[XXXXXXX].txt is dropped in every folder that contains encrypted data.
2. Detection & Outbreak Timeline
- First Noticed: November 15, 2019 – small campaigns in Eastern Europe.
- Large-Scale Spread: January-March 2022 following source-code leak on underground forums; significant uptick June-August 2022 when the “WCTC” branch integrated the GoCTC packager.
- Last Major Update: June 2023 (Go 1.20 re-compile with extra obfuscation layers).
3. Primary Attack Vectors
- RDP Brute-Force or Credential Stuffing – default or weak passwords, especially on port 3389 exposed to the Internet.
- Exploitation Suite:
  – EternalBlue (MS17-010) for lateral movement inside unsegmented LANs.
  – PrintNightmare (CVE-2021-34527) if domain controllers are unpatched.
  – Log4Shell (CVE-2021-44228) for Java web apps.
- Email Phishing – ISO/IMG attachments that mount a hidden LNK running a PowerShell loader (start.ps1).
- Cracked Software Bundles – fake Windows activators, pirated CAD tools, “free” game mods on Discord & Telegram channels.
Remediation & Recovery Strategies
1. Prevention
- Group Policy hardening – enforce Network Level Authentication (NLA) & account lockout (5 failed logins = 60-minute lockout).
- Regular patching cadence: push MS17-010 mitigation plus all 2021–2023 “Critical” WSUS patches using ConfigMgr or WSUS.
- Segment key servers – isolate DCs, backup repositories, and SAN management networks via VLANs/firewalls.
- Disable macro execution from Internet zones via Office ADMX and set PowerShell execution policy to RemoteSigned.
- Deploy modern AV/EDR with behavioral detection that blocks process hollowing and .wctc-signature writes (the Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion” does this well).
- Offline/immutable backups – follow the 3-2-1 rule with at least one copy on object-locked S3 or tape with WORM retention.
2. Removal
- Isolate the host – pull network cable / disable Wi-Fi / enforce NAC quarantine.
- Boot to Safe Mode with Networking or use Defender Offline standalone USB scan.
- Kill malicious processes – usually wctcsvc.exe, runhelper.exe, or any unsigned .lnk → PowerShell chain.
- Delete persistence keys:
  – HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run → WCTCService
  – HKCU\…\Run → RansomHelper
- Use the vendor-specific scanner/remediation playbook (links in the “Tools” section below) to remove the ChaChi v2 back-door beacon.
- Rebuild, rather than clean up, confirmed-infected servers and domain-joined machines to eliminate residual footholds.
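An added host-hunting script, not part of this resource, that checks an exported autorun and process inventory for the persistence values and process names listed in the Removal steps above and says whether the host should go into quarantine. Only the Run-key value names (WCTCService, RansomHelper), the process names (wctcsvc.exe, runhelper.exe) and the start.ps1 loader come from the page; the full HKCU Run path, the record shapes and the sample inventory are assumptions constructed for the demonstration.

```python
"""Hunt a host inventory for the DeathRansom/WCTC persistence and process
indicators listed in the Removal section.

Added example, not part of the original resource. Value names, process
names and start.ps1 come from the page; the full HKCU Run path, the record
shapes and the sample inventory below are assumptions/constructed data.
"""
import re
import sys
from dataclasses import dataclass

RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",  # assumed full path
)
IOC_VALUE_NAMES = {"wctcservice", "ransomhelper"}
IOC_PROCESS_NAMES = {"wctcsvc.exe", "runhelper.exe"}
# PowerShell launched from an LNK or running the start.ps1 loader
LOADER_RE = re.compile(r"\.lnk\b|\bstart\.ps1\b", re.IGNORECASE)


@dataclass
class AutorunEntry:
    key: str    # registry key path
    name: str   # value name
    data: str   # command stored in the value


@dataclass
class Process:
    pid: int
    name: str
    parent_name: str
    cmdline: str
    signed: bool  # Authenticode status of the image, as reported by the collector


def hunt_autoruns(entries):
    """Return Run-key entries whose value name matches a known IOC."""
    wanted = {k.lower() for k in RUN_KEYS}
    return [e for e in entries
            if e.key.lower() in wanted and e.name.lower() in IOC_VALUE_NAMES]


def hunt_processes(procs):
    """Return (reason, process) pairs for IOC images and loader chains."""
    hits = []
    for p in procs:
        name = p.name.lower()
        if name in IOC_PROCESS_NAMES:
            hits.append(("ioc-process", p))
        elif name in {"powershell.exe", "pwsh.exe"} and LOADER_RE.search(p.cmdline):
            hits.append(("lnk-powershell-chain", p))
        elif not p.signed and name.endswith(".exe"):
            hits.append(("unsigned-image", p))  # lower confidence, review manually
    return hits


def triage_host(entries, procs):
    """Combine both hunts; isolation is recommended on any high-confidence hit."""
    autorun_hits = hunt_autoruns(entries)
    process_hits = hunt_processes(procs)
    high = [h for h in process_hits if h[0] != "unsigned-image"]
    return {"autoruns": autorun_hits, "processes": process_hits,
            "needs_isolation": bool(autorun_hits or high)}


def collect_autoruns_windows():
    """Live collection on a Windows host (assumes read access to both hives).
    Returns an empty list elsewhere so the hunt stays usable offline."""
    if sys.platform != "win32":
        return []
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for key_path in RUN_KEYS:
        hive, sub = key_path.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(k, i)
                    except OSError:
                        break
                    found.append(AutorunEntry(key_path, name, str(data)))
                    i += 1
        except OSError:
            continue
    return found


# Constructed sample inventory (not real telemetry).
SAMPLE_AUTORUNS = [
    AutorunEntry(RUN_KEYS[0], "SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    AutorunEntry(RUN_KEYS[0], "WCTCService", r"C:\ProgramData\wctcsvc.exe -svc"),
    AutorunEntry(RUN_KEYS[1], "OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"),
    AutorunEntry(RUN_KEYS[1], "RansomHelper", r"C:\Users\alice\AppData\Roaming\runhelper.exe"),
]
SAMPLE_PROCS = [
    Process(4120, "explorer.exe", "userinit.exe", "explorer.exe", True),
    Process(5532, "wctcsvc.exe", "services.exe", r"C:\ProgramData\wctcsvc.exe -svc", False),
    Process(6010, "powershell.exe", "explorer.exe", r"powershell.exe -nop -w hidden -f E:\start.ps1", True),
    Process(6800, "powershell.exe", "cmd.exe", "powershell.exe Get-Process", True),
]

if __name__ == "__main__":
    result = triage_host(SAMPLE_AUTORUNS, SAMPLE_PROCS)
    for e in result["autoruns"]:
        print(f"[run-key] {e.key} -> {e.name} = {e.data}")
    for reason, p in result["processes"]:
        print(f"[{reason}] pid={p.pid} {p.name} <- {p.parent_name}: {p.cmdline}")
    print("isolate host:", result["needs_isolation"])
```

On a Windows host, `collect_autoruns_windows()` can replace the sample autorun list with the live Run-key contents; process records would come from whatever EDR export or tasklist parser the team already uses. The `unsigned-image` reason is deliberately excluded from the isolation decision because many legitimate tools are unsigned.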
3. File Decryption & Recovery
- Free Decryptors Available? YES – the underlying ChaCha20 key material was recovered from version 2.6.1 and earlier after the July 2023 Emsisoft takedown.
- Recovery Path:
  - Identify whether your extension is .wctc AND the ransom note contains the string “DEATH TEAM 2023” – if so, you are eligible.
  - Download the Emsisoft “DeathRansom v2 Decryptor” (SHA256 hash: c15a6b… check the CISA decryptor repo) OR use Bitdefender’s free utility if it is a .deathransom variant.
  - Keep the original ransom note and at least one pair of encrypted/unencrypted files (small, <1 MB) to rebuild the keystream.
  - If encrypted with v2.7+ – keys are now RSA-4096; decryption is not computationally feasible on 2024-era hardware. In this case skip decryption and proceed to off-site backup restore.
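An added triage script, not part of this resource, that ties section 1 (the renaming pattern and marker file) to section 3 (the recovery decision): it inventories a file listing for DeathRansom/WCTC artefacts, picks the small encrypted/clean pairs needed to rebuild the keystream, and selects the recovery path. From the page: the <name>.id-<ID>.wctc rename with an 8-character hex ID, the RECOVER-FILES-<ID>.txt note, the legacy .deathransom extension, the “DEATH TEAM 2023” marker, the 2.6.1 / 2.7+ version boundary and the <1 MB pair rule. Assumptions: legacy .deathransom files may lack the ID block, the version string is extracted from the note by the analyst, and the inventory, note text and backup catalogue are constructed.

```python
"""Inventory DeathRansom/WCTC-encrypted files and choose the recovery path
from sections 1 and 3 (renaming pattern, ransom-note marker, version gate).

Added example, not part of the original resource. Rename pattern, note name,
marker string, version boundary and pair-size rule come from the page; the
legacy no-ID form, the caller-supplied version, and all sample data below
are assumptions/constructed.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

ENCRYPTED_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<id>[0-9A-Fa-f]{8})\.(?P<ext>wctc|deathransom)$")
LEGACY_RE = re.compile(r"^(?P<orig>.+)\.(?P<ext>deathransom)$")   # assumed: no ID block
NOTE_RE = re.compile(r"^RECOVER-FILES-(?P<id>[0-9A-Fa-f]{8})\.txt$", re.IGNORECASE)
ELIGIBLE_MARKER = "DEATH TEAM 2023"
MAX_PAIR_BYTES = 1_000_000          # “small <1 MB” sample pair
LAST_DECRYPTABLE = (2, 6, 1)        # ChaCha20 key material recovered up to here


def classify(path, size):
    """Return a record for an encrypted file or ransom note, else None."""
    p = PureWindowsPath(path)
    m = ENCRYPTED_RE.match(p.name) or LEGACY_RE.match(p.name)
    if m:
        gid = m.groupdict().get("id")
        return {"kind": "encrypted", "path": path, "folder": str(p.parent),
                "orig": m["orig"], "id": gid.upper() if gid else None,
                "ext": m["ext"], "size": size}
    n = NOTE_RE.match(p.name)
    if n:
        return {"kind": "note", "path": path, "folder": str(p.parent),
                "id": n["id"].upper()}
    return None


def summarize_inventory(entries):
    """entries: iterable of (path, size_bytes) from a file listing or SIEM
    file-create events. Groups hits by victim ID, extension and folder."""
    summary = {"ids": set(), "exts": set(), "encrypted": [], "notes": [],
               "folders": defaultdict(int)}
    for path, size in entries:
        rec = classify(path, size)
        if rec is None:
            continue
        if rec["id"]:
            summary["ids"].add(rec["id"])
        if rec["kind"] == "encrypted":
            summary["exts"].add(rec["ext"])
            summary["encrypted"].append(rec)
            summary["folders"][rec["folder"]] += 1
        else:
            summary["notes"].append(rec)
    summary["folders"] = dict(summary["folders"])
    return summary


def pick_pair_candidates(summary, backup_catalog):
    """Encrypted files under 1 MB whose original (clean) copy exists in a
    backup catalogue {original_name: size}; these form the keystream pair."""
    return [r for r in summary["encrypted"]
            if r["size"] < MAX_PAIR_BYTES and r["orig"] in backup_catalog]


def parse_version(text):
    """'2.6.1' -> (2, 6, 1); 'v2.7' -> (2, 7, 0); None when absent."""
    if not text:
        return None
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    return tuple(int(x or 0) for x in m.groups()) if m else None


def recovery_path(ext, note_text, version):
    """v2.7+ is RSA-4096 (restore from backup); .wctc with the marker is
    eligible for the Emsisoft decryptor; .deathransom goes to the Bitdefender
    utility; otherwise keep the note and samples and wait for tooling."""
    if version and version > LAST_DECRYPTABLE and version >= (2, 7):
        return "restore-from-backup"
    if ext == "wctc" and ELIGIBLE_MARKER in note_text:
        return "emsisoft-decryptor"
    if ext == "deathransom":
        return "bitdefender-utility"
    return "unknown-collect-samples"


# Constructed sample data (not real victim data).
SAMPLE_INVENTORY = [
    (r"C:\Finance\Invoice_Oct_2024.xlsx.id-1a2b3c4d.wctc", 48_312),
    (r"C:\Finance\Budget_FY24.docx.id-1a2b3c4d.wctc", 2_400_000),
    (r"C:\Finance\RECOVER-FILES-1a2b3c4d.txt", 1_200),
    (r"C:\Users\alice\Desktop\notes.txt.id-1a2b3c4d.wctc", 900),
    (r"C:\Users\alice\Desktop\RECOVER-FILES-1a2b3c4d.txt", 1_200),
    (r"C:\Archive\old_report.pdf.deathransom", 310_000),
    (r"C:\Windows\System32\kernel32.dll", 700_000),
]
SAMPLE_NOTE = "ALL YOUR FILES ARE ENCRYPTED.\nContact us to recover.\n-- DEATH TEAM 2023 --"
BACKUP_CATALOG = {"Invoice_Oct_2024.xlsx": 48_312, "Budget_FY24.docx": 2_400_000}

if __name__ == "__main__":
    s = summarize_inventory(SAMPLE_INVENTORY)
    print("victim IDs:", s["ids"], "extensions:", s["exts"])
    print("encrypted per folder:", s["folders"])
    print("pair candidates:", [r["path"] for r in pick_pair_candidates(s, BACKUP_CATALOG)])
    for ext in sorted(s["exts"]):   # version "2.6.1" assumed read from the note by the analyst
        print(ext, "->", recovery_path(ext, SAMPLE_NOTE, parse_version("2.6.1")))
```

The folder counts double as the list of places a RECOVER-FILES note should exist; a folder with encrypted files but no note, or a note whose ID differs from the file IDs, is worth a second look before handing samples to a decryptor.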
4. Essential Tools & Patches
CISA-recommended bundle (all free):
| Tool / Patch | Purpose / Link |
| --- | --- |
| DeathRansom v2 Decryptor (Emsisoft) | Decrypt ChaCha20 versions |
| Offline Defender tool (WinPE) | Clean before OS spin-up |
| Microsoft KB5005565 (Oct 2021) | Patches PrintNightmare |
| Microsoft KB5012170 (Aug 2022) | Boot-manager EEPROM fix |
| Nmap/RDP-Audit script | Find exposed 3389/135/445 |
| CrowdStrike Spotlight agent | Post-deploy vulnerability check |
5. Other Critical Information
- Notable SunBurst-style element: the June 2023 fork embeds a CobaltStrike loader hidden in the PE section .debugit – EDR changes allow live shutdown of Beacon processes regardless of a signed copy of rcedit64.exe.
- Stealer Component: post-infection data exfiltration via a MEGA public folder; it encrypts directly, so old backups may already be tainted. Immediately rotate all domain privileged credentials if infection is confirmed.
- Broader Impact: Exploitation of legacy SMBv1 shares meant DeathRansom was the delivery mechanism behind the Brazilian logistics company TransMar breach (October 2022) and the Taiwanese chip equipment EverFab outage (March 2023), both leading to extended supply-chain downtime.
Bottom line: Early .deathransom and .wctc v2.6 infections are decryptable for free; keep the ransom notes and use the open-source decryptor before proceeding to clean-restore. Isolate, patch, segment, backup—from Petya era to today these remain the most effective antidotes.