Danger level 7
Type: Trojans

DeathRansom Ransomware

DeathRansom Ransomware is a threat that, at the time of research, had two different versions. In both cases, the threat was meant to encrypt files and demand a ransom to be paid in return for an alleged decryptor. Although these versions are more similar than different, differences do exist, and we discuss them in this report. We also discuss how this malware spreads, and how you can protect your Windows operating system against it. Of course, our main goal is to help you remove DeathRansom Ransomware from your operating system, and so we also discuss the different options you can choose from to have the dangerous infection deleted. So, if you are interested, please continue reading, and if you have anything you want to ask our malware experts at the end, do not hesitate to leave a comment using the form below.

DeathRansom Ransomware is also sometimes known as Wacatac Ransomware because one version of this malware adds the “.wctc” extension to the files it is meant to encrypt. When we analyzed this version, it added the extension, but it did not encrypt files. Hopefully, that is how it works in all cases, and you can check whether or not a file was encrypted by trying to open it. If it reads normally, the file was not encrypted. If it cannot be read, it was encrypted. The second version of the threat did not add an additional extension at all. Both versions used the name “DeathRansom” in the ransom note. In both cases, the name of this file is “read_me.txt,” but the messages are slightly different. The “.wctc” variant delivers a message that instructs victims to email death@cumallover.me or death@firemail.cc to obtain a file decryptor, but it gives few details about the ransom and its payment. The second version of DeathRansom Ransomware instructs victims to email deathransom@airmail.cc after paying a ransom of 0.1 BTC – which, at the time of research, was $720 – to the 1J9CG9KtJZVx1dHsVcSu8cxMTbLsqeXM5N wallet.

Communicating with the attackers behind DeathRansom Ransomware is dangerous because you never know what they could send you. In fact, the threat itself is likely to be spread using misleading spam emails, and if that is how it entered your operating system, you must understand just how risky it is to interact with the emails sent by cybercriminals. Unfortunately, when we analyzed the infection, there was no legitimate decryptor that could restore the files corrupted by DeathRansom Ransomware. Some file-encrypting infections can be cracked, but that is not the case with this malware. Of course, if your personal files were not encrypted at all, that is not something you need to worry about. On the other hand, we hope that you have backups that can be used to replace the encrypted files. You want to have backups for every personal file that exists because there are thousands of infections – including Start Ransomware, Grod Ransomware, or MarioLocker Ransomware – that can try to corrupt them. If they succeed, backups can truly save the day. If you do not have backups, and there are no legitimate tools that can help you, you are stuck.

Some victims of DeathRansom Ransomware might think that paying the ransom requested by the attackers is a legitimate option. We cannot confirm that it is, because there is no guarantee that victims receive decryption software after emailing the attackers and paying the ransom. Due to this, we believe that the ransomware is used as a scamming instrument, and, therefore, we do not recommend paying the ransom. Hopefully, you can restore files from backup, which you should do after deleting DeathRansom Ransomware from the operating system. According to our malware experts, the threat runs from where it was executed, but, unfortunately, we cannot know where that is. If you can locate and remove the launcher file, you should do it immediately. If manual removal is not the best option, install anti-malware software that can clear the operating system automatically. We strongly recommend taking this route because, besides clearing the system, the security software can also reestablish Windows protection.

P.S. Note that if your system remains unprotected, and if you act carelessly (e.g., by opening spam emails), malware will have a much easier time invading your operating system.

DeathRansom Ransomware Removal

  1. Locate the {random name}.exe that executed the threat.
  2. Right-click the malicious file and then choose Delete.
  3. Find the ransom note file named read_me.txt (copies might exist).
  4. Right-click the file and then choose Delete.
  5. Simultaneously tap keys Win and R on the keyboard to launch Run.
  6. Type regedit into the dialog box and click OK to access Registry Editor.
  7. Navigate to HKEY_CURRENT_USER\SOFTWARE\.
  8. Right-click the key named Wacatac and then choose Delete.
  9. Exit Registry Editor and then immediately Empty Recycle Bin.
  10. Install a malware scanner that can inspect your system for leftovers.
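
Before deleting anything by hand, the artifacts named in the steps above can be listed with a read-only PowerShell check. This is an added example, not part of the original guide or of any vendor tool. The `$Root` parameter, the `Test-HeaderIntact` helper and the small signature table are illustrative, and the script assumes the “.wctc” variant appends its extension to the original file name.

```powershell
# Added example: read-only triage for the artifacts this guide names. Nothing is deleted.
# Assumption: the ".wctc" variant appends its extension (report.pdf -> report.pdf.wctc),
# so the inner extension tells us which file signature to expect.
param([string]$Root = $env:USERPROFILE)   # hypothetical parameter: folder to scan

# Standard file signatures (magic bytes) for a few common formats.
$Magic = @{
    '.pdf'  = [byte[]](0x25, 0x50, 0x44, 0x46)
    '.png'  = [byte[]](0x89, 0x50, 0x4E, 0x47)
    '.jpg'  = [byte[]](0xFF, 0xD8, 0xFF)
    '.zip'  = [byte[]](0x50, 0x4B, 0x03, 0x04)
    '.docx' = [byte[]](0x50, 0x4B, 0x03, 0x04)   # Office Open XML is a ZIP container
}

function Test-HeaderIntact {
    # $true = signature matches, $false = mismatch, $null = unknown type or unreadable file
    param([string]$Path)
    $inner = [IO.Path]::GetExtension([IO.Path]::GetFileNameWithoutExtension($Path)).ToLower()
    if (-not $Magic.ContainsKey($inner)) { return $null }
    $sig = $Magic[$inner]
    $buf = New-Object byte[] ($sig.Length)
    try {
        $fs = [IO.File]::OpenRead($Path)
        try { $n = $fs.Read($buf, 0, $buf.Length) } finally { $fs.Dispose() }
    } catch { return $null }
    return ($n -eq $sig.Length) -and ([BitConverter]::ToString($buf) -eq [BitConverter]::ToString($sig))
}

# Step 8 of the guide: the key under HKEY_CURRENT_USER\SOFTWARE.
$key = 'HKCU:\SOFTWARE\Wacatac'
[pscustomobject]@{ Check = 'Registry key'; Item = $key; Result = $(if (Test-Path $key) { 'present' } else { 'absent' }) }

# Step 3: ransom notes. Both versions use the name "DeathRansom" in read_me.txt.
Get-ChildItem -Path $Root -Recurse -File -Filter 'read_me.txt' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $named = [bool](Select-String -LiteralPath $_.FullName -Pattern 'DeathRansom' -SimpleMatch -Quiet)
        [pscustomobject]@{ Check = 'Ransom note'; Item = $_.FullName; Result = $(if ($named) { 'mentions DeathRansom' } else { 'file name only' }) }
    }

# Renamed files: an intact header suggests the file was renamed but not encrypted.
Get-ChildItem -Path $Root -Recurse -File -Filter '*.wctc' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $r = Test-HeaderIntact $_.FullName
        $result = if ($null -eq $r) { 'unknown type, open it to check' } elseif ($r) { 'header intact' } else { 'header damaged' }
        [pscustomobject]@{ Check = '.wctc file'; Item = $_.FullName; Result = $result }
    }
```

An intact header is a hint, not proof; opening the file, as described earlier, remains the deciding check.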