DeathGrip | |
Date of Initial Activity | 2024 |
Suspected Attribution | Ransomware Group |
Location | Unknown |
Motivation | Financial Gain |
Software | Windows |
Overview
The DeathGrip ransomware group emerged in June 2024 and illustrates a troubling trend in cybercrime: threat actors with little experience can now obtain capable ransomware tooling and run high-impact attacks. DeathGrip operates as a Ransomware-as-a-Service (RaaS), giving its clients payloads produced with the leaked LockBit 3.0 builder and the Yashma/Chaos builder. This access to mature, off-the-shelf ransomware lowers the barrier to entry and widens the pool of criminals able to run extortion campaigns. By marketing the service on Telegram and underground forums, DeathGrip gained traction quickly and poses a threat to organizations worldwide.
What distinguishes DeathGrip from other ransomware groups is its business model rather than novel malware. Instead of carrying out intrusions itself, DeathGrip supplies ransomware to other threat actors, so individuals with little or no technical expertise can deploy payloads with professional-grade encryption and evasion. Because the payloads come from leaked builders such as LockBit 3.0, affiliates receive well-tested strains with a proven track record of causing damage; a leaked builder produces the original family's payload with the operator's own branding and ransom note, so the "DeathGrip" label reflects the service, not a new code base. This low barrier to entry contributes to the growing volume of ransomware attacks, since even small-time operators can now launch damaging campaigns.
Common targets
Information
Individuals
Attack Vectors
Software Vulnerabilities
How they operate
As a Ransomware-as-a-Service (RaaS) group, DeathGrip gives its affiliates access to ransomware builders such as LockBit 3.0 and Yashma/Chaos, so that even operators with limited technical expertise can run ransomware campaigns. The group's primary delivery method bundles the payload in a self-extracting (SFX) archive, typically with a .scr (screensaver) extension; .scr files are ordinary PE executables that Windows runs on double-click, so the unusual extension offers no protection. Once executed, the SFX file retrieves the actual ransomware payload from a remote server and runs it on the target system.
The ransomware encrypts files with AES-256 in GCM mode (sometimes written "AES-256 CGM" in reports, a typo for GCM), so that encrypted files cannot be recovered without the decryption key. One notable feature is that DeathGrip can restrict encryption to a configured list of file extensions, which lets attackers target specific kinds of data while leaving other files untouched and also shortens the time the encryptor needs to run. DeathGrip additionally disables backups and restore points; because Windows restore points are stored as Volume Shadow Copies, this class of tampering normally means deleting shadow copies and the backup catalog. Removing the local recovery path makes it hard for organizations to recover without paying, which is the point.
A key technical aspect of DeathGrip's operation is its set of anti-analysis features. The ransomware bypasses User Account Control (UAC) to obtain elevated privileges, giving it the access needed to encrypt files across the system and to tamper with recovery settings. It includes anti-emulation and anti-sandbox checks intended to stop the payload from running in controlled environments, which slows reverse engineering and the development of countermeasures. It also includes anti-virtual-machine (VM) checks, so the sample refuses to detonate inside the virtual machines that analysts and automated sandboxes typically use.
Once the ransomware has infected a system, DeathGrip takes steps to persist. It creates a startup entry (the kind listed under the Startup tab of Task Manager) so that it runs again at each logon or reboot. It can also stop Windows services and processes that might interfere with encryption, typically those that hold files open. The payload's file properties (version information) and icon can be customized so the binary resembles legitimate software and draws less attention from the victim. Together these measures let DeathGrip keep running over an extended period and further complicate recovery.
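The delivery chain, backup tampering and startup persistence described in the preceding paragraphs leave a recognizable trail in process-creation telemetry. The following Python is an added hunting example written for this page; it is not DeathGrip code, not code from any report on the group, and the command lines it looks for (vssadmin, wbadmin, bcdedit, wmic, reg add to the Run key) are the ones ransomware families in general use for these steps, not commands the page attributes to DeathGrip specifically. The Sysmon-style records are constructed sample data. The script flags each behaviour on its own and then walks parent PIDs to tie the behaviours back to a .scr launched from a user-writable path, which is the signal worth paging on.

```python
"""Hunt for a .scr dropper -> recovery tampering -> Run-key persistence chain.

Added example for this page (not DeathGrip's code). Records mimic Sysmon
Event ID 1 (process creation); they are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# Constructed sample events: one infected workstation and one benign server.
SAMPLE_EVENTS = [
    {"host": "WS01", "pid": 4100, "ppid": 1200,
     "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"host": "WS01", "pid": 4520, "ppid": 4100,
     "image": r"C:\Users\alice\Downloads\Invoice_2024.scr",
     "cmdline": r'"C:\Users\alice\Downloads\Invoice_2024.scr"'},
    {"host": "WS01", "pid": 4610, "ppid": 4520,
     "image": r"C:\Users\alice\AppData\Local\Temp\RarSFX0\update.exe",
     "cmdline": r'"C:\Users\alice\AppData\Local\Temp\RarSFX0\update.exe"'},
    {"host": "WS01", "pid": 4700, "ppid": 4610,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin delete shadows /all /quiet & "
                "wbadmin delete catalog -quiet"},
    {"host": "WS01", "pid": 4710, "ppid": 4610,
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "WS01", "pid": 4720, "ppid": 4610,
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run "
                r'/v Updater /t REG_SZ /d "C:\Users\alice\AppData\Local\Temp'
                r'\RarSFX0\update.exe" /f'},
    # Benign admin activity: listing shadows is not tampering and must not fire.
    {"host": "SRV02", "pid": 900, "ppid": 800,
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c vssadmin list shadows"},
]

# Directories an unprivileged user can write to; executables launched from
# here are where SFX droppers and their extracted payloads usually live.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(Downloads|Desktop|AppData\\Local\\Temp)\\", re.I)

# (rule name, record field to test, pattern)
RULES = [
    ("scr_dropper", "image", re.compile(r"\.scr$", re.I)),
    ("exec_from_user_writable_path", "image", re.compile(r"\.(exe|com|pif)$", re.I)),
    ("vssadmin_delete_shadows", "cmdline",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("wbadmin_delete_catalog", "cmdline",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("bcdedit_disable_recovery", "cmdline",
     re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I)),
    ("wmic_shadowcopy_delete", "cmdline",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("run_key_persistence", "cmdline",
     re.compile(r"reg(\.exe)?\s+add\s+.*\\CurrentVersion\\Run\b", re.I)),
]
# Image-based rules only fire for binaries under a user-writable directory,
# otherwise every explorer.exe launch would match.
PATH_SCOPED = {"scr_dropper", "exec_from_user_writable_path"}


def match_rules(event):
    """Return the names of all rules a single process-creation record matches."""
    hits = []
    for name, field, pattern in RULES:
        if not pattern.search(event[field]):
            continue
        if name in PATH_SCOPED and not USER_WRITABLE.search(event["image"]):
            continue
        hits.append(name)
    return hits


def ancestors(index, host, pid, max_depth=32):
    """Yield parent records of (host, pid) by following ppid, root-most last."""
    event = index.get((host, pid))
    for _ in range(max_depth):          # bounded walk: guards against pid reuse loops
        if event is None:
            return
        event = index.get((host, event["ppid"]))
        if event is None:
            return
        yield event


def hunt(events, min_behaviours=2):
    """Flag individual behaviours, then correlate them under a .scr ancestor.

    Returns {"hits": [(host, pid, rule), ...],
             "chains": [{"host", "dropper_pid", "dropper", "behaviours"}, ...]}
    A chain is reported when a .scr from a user path has at least
    `min_behaviours` distinct suspicious behaviours among its descendants.
    """
    index = {(e["host"], e["pid"]): e for e in events}
    hits = []
    chains = defaultdict(set)            # (host, dropper pid) -> behaviours seen
    for event in events:
        for rule in match_rules(event):
            hits.append((event["host"], event["pid"], rule))
            if rule == "scr_dropper":
                continue
            for parent in ancestors(index, event["host"], event["pid"]):
                if "scr_dropper" in match_rules(parent):
                    chains[(parent["host"], parent["pid"])].add(rule)
                    break
    report = []
    for (host, pid), behaviours in chains.items():
        if len(behaviours) >= min_behaviours:
            report.append({"host": host, "dropper_pid": pid,
                           "dropper": index[(host, pid)]["image"],
                           "behaviours": sorted(behaviours)})
    return {"hits": hits, "chains": report}


if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for hit in result["hits"]:
        print("hit   ", hit)
    for chain in result["chains"]:
        print("CHAIN ", chain)
```

Individual hits (a shadow-copy deletion on its own, for instance) are noisy because administrators and backup software legitimately issue some of these commands; the chain output is what distinguishes a ransomware detonation from housekeeping, and the benign `vssadmin list shadows` on SRV02 produces nothing at either level.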
DeathGrip also includes an anti-CIS check: it avoids encrypting systems in Commonwealth of Independent States countries. This exclusion is a long-standing convention among ransomware crews operating in or near that region and is usually implemented by checking the system locale or installed keyboard layouts. It excludes one region rather than tailoring attacks to others; the customization comes from the builders themselves, whose modular options (target extensions, ransom note, evasion and persistence features) let affiliates configure payloads for particular victims.
In summary, DeathGrip's technical operations center on delivering ransomware payloads that evade detection, encrypt valuable files, and persist on compromised hosts, with the underlying code supplied by leaked and off-the-shelf builders. The combination of strong encryption, anti-analysis checks, and recovery tampering makes it a serious threat to organizations of all sizes. As the Ransomware-as-a-Service model continues to gain traction, DeathGrip exemplifies how accessible and damaging such operations have become.