DeathGrip (Ransomware Group) – Threat Actor

February 11, 2025
in Threat Actors

DeathGrip

Date of Initial Activity

2024

Suspected Attribution

Ransomware Group

Location

Unknown

Motivation

Financial Gain

Software

Windows

Overview

DeathGrip is a Ransomware-as-a-Service (RaaS) operation that surfaced in June 2024. Rather than developing its own locker, it sells affiliates access to ransomware produced with two widely circulated builders: the leaked LockBit 3.0 builder and the Yashma/Chaos builder. Affiliates therefore get encryption, evasion and configuration options that were developed and field-tested by other groups, without the skills needed to write any of it themselves. The service was advertised through Telegram and underground forums and gained traction quickly.

What distinguishes DeathGrip is its business model rather than its tooling. It does not run intrusions itself; it equips other actors, including ones with little or no technical expertise, to carry out extortion campaigns with professional-grade encryption and evasion. That is the trend the group represents: leaked and freely available builders have lowered the barrier to entry so far that small-time operators can field payloads comparable to those of established ransomware crews. For defenders the practical consequence is that a DeathGrip-branded attack will, on the endpoint, look largely like LockBit 3.0 or Chaos/Yashma, and should be detected and handled as such.

Common targets

Information

Individuals

Attack Vectors

Software Vulnerabilities

How they operate

As a RaaS operation, DeathGrip gives affiliates access to ransomware produced with the LockBit 3.0 and Yashma/Chaos builders, so the payload behaviour described below is largely the behaviour of those builders, configured through the options they expose.

Delivery. The group's observed distribution method is a bundled self-extracting file, typically with a .scr extension (the Windows screen-saver extension, which Windows executes like any other PE). When the victim runs it, the stub retrieves the actual ransomware payload from a remote server and executes it, so the file that arrives by e-mail or download is a small dropper rather than the locker itself.

Encryption and impact. The payload encrypts victim files with AES-256-GCM, leaving them unreadable without the key. Encryption can be restricted to a configurable list of file extensions, so an affiliate can target documents, databases or images while skipping files that would slow the run or destabilise the system. The ransomware also deletes backups and restore points, which removes the easiest recovery path and pressures the victim toward paying.

Privilege escalation and evasion. The ransomware attempts to bypass User Account Control (UAC) to obtain the elevated privileges it needs to tamper with backups and services. It carries anti-emulation, anti-sandbox and anti-virtual-machine checks intended to stop it from detonating in automated analysis environments; a sample that refuses to run in a sandbox yields no behavioural signature, which slows both vendor detection and researcher analysis.

Persistence and preparation. After infection it writes a startup entry so that it is re-launched at every reboot, and it can stop Windows services and processes that would hold files open or otherwise interfere with encryption. Builder options also let the affiliate set custom file properties and icons on the binary so that it draws less attention from the victim.

Targeting. The ransomware includes an anti-CIS check that aborts on systems located in Commonwealth of Independent States countries, a convention shared by many ransomware families. Combined with the extension list and the other builder options, this lets each affiliate tailor a build to a campaign.

In short, DeathGrip's payloads are built to evade analysis, encrypt the files the affiliate cares about, remove recovery options and survive a reboot. None of this is novel; what makes the group dangerous is that the RaaS model puts these capabilities in the hands of actors who could not have built them, and the continued spread of that model means more such operations should be expected.
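The delivery and impact chain above (a .scr dropper run from a user-writable path that fetches its payload, recovery inhibition, and a startup entry) can be hunted for in endpoint telemetry. The Python below is an added example, not code from this page or from DeathGrip's own sources. The event schema and the sample events are constructed to resemble normalised Sysmon events (IDs 1, 3 and 13), and the recovery-inhibition commands it matches (vssadmin delete shadows, wmic shadowcopy delete, bcdedit recoveryenabled No, wbadmin delete catalog) are the commands these builders are commonly observed using to delete backups and restore points, assumed here rather than taken from the page.

```python
"""Hunt for the DeathGrip-style delivery chain described above in Sysmon-like
telemetry: a .scr dropper launched from a user-writable path, its outbound
connection to fetch the real payload, the child it spawns, recovery
inhibition (shadow copies / restore points) and Run-key persistence.
Added example; the event format and the sample events are constructed."""
import re
from collections import defaultdict

# Constructed sample telemetry for two hosts (not captured from a real incident).
# Fields mirror what a SIEM normalises from Sysmon Event ID 1 (process create),
# 3 (network connection) and 13 (registry value set). "t" is seconds.
SAMPLE_EVENTS = [
    {"t": 0, "id": 1, "host": "WS01", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\invoice.scr",
     "cmd": r'"C:\Users\alice\Downloads\invoice.scr" /S',
     "parent": r"C:\Windows\explorer.exe"},
    {"t": 3, "id": 3, "host": "WS01", "pid": 4120,
     "image": r"C:\Users\alice\Downloads\invoice.scr",
     "dst": "203.0.113.10", "dport": 443},
    {"t": 9, "id": 1, "host": "WS01", "pid": 4188,
     "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "cmd": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "parent": r"C:\Users\alice\Downloads\invoice.scr"},
    {"t": 12, "id": 1, "host": "WS01", "pid": 4201,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin delete shadows /all /quiet",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"t": 13, "id": 1, "host": "WS01", "pid": 4205,
     "image": r"C:\Windows\System32\bcdedit.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No",
     "parent": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"t": 15, "id": 13, "host": "WS01", "pid": 4188,
     "image": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "key": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "value": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    # Benign noise on another host: listing shadows is routine admin activity.
    {"t": 20, "id": 1, "host": "WS02", "pid": 900,
     "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin list shadows", "parent": r"C:\Windows\System32\cmd.exe"},
]

# Paths an unprivileged user can write to; droppers and fetched payloads land here.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData\\Local\\Temp)|ProgramData|Windows\\Temp)\\", re.I)
# Recovery-inhibition commands (assumed typical for these builders, see lead-in).
RECOVERY_TAMPER = [
    (re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin delete shadows"),
    (re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
    (re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I), "bcdedit recoveryenabled No"),
    (re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I), "wbadmin delete catalog"),
]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)


def _finding(e, rule, detail):
    return {"host": e["host"], "t": e["t"], "rule": rule, "detail": detail}


def hunt(events, window=60):
    """Return one finding per matched event, in time order: {host, t, rule, detail}."""
    findings = []
    scr_launch = {}  # (host, pid) -> launch time of a .scr run from a user-writable dir
    for e in sorted(events, key=lambda x: x["t"]):
        host, image = e["host"], e.get("image", "")
        if e["id"] == 1:
            cmd, parent = e.get("cmd", ""), e.get("parent", "")
            if image.lower().endswith(".scr") and USER_WRITABLE.search(image):
                scr_launch[(host, e["pid"])] = e["t"]
                findings.append(_finding(e, "scr_from_user_dir", image))
            # The dropper executing the payload it fetched.
            if parent.lower().endswith(".scr") and USER_WRITABLE.search(image):
                findings.append(_finding(e, "scr_spawned_child", f"{parent} -> {image}"))
            for rx, label in RECOVERY_TAMPER:
                if rx.search(cmd):
                    findings.append(_finding(e, "recovery_tamper", label))
        elif e["id"] == 3:
            # Outbound connection by a .scr shortly after launch: payload retrieval.
            t0 = scr_launch.get((host, e["pid"]))
            if t0 is not None and e["t"] - t0 <= window:
                findings.append(_finding(e, "scr_network_fetch",
                                         f"{image} -> {e['dst']}:{e['dport']}"))
        elif e["id"] == 13:
            if RUN_KEY.search(e.get("key", "")) and USER_WRITABLE.search(e.get("value", "")):
                findings.append(_finding(e, "run_key_persistence", f"{e['key']} = {e['value']}"))
    return findings


def hosts_at_risk(findings, min_rules=3):
    """Hosts on which at least min_rules distinct rules fired: the chain, not one noisy hit."""
    rules = defaultdict(set)
    for f in findings:
        rules[f["host"]].add(f["rule"])
    return sorted(h for h, r in rules.items() if len(r) >= min_rules)


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for f in results:
        print(f"{f['host']} t={f['t']:>3} {f['rule']:<20} {f['detail']}")
    print("hosts at risk:", hosts_at_risk(results))
```

Each rule on its own is noisy (administrators list and occasionally delete shadow copies, and plenty of legitimate software writes Run keys), which is why hosts_at_risk escalates only when several distinct stages of the chain appear on the same host. In a real deployment the .scr and network rules would be keyed on process GUIDs rather than PIDs, which Windows reuses.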
References:
  • DeathGrip: Emergence of a new Ransomware-as-a-Service
  • DeathGrip RaaS | Small-Time Threat Actors Aim High With LockBit & Yashma Builders

Tags: DeathGrip, LockBit, RaaS model, Ransomware, Threat Actors, Vulnerabilities, Windows
    © 2025 | CyberMaterial | All rights reserved