win.deathransom

DeathRansom

aka: deathransom, wacatac

Also known as Wacatac ransomware because of the .wctc file extension it uses.

References
2024-04-29 | cyber5w | cyber5w
How to unpack Death Ransomware
DeathRansom
2020-01-06 | Github (albertzsigovits) | Albert Zsigovits
DeathRansom \ Wacatac ransomware
DeathRansom
2020-01-02 | Fortinet | Artem Semenchenko, Evgeny Ananin
DeathRansom Part II: Attribution
DeathRansom
2020-01-02 | Fortinet | Minh Tran
The Curious Case of DeathRansom: Part I
DeathRansom
2019-11-21 | ASEC | ASEC Analysis Team
GandCrab Finds DEATHRansom of the Same Appearance Following Nemty in Korea
DeathRansom
2019-11-19 | ID Ransomware | Andrew Ivanov
Wacatac Ransomware
DeathRansom
2019-11-19 | Twitter (@Amigo_A_) | Andrew Ivanov
Tweet on Wacatac Ransomware
DeathRansom
2019-11-19 | Dissecting Malware | Marius Genheimer
Quick and painless - Reversing DeathRansom / "Wacatac"
DeathRansom
Yara Rules
[TLP:WHITE] win_deathransom_auto (20260504 | Detects win.deathransom.)
rule win_deathransom_auto {
    // Autogenerated (yara-signator) code-sequence rule for the DeathRansom /
    // Wacatac ransomware family (malpedia win.deathransom). It matches on runs of
    // x86 instruction bytes taken from unpacked samples, not on strings, the
    // ransom note or the .wctc extension, so packed samples must be unpacked or
    // scanned in memory first.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.deathransom."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of x86 opcode bytes; "??" bytes are YARA
        // wildcards covering call/jump targets and data references that change
        // between builds (see signator_config above). The disassembly under each
        // sequence is informational only.
        //
        // NOTE(review): 0x19a4c116 in $sequence_0 equals one of the SHA-256
        // round constants, and the shr 3 / shr 0xa / rol 0xe operations in
        // $sequence_7 and $sequence_8 match the SHA-256 sigma functions, so these
        // sequences look like an inlined SHA-256 implementation rather than
        // family-specific logic; a benign binary with the same compiled SHA-256
        // could contribute matches for them. Confirm before raising confidence.
        $sequence_0 = { 8b55d8 33c3 03c1 81c216c1a419 03d0 8bcf 0155ec }
            // n = 7, score = 100
            //   8b55d8               | mov                 edx, dword ptr [ebp - 0x28]
            //   33c3                 | xor                 eax, ebx
            //   03c1                 | add                 eax, ecx
            //   81c216c1a419         | add                 edx, 0x19a4c116
            //   03d0                 | add                 edx, eax
            //   8bcf                 | mov                 ecx, edi
            //   0155ec               | add                 dword ptr [ebp - 0x14], edx

        $sequence_1 = { 8d049d00000000 50 6a08 ffd1 50 }
            // n = 5, score = 100
            //   8d049d00000000       | lea                 eax, [ebx*4]
            //   50                   | push                eax
            //   6a08                 | push                8
            //   ffd1                 | call                ecx
            //   50                   | push                eax

        $sequence_2 = { 5f 33c0 5e c3 8b4908 f7d6 }
            // n = 6, score = 100
            //   5f                   | pop                 edi
            //   33c0                 | xor                 eax, eax
            //   5e                   | pop                 esi
            //   c3                   | ret                 
            //   8b4908               | mov                 ecx, dword ptr [ecx + 8]
            //   f7d6                 | not                 esi

        $sequence_3 = { 83c42c 8b4df4 57 53 e8???????? 8b55e4 }
            // n = 6, score = 100
            //   83c42c               | add                 esp, 0x2c
            //   8b4df4               | mov                 ecx, dword ptr [ebp - 0xc]
            //   57                   | push                edi
            //   53                   | push                ebx
            //   e8????????           |                     
            //   8b55e4               | mov                 edx, dword ptr [ebp - 0x1c]

        $sequence_4 = { 5e 5b 8be5 5d c3 8b35???????? 6a04 }
            // n = 7, score = 100
            //   5e                   | pop                 esi
            //   5b                   | pop                 ebx
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   8b35????????         |                     
            //   6a04                 | push                4

        $sequence_5 = { 235ddc 0bd8 895de0 014de0 8b4dc4 8bd1 }
            // n = 6, score = 100
            //   235ddc               | and                 ebx, dword ptr [ebp - 0x24]
            //   0bd8                 | or                  ebx, eax
            //   895de0               | mov                 dword ptr [ebp - 0x20], ebx
            //   014de0               | add                 dword ptr [ebp - 0x20], ecx
            //   8b4dc4               | mov                 ecx, dword ptr [ebp - 0x3c]
            //   8bd1                 | mov                 edx, ecx

        $sequence_6 = { 33c8 8b7de4 03ca 8b5df4 8b55dc 8bc6 }
            // n = 6, score = 100
            //   33c8                 | xor                 ecx, eax
            //   8b7de4               | mov                 edi, dword ptr [ebp - 0x1c]
            //   03ca                 | add                 ecx, edx
            //   8b5df4               | mov                 ebx, dword ptr [ebp - 0xc]
            //   8b55dc               | mov                 edx, dword ptr [ebp - 0x24]
            //   8bc6                 | mov                 eax, esi

        $sequence_7 = { c1e80a 33d0 8b5da0 0355bc 8bcb c1c10e 8bc3 }
            // n = 7, score = 100
            //   c1e80a               | shr                 eax, 0xa
            //   33d0                 | xor                 edx, eax
            //   8b5da0               | mov                 ebx, dword ptr [ebp - 0x60]
            //   0355bc               | add                 edx, dword ptr [ebp - 0x44]
            //   8bcb                 | mov                 ecx, ebx
            //   c1c10e               | rol                 ecx, 0xe
            //   8bc3                 | mov                 eax, ebx

        $sequence_8 = { 8bc3 c1e803 33f8 8b5de0 03fa 8b55ec 037db4 }
            // n = 7, score = 100
            //   8bc3                 | mov                 eax, ebx
            //   c1e803               | shr                 eax, 3
            //   33f8                 | xor                 edi, eax
            //   8b5de0               | mov                 ebx, dword ptr [ebp - 0x20]
            //   03fa                 | add                 edi, edx
            //   8b55ec               | mov                 edx, dword ptr [ebp - 0x14]
            //   037db4               | add                 edi, dword ptr [ebp - 0x4c]

        $sequence_9 = { 3b55fc 8b75f0 1bc0 c1eb10 f7d8 03c1 8b4df8 }
            // n = 7, score = 100
            //   3b55fc               | cmp                 edx, dword ptr [ebp - 4]
            //   8b75f0               | mov                 esi, dword ptr [ebp - 0x10]
            //   1bc0                 | sbb                 eax, eax
            //   c1eb10               | shr                 ebx, 0x10
            //   f7d8                 | neg                 eax
            //   03c1                 | add                 eax, ecx
            //   8b4df8               | mov                 ecx, dword ptr [ebp - 8]

    condition:
        // Fires when at least 7 of the 10 sequences are present and the scanned
        // object is smaller than 133120 bytes (130 KiB); the size bound keeps the
        // rule to small binaries like the documented samples and reduces chance
        // hits in large files. NOTE(review): filesize refers to the scanned file,
        // so verify how the rule behaves on process/memory scans before relying
        // on it there.
        7 of them and filesize < 133120
}