DeathGrip RaaS: Minor Threat Actors Target Ambitious Goals with LockBit and Yashma Builders

DeathGrip is a rising ransomware-as-a-service operation that leverages publicly available builders such as LockBit 3.0 and Yashma/Chaos to let less-skilled actors run ransomware campaigns with capabilities well beyond their own tooling skills. Promoted on Telegram, it combines strong encryption, security evasion, and system manipulation with low ransom demands, signaling a broader commoditization of ransomware. #DeathGrip #LockBit3 #YashmaChaos #Telegram #BrainCipher #NationalDataCenter #Indonesia

Key points

  • Emergence of DeathGrip Ransomware: Debuted in June 2024 as a RaaS model.
  • Accessibility of Ransomware Tools: Tools like LockBit 3.0 and Yashma/Chaos are easily available on the dark web.
  • Promotion via Telegram: DeathGrip uses Telegram channels to advertise its services.
  • Advanced Features: Includes AES-256 GCM encryption, UAC bypass, and system manipulation capabilities.
  • Low Ransom Demands: Ransom amounts typically range from $100 to $1000, lower than many large-scale operations.
  • Indicators of Compromise: Specific SHA1 hashes and network URLs associated with DeathGrip payloads are identified.
  • Operational Modus Operandi: Uses self-extracting bundles, droppers, and remote staging servers; variants include LockBit-based and Chaos/Yashma-based payloads, both distributed through Telegram-promoted channels.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – DeathGrip ransomware encrypts files on infected systems.
  • [T1124] System Time Discovery – May utilize system time for ransom note timestamps.
  • [T1082] Volume Shadow Copy Discovery – Manipulates Volume Shadow Copies to prevent recovery.
  • [T1565] Data Manipulation – Modifies file extensions to indicate encryption (.deathgrip or .DeathGrip).
  • [T1098] Account Manipulation – May disable user accounts or services to hinder recovery efforts.

Indicators of Compromise

  • [SHA1] DeathGrip (LockBit) context – 2d566a2b94fc8b16b97200392db1bbe714c31289, 560065e8fbc3eb7743c74d3300d73db16141fd1f, and 3 more hashes
  • [Network] DeathGrip C2 / payload hosting – https://master-repogen.vercel.app/file/server.scr, https://master-repogen.vercel.app/file/tmk.scr

Read more: https://www.sentinelone.com/blog/deathgrip-raas-small-time-threat-actors-aim-high-with-lockbit-yashma-builders/