S0616: DEATHRANSOM

DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.[1]

Domain: Enterprise | ID: S0616 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

DEATHRANSOM is a Windows ransomware family, written in C, documented as used since at least 2020. Its ATT&CK relationships matter because they map the ransomware problem beyond file encryption: discovery of files, storage, language, and network shares; web-protocol command-and-control; tool transfer; WMI-based execution; encryption for impact; and actions that inhibit recovery. For leaders, the practical question is whether the organization can see and contain the activity before shared data, endpoints, and recovery paths are affected.

Executive priority

Treat this as a ransomware readiness validation item rather than only a malware name. The ATT&CK relationships point to business-continuity risk around Windows endpoint execution, network share exposure, backup and recovery resilience, and SOC visibility into common administrative channels such as WMI and web traffic. Executives should ask whether ransomware playbooks prove three things: early detection of discovery and tool transfer, isolation of affected Windows systems and shares, and recoverability if local recovery mechanisms are disabled or deleted.

Technical view

For SOC, detection engineering, and IR teams, DEATHRANSOM coverage should be assessed through its mapped behaviors: T1047 Windows Management Instrumentation for execution, T1071.001 Web Protocols for command-and-control, T1105 Ingress Tool Transfer, T1083 File and Directory Discovery, T1135 Network Share Discovery, T1614.001 System Language Discovery, T1680 Local Storage Discovery, T1486 Data Encrypted for Impact, and T1490 Inhibit System Recovery. Because the official ATT&CK object provides no detection text and no object-level tactics, teams should validate behavior-based controls rather than rely on a named signature alone.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry, especially for WMI-related execution activity
  • WMI event logs and remote administration activity where collected
  • Network proxy, DNS, firewall, and TLS metadata for web-protocol command-and-control patterns
  • Endpoint file system activity showing high-volume file enumeration, modification, or encryption-like behavior
  • SMB and file server access logs for network share discovery and unusual access breadth

Detection direction

  • Validate that detections cover behavior sequences, not just individual indicators: discovery of files/shares/storage followed by tool transfer, WMI execution, and mass file modification is more meaningful than any one event alone.
  • Tune WMI detections against known administrative tooling and service accounts to reduce false positives while still surfacing unusual remote or scripted execution.
  • Review web-protocol monitoring for external communications that blend into normal HTTP/S traffic; ATT&CK notes this can be used to avoid simple network filtering.
  • Confirm that file server and endpoint telemetry can distinguish ordinary user browsing from broad share enumeration or rapid access across many directories.
  • Test alerting for recovery inhibition separately from encryption alerts; loss of recovery options can materially change incident severity and restoration timelines.
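The sequence logic called for above (share discovery, then WMI-based shadow copy deletion, then mass file modification), worked through as an added example that is not code from this page, from MITRE, or from the cited FireEye report. It runs a small correlation routine over constructed endpoint events. The event schema, the command-line patterns, the ten-minute window, the thresholds and the svc_backup allowlist entry are assumptions chosen for illustration; a real pipeline would feed it Sysmon or Security 4688 process creation, SMB share-access audit and file-activity telemetry instead.

```python
"""Correlate DEATHRANSOM-style behaviours (T1135 share discovery, T1047/T1490
shadow copy deletion via WMI, T1486-like mass file modification) over
constructed endpoint events. Added example; schema, patterns, thresholds and
allowlist are assumptions, not a product API or the malware's own code."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line forms of recovery inhibition, including the WMI path the ATT&CK
# procedure text describes. Analyst-chosen patterns, not taken from MITRE.
RECOVERY_INHIBITION = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    re.compile(r"Win32_ShadowCopy.*(\.Delete\(\)|Remove-(Wmi|Cim)Instance)", re.I),
    re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b", re.I),
]

# Accounts expected to touch shadow copies (assumed backup service account).
# Their hits are kept but downgraded unless other stages corroborate them.
ADMIN_ALLOWLIST = {"svc_backup"}


def is_recovery_inhibition(cmdline: str) -> bool:
    """True if the command line matches a known shadow-copy/catalog deletion form."""
    return any(p.search(cmdline) for p in RECOVERY_INHIBITION)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, window=timedelta(minutes=10), share_threshold=4, file_threshold=20):
    """One alert per recovery-inhibition event on a host, escalated to 'high'
    when broad share access by the same user precedes it or mass file
    modification follows it inside the window."""
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        for e in evs:
            if e["kind"] != "process" or not is_recovery_inhibition(e["cmdline"]):
                continue
            t0 = _ts(e)
            # Distinct shares the same user touched in the window before the deletion.
            shares = {x["share"] for x in evs
                      if x["kind"] == "smb" and x["user"] == e["user"]
                      and t0 - window <= _ts(x) <= t0}
            # Distinct files modified on the host in the window after the deletion.
            files = {x["path"] for x in evs
                     if x["kind"] == "file_modify" and t0 <= _ts(x) <= t0 + window}
            stages = ["recovery_inhibition"]
            if len(shares) >= share_threshold:
                stages.insert(0, "share_discovery")
            if len(files) >= file_threshold:
                stages.append("mass_file_modification")
            if len(stages) > 1:
                severity = "high"    # a behaviour sequence, not a lone admin command
            elif e["user"] in ADMIN_ALLOWLIST:
                severity = "low"     # tuned: expected account, nothing corroborating
            else:
                severity = "medium"
            alerts.append({"host": host, "user": e["user"], "ts": e["ts"],
                           "severity": severity, "stages": stages,
                           "shares": len(shares), "files": len(files)})
    return alerts


def _event(ts, host, user, kind, **extra):
    return {"ts": ts, "host": host, "user": user, "kind": kind, **extra}


# Constructed sample telemetry (not real data): WS01 shows the full sequence,
# WS02 a harmless listing, WS03 a deletion by the allowlisted backup account.
SAMPLE_EVENTS = (
    [_event(f"2024-05-01T09:00:0{i}", "WS01", "jdoe", "smb", share=f"\\\\FS01\\{s}")
     for i, s in enumerate(["finance", "hr", "eng", "legal", "backup"])]
    + [_event("2024-05-01T09:01:00", "WS01", "jdoe", "process",
              cmdline="wmic.exe shadowcopy delete /nointeractive")]
    + [_event(f"2024-05-01T09:01:{10 + i:02d}", "WS01", "jdoe", "file_modify",
              path=f"C:\\Users\\jdoe\\Documents\\report{i}.docx") for i in range(25)]
    + [_event("2024-05-01T09:05:00", "WS02", "itadmin", "process",
              cmdline="vssadmin list shadows")]
    + [_event("2024-05-01T22:00:00", "WS03", "svc_backup", "process",
              cmdline='powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"')]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints two alerts: WS01 at high severity with all three stages, and WS03 at low severity because the deletion came from the allowlisted account with no surrounding discovery or mass modification; the WS02 listing produces nothing. The point to carry into a real rule is the shape, not the numbers: the WMI deletion alone is ambiguous, the sequence is not.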

Mitigation priorities

  • Prioritize resilient, tested backups and recovery processes that are protected from endpoint-level tampering.
  • Restrict and monitor WMI and other remote administration paths, especially for accounts that can execute across Windows systems.
  • Limit unnecessary network share exposure and enforce least-privilege access to shared data repositories.
  • Maintain egress controls and monitoring for web-protocol traffic, with attention to suspicious downloads and command-and-control-like behavior.
  • Harden endpoint controls against unauthorized tool transfer and execution, and ensure rapid isolation procedures are available during ransomware investigations.

Analyst notes and limits

The most decision-useful content in the supplied ATT&CK data is the relationship set: it links DEATHRANSOM to execution, discovery, command-and-control, ingress transfer, encryption impact, and recovery inhibition behaviors. The official description also notes potential overlap with FIVEHANDS and HELLOKITTY, but that should be treated as contextual intelligence rather than attribution or proof of shared operations.

The supplied ATT&CK object does not provide official detection text, aliases, labels, or object-level tactics. Platform support for the malware object is Windows; related techniques may list broader platforms, but those should not be assumed for DEATHRANSOM without local evidence. This take does not assert active exploitation, current prevalence, attribution, or guaranteed detection coverage.

Official MITRE ATT&CK definition

DEATHRANSOM

DEATHRANSOM is ransomware written in C that has been used since at least 2020, and has potential overlap with FIVEHANDS and HELLOKITTY.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

9 rows

Domain | ID | Name (relationship / procedure text follows each row)

Enterprise | T1486 | Data Encrypted for Impact
DEATHRANSOM can use public and private key pair encryption to encrypt files for ransom payment.[1]

Enterprise | T1071.001 | Web Protocols (sub-technique)
DEATHRANSOM can use HTTPS to download files.[1]

Enterprise | T1490 | Inhibit System Recovery
DEATHRANSOM can delete volume shadow copies on compromised hosts.[1]

Enterprise | T1083 | File and Directory Discovery
DEATHRANSOM can use loop operations to enumerate directories on a compromised host.[1]

Enterprise | T1614.001 | System Language Discovery (sub-technique)
Some versions of DEATHRANSOM have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar, DEATHRANSOM would exit.[1]

Enterprise | T1105 | Ingress Tool Transfer
DEATHRANSOM can download files to a compromised host.[1]

Enterprise | T1047 | Windows Management Instrumentation
DEATHRANSOM has the ability to use WMI to delete volume shadow copies.[1]

Enterprise | T1680 | Local Storage Discovery
DEATHRANSOM can enumerate logical drives on a target system.[1]

Enterprise | T1135 | Network Share Discovery
DEATHRANSOM has the ability to use loop operations to enumerate network resources.[1]
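The T1614.001 row above (language ID and keyboard layout checks that cause some versions to exit), as an added example that is not taken from this page, from MITRE, or from the malware: a Python emulation of the check so analysts can see how a Windows LANGID and a keyboard layout handle (HKL) are decoded before comparison. The bit layout follows the documented Windows LANGID macros (primary language in the low 10 bits, sub-language in the 6 bits above it) and the convention that an HKL carries the input language in its low 16 bits; the numeric IDs for the five named languages are the standard Windows values; the order of the two checks is this example's choice, since the page only says that either match causes an exit; and the scenarios are constructed.

```python
"""Emulate the language-ID / keyboard-layout exclusion check described for some
DEATHRANSOM versions (T1614.001). Added example; LANGID decoding follows the
documented Windows layout, the exclusion list is the one on this page, and the
scenarios are constructed."""
from typing import Iterable, Optional, Tuple

# Windows primary language IDs (low 10 bits of a LANGID) for the languages named
# in the ATT&CK procedure text. Standard Windows values, not taken from a sample.
EXCLUDED_PRIMARY_LANGS = {
    0x19: "Russian",
    0x22: "Ukrainian",
    0x23: "Belarusian",
    0x3F: "Kazakh",
    0x44: "Tatar",
}


def primary_lang(langid: int) -> int:
    """PRIMARYLANGID: low 10 bits of a 16-bit LANGID (0x0419 -> 0x19)."""
    return langid & 0x3FF


def sub_lang(langid: int) -> int:
    """SUBLANGID: the 6 bits above the primary ID (0x0819 -> 0x02, Russian (Moldova))."""
    return (langid >> 10) & 0x3F


def hkl_to_langid(hkl: int) -> int:
    """A keyboard layout handle (HKL, as enumerated by GetKeyboardLayoutList) carries
    the input language identifier in its low 16 bits; the high word is the layout."""
    return hkl & 0xFFFF


def would_exit(user_langid: int, keyboard_layouts: Iterable[int]) -> Tuple[bool, Optional[str]]:
    """Check the user's language ID, then every installed keyboard layout; the
    first hit on the excluded list means 'exit before doing anything'."""
    candidates = [user_langid] + [hkl_to_langid(h) for h in keyboard_layouts]
    for lid in candidates:
        name = EXCLUDED_PRIMARY_LANGS.get(primary_lang(lid))
        if name is not None:
            return True, name
    return False, None


# Constructed scenarios (not observed data): (user LANGID, installed HKLs).
SCENARIOS = {
    "en-US only":                    (0x0409, [0x04090409]),
    "en-US plus Ukrainian layout":   (0x0409, [0x04090409, 0x04220422]),
    "Russian (Moldova) user locale": (0x0819, [0x04090409]),
    "Kazakh user locale":            (0x043F, []),
}

if __name__ == "__main__":
    for label, (langid, layouts) in SCENARIOS.items():
        exits, why = would_exit(langid, layouts)
        print(f"{label:32} -> exit={exits} ({why})")
```

Two things the row alone does not show: the comparison is on the primary language, so regional variants such as 0x0819 (Russian, Moldova) trigger the exit as readily as 0x0419; and a single added keyboard layout is enough even when the user locale is English. Because the page says only some versions perform the check, none of this is a control to rely on; it is context for interpreting a sample that exits silently on one host and encrypts on another.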

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 65fd4854579e894c...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 65fd4854579e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] FireEye FiveHands April 2021: McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  [2] mitre-attack S0616: the MITRE ATT&CK entry for S0616 (DEATHRANSOM) on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.