DeathRansom has finally succeeded at encrypting files. At a high level, this ransomware follows a sensible design: it scans and encrypts files on local and network drives. To enumerate network resources, the malware uses the standard Windows APIs (WNetOpenEnumW, WNetEnumResourceW, etc.). It recursively walks network resources until it reaches an ordinary directory, which it then processes like any other directory (processDir).
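Because the scanner touches both local drives and network shares from a single process, that behaviour is a useful detection signal. The following added example (not code from the page or from the malware) is a small heuristic over constructed file-activity records: it flags a process that modifies many files across several directories spanning both a local drive letter and a UNC share within a short window. The record format, thresholds, PIDs, paths and the `.enc` suffix are all hypothetical choices made for the example.

```python
import re
import ntpath
from collections import defaultdict

# Constructed sample telemetry (hypothetical format, not from the page):
# "<seconds> pid=<pid> op=<WRITE|RENAME> path=<windows path>"
SAMPLE_EVENTS = [
    "0 pid=4120 op=WRITE path=C:\\Users\\alice\\Documents\\q1.xlsx",
    "0 pid=4120 op=RENAME path=C:\\Users\\alice\\Documents\\q1.xlsx.enc",
    "1 pid=4120 op=WRITE path=C:\\Users\\alice\\Pictures\\trip.jpg",
    "1 pid=4120 op=RENAME path=C:\\Users\\alice\\Pictures\\trip.jpg.enc",
    "2 pid=4120 op=WRITE path=\\\\fileserver\\finance\\budget.docx",
    "2 pid=4120 op=RENAME path=\\\\fileserver\\finance\\budget.docx.enc",
    "3 pid=4120 op=WRITE path=\\\\fileserver\\hr\\roster.xlsx",
    "3 pid=4120 op=RENAME path=\\\\fileserver\\hr\\roster.xlsx.enc",
    "4 pid=4120 op=WRITE path=D:\\archive\\old.pdf",
    "4 pid=4120 op=RENAME path=D:\\archive\\old.pdf.enc",
    # A text editor saving the same file twice: should not trigger.
    "5 pid=880 op=WRITE path=C:\\Users\\alice\\Documents\\notes.txt",
    "60 pid=880 op=WRITE path=C:\\Users\\alice\\Documents\\notes.txt",
]

EVENT_RE = re.compile(
    r"^(?P<t>\d+) pid=(?P<pid>\d+) op=(?P<op>WRITE|RENAME) path=(?P<path>.+)$"
)


def parse_event(line):
    """Parse one telemetry line into a dict, or return None if malformed."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {"t": int(m["t"]), "pid": int(m["pid"]), "op": m["op"], "path": m["path"]}


def scope_of(path):
    """Classify where a path lives: 'unc:<host>' for \\\\host\\share paths,
    'local:<drive>' for drive-letter paths."""
    if path.startswith("\\\\"):
        host = path[2:].split("\\", 1)[0]
        return "unc:" + host.lower()
    return "local:" + path[:2].upper()  # e.g. 'C:'


def analyze(lines, window=30, min_files=4, min_dirs=3):
    """Return {pid: details} for processes whose file modifications within
    `window` seconds cover >= min_files distinct files in >= min_dirs
    directories AND span both a local drive and a network share."""
    per_pid = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev:
            per_pid[ev["pid"]].append(ev)

    alerts = {}
    for pid, evs in per_pid.items():
        evs.sort(key=lambda e: e["t"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits in `window` seconds.
            while evs[end]["t"] - evs[start]["t"] > window:
                start += 1
            win = evs[start:end + 1]
            files = {e["path"] for e in win}
            dirs = {ntpath.dirname(e["path"]) for e in win}
            scopes = {scope_of(e["path"]) for e in win}
            local = any(s.startswith("local:") for s in scopes)
            net = any(s.startswith("unc:") for s in scopes)
            if len(files) >= min_files and len(dirs) >= min_dirs and local and net:
                alerts[pid] = {
                    "files": len(files),
                    "dirs": len(dirs),
                    "scopes": sorted(scopes),
                    "first_t": win[0]["t"],
                    "last_t": win[-1]["t"],
                }
                break  # one alert per process is enough
    return alerts


if __name__ == "__main__":
    for pid, info in analyze(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid}: {info['files']} files in {info['dirs']} dirs "
              f"across {info['scopes']} between t={info['first_t']} and t={info['last_t']}")
```

The local-plus-UNC condition is what separates this from a backup job or a bulk editor working inside one tree; in a real deployment the thresholds would be tuned against the environment's own file-server telemetry and the record parser swapped for the actual audit source.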
The following alterations have been made:
The new version of this ransomware encrypts files using a combination of the Curve25519 algorithm for the Elliptic Curve Diffie-Hellman (ECDH) key exchange scheme, Salsa20, RSA-2048, AES-256 in ECB mode, and a simple block XOR algorithm.