On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.
This edition of the Ransomware Roundup covers the DoDo and Proton ransomware.
Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Encrypts and exfiltrates victims’ files and demands ransom for file decryption and not to leak stolen files
Severity level: High
DoDo Ransomware Overview
DoDo ransomware was first reported in February this year. It is a variant of the widely reported and observed Chaos ransomware. Because it is a derivative, the DoDo ransomware is not considered to be a new and recent ransomware. However, a slightly different version of the DoDo ransomware has recently emerged that we describe below.
Infection Vector
DoDo ransomware samples have the “Mercurial Grabber” file icon, which indicates the ransomware was likely distributed as such. Mercurial Grabber is an open-source malware builder that can generate an infostealer configured to steal information such as Discord tokens, machine information, Windows product keys, and Chrome passwords from victims’ machines. It was posted on GitHub on June 3, 2021, with the following disclaimer:
Please do not use the program maliciously. This program is intended to be used for educational purposes only. Mercurial is only used to demonstrate what type of information attackers can grab from a user’s computer. This is a project [sic] was created to make it easier for malware analysts or ordinary users to understand how credential grabbing works and can be used for analysis, research, reverse engineering, or review.
However, threat actors have been actively using this builder to target victims and steal information by using the built-in functions shown in Figure 2, below.
Figure 1: File icon of the DoDo ransomware samples
Figure 2: Mercurial Grabber’s configuration screen
The latest DoDo ransomware samples have been submitted to a public file scanning service from the following countries:
- France
- Germany
- India
- China
- United Kingdom
- Peru
Older variants were submitted from the following countries:
- The Philippines
- United States
- France
- Spain
- Sweden
- Germany
- United Kingdom
- Turkey
- Australia
- Brazil
- Serbia
- Bulgaria
The masquerading of free apps and tools is a classically simple yet effective attack vector used by cybercriminals for years. However, in this case, the DoDo ransomware is masquerading as the nefarious Mercurial Grabber application, which means that the most likely potential victims are either malicious attackers or curious users. This also makes the abundance of submission sources rather surprising, indicating that users worldwide have all managed to somehow find and download a copy of the fake Mercurial Grabber builder.
It is also important to note that the file icon can be easily changed. In other words, it can also impersonate other applications, which all users should be aware of when downloading and using apps off the internet.
Ransomware Execution
While the newer and older DoDo variants drop slightly different ransom notes and add different file extensions to encrypted files, they have two things in common: all DoDo ransomware samples were created using Chaos Builder version 3, which was released in mid-2021, and they all use the same Bitcoin address to receive ransom payments. Chaos ransomware Builder 3 has the disadvantage that it can only encrypt files smaller than 1 MB. Files larger than that are overwritten and considered unrecoverable unless backups remain intact. This really means that DoDo operates much like a wiper for larger files because the attacker cannot recover all of their files even if the ransom payment is made.
The older DoDo ransomware variants dropped a ransomware note labeled “dodov2_readit.txt” and added a “.dodov2” extension to the encrypted files. The ransom demand is $15 worth of Bitcoin or Monero (XMR).
Figure 3: Ransom note dropped by the older DoDo ransomware variants
Figure 4: Files encrypted by the older DoDo ransomware samples
In contrast, the recent DoDo ransomware samples drop a ransom note labeled “PLEASEREAD.txt,” add a “.crypterdodo” extension to the encrypted files, and replace the desktop wallpaper with the same ransom message. The ransom demand is still $15 worth of Bitcoin or Monero (XMR). The attacker has also included a contact email address, likely for better “customer” service. In addition, the Monero address is different from the older variants.
Figure 5: Ransom note dropped by the recent DoDo ransomware samples
Figure 6: Files encrypted by the recent DoDo ransomware samples
Figure 7: Desktop wallpaper replaced by the recent DoDo ransomware samples
The Bitcoin address used by the DoDo ransomware has had more than 40 transactions since May 2022. However, most incoming transactions were under $10, raising questions as to whether they were ransom payments. The Monero addresses were not available at the time of our investigation.
Proton Ransomware Overview
Proton is a recently reported ransomware designed to encrypt files on the Windows platform and demand ransom payments from victims to recover their affected files.
Infection Vector
Information on the infection vector used by the Proton ransomware threat actor is not currently available. However, it is not likely to differ significantly from other ransomware groups.
Proton ransomware samples were submitted to a public file scanning service from the following locations:
- United States
- Italy
- India
- China
- Korea
- Estonia
- Netherland
- Germany
- Russia
- Ukraine
While there is no indication that the Proton ransomware is widespread, this list shows that attackers have the means to distribute ransomware in different parts of the world.
Ransomware Execution
Once executed, the Proton ransomware encrypts files on victims’ machines and adds a “.[the attacker’s contact email address].Proton” extension to the affected files. It also changes the file icon of the encrypted files and drops a ransom note labeled “#[Unique ID assigned to each victim].txt” while replacing the victim’s desktop wallpaper.
Figure 8: Files encrypted by the Proton ransomware
Figure 9: Ransom note dropped by the Proton ransomware
Figure 10: Desktop wallpaper replaced by the Proton ransomware
The Proton ransomware has several minor variants, most adding different contact email addresses as part of the file extensions added to the encrypted files. Below is a list of the contact addresses that the attacker has included in the ransom notes:
- .[filesupport@[redacted]].Proton
- .[vpsadminmain12@[redacted]].Proton
- .[helpdec10@[redacted]].Proton
- .[contact.encryptor@[redacted]].Proton
- .[DoraRec@[redacted]].Proton
- .[RecoverProtonData@[redacted]].Proton
During our research, FortiGuard Labs came across what appears to be the earliest sample of the Proton ransomware (SHA2: f36dda3b97266a6a30d905c73e1f8a45c4b6681e81fb2f8f59b622de899c4421), which was released in late March 2023. While the ransom note calls itself “Proton,” it does not use a “.Proton” file extension. Instead, the sample uses “Kigatsu@[redacted][victim’s unique ID].kigatsu”. The ransom note includes the attacker’s Telegram ID, which is not seen in the recent ransom notes. As shown below, this variant does not replace the file icon of the encrypted files with the unique Proton logo.
Figure 11: Files encrypted by possibly the earliest Proton ransomware sample
Figure 12: Ransom note dropped by possibly the earliest Proton ransomware sample
Another Proton ransomware variant was submitted to a public file scanning service in late June. This variant (SHA2: 3a86c8c0e96ef1984177c41c87dec40fe0df3fe71b8ef951063312010c86c9bb) uses a similar email address and the same Telegram ID as the oldest Proton ransomware sample but adds “.[attacker’s email address].Proton” to encrypted files and also changes their file icon.
Figure 13: Files encrypted by 3a86c8c0e96ef1984177c41c87dec40fe0df3fe71b8ef951063312010c86c9bb
Figure 14: Ransom note dropped by 3a86c8c0e96ef1984177c41c87dec40fe0df3fe71b8ef951063312010c86c9bb
Based on these observations, we believe that the attacker has made some effort to improve the operation of this ransomware since its inception.
Fortinet Protections
Fortinet customers are already protected from this malware variant through AntiVirus and FortiEDR services, as follows:
FortiGuard Labs detects known DoDo ransomware variants with the following AV signatures:
- MSIL/Filecoder.8878!tr.ransom
- MSIL/Filecoder.AGP!tr.ransom
FortiGuard Labs detects known Proton ransomware variants with the following AV signatures:
- W64/Filecoder.PRTN!tr.ransom
- W32/Generic.AC.171!tr
- W32/Agent_AGen.APM!tr.ransom
The FortiGuard AntiVirus service is supported by FortiGate, FortiMail, FortiClient, and FortiEDR. Fortinet EPP customers running current AntiVirus updates are also protected.
IOCs
File-based IOCs:
SHA2 |
Malware |
8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44 |
DoDo Ransomware |
f912cd2a6cd21e828dc32b97eac0ce9b2c4e8d5a7944deaa4bd61f41ab8e1997 |
|
aee45cc2540d49a28e765c30f1c4d0b853c1a74ea2260bd7614ece8e54c3bcb3 |
|
8d76a9a577ea5ad52555a2824db6f5872548fe4bcc47d476cae57603386c4720 |
|
464d6aa8389dad3aebc36f748f6687cb57432ee791b84ff18b3dd5a342ce23a0 |
Proton ransomware |
506dc9f186f820b5e1d39e5f553949415ced6c34d1ef4f4f723ce9d6558cfc5d |
|
877a01b2b6b79572100ba61d799d08569063910a7f56e199bf4805cf0943e140 |
|
31485a7ce7e5b4ae39ee06c8c425fe9090d1520b062b4941ad37233cc4851fe6 |
|
9adae78f48f24419b6f8a895c1244a1576a4c7fe73e9bc32136893630ce735bd |
|
b7fbf5561006e41d56bde9e26895c8be3a3853436870e86f6929f51b719089d9 |
|
8fa93ce6b9dcf00ecf853f266f68aa033b057187c2061b950367c9ec9891571e |
|
e43db9691d7947f7edadb0f9ae8317301aeaea7604f74e69dbcb4b23420e4cbe |
|
6a8ef9185b85490a258eda096777ba0805394e587cf8a0f8f800b87e0594edca |
|
077621c13e3688eb4959b66a1f6f18f3791e5d869e8f064a72498d70b2e36727 |
|
39b8c17d79733974ced9a4beeb112d888174b7addca6cea008eea3846fa33658 |
|
3a86c8c0e96ef1984177c41c87dec40fe0df3fe71b8ef951063312010c86c9bb |
|
f36dda3b97266a6a30d905c73e1f8a45c4b6681e81fb2f8f59b622de899c4421 |
FortiGuard Labs Guidance
Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.
Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:
The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.
Our FREE NSE training: NSE 1 – Information Security Awareness includes a module on internet threats designed to help end users learn how to identify and protect themselves from various types of phishing attacks and can be easily added to internal training programs.
Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.
As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.
Best Practices Include Not Paying a Ransom
Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
How Fortinet Can Help
FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. And our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).
Learn more about Fortinet’s FortiGuard Labs threat research and global intelligence organization and Fortinet’s FortiGuard AI-powered Security Services portfolio.
Source: https://www.fortinet.com/blog/threat-research/ransomware-roundup-dodo-and-proton