Ransomware Roundup – KageNoHitobito and DoNex | FortiGuard Labs

On a bi-weekly basis, FortiGuard Labs gathers data on ransomware variants of interest that have been gaining traction within our datasets and the OSINT community. The Ransomware Roundup report aims to provide readers with brief insights into the evolving ransomware landscape and the Fortinet solutions that protect against those variants.

This edition of the Ransomware Roundup covers the KageNoHitobito and DoNex ransomware.

Affected platforms: Microsoft Windows
Impacted parties: Microsoft Windows Users
Impact: Steals and encrypts victims’ files and demands ransom for file decryption and not releasing the stolen data.
Severity level: High

KageNoHitobito Ransomware Overview

KageNoHitobito ransomware samples became available in late March 2024. As with most ransomware, this ransomware encrypts files on victims’ machines and demands a ransom to decrypt them through dropped ransom notes. Although the group uses TOR to communicate with its victims, a data leak site is unavailable as it does not claim to have stolen any victims’ information.

Infection Vector/Victimology

Information on the infection vector used by the KageNoHitobito ransomware threat actor is unavailable.

The KageNoHitobito ransomware samples were submitted to a publicly available file scanning service from several countries: Chile, China, Cuba, Germany, Iran, Lithuania, Peru, Romania, Sweden, Taiwan, the United Kingdom, and the United States. This suggests that the KageNoHitobito ransomware threat actor may have made the malware available on file-sharing services as fake software or game cheats and lured victims to these locations.

Attack Method

The KageNoHitobito ransomware is designed to encrypt files only on the local drive, not on networked drives. The files encrypted by the ransomware have a “.hitobito” extension.

It avoids encrypting files with the following file extensions:

.dat

.dll

.exe

.ini

.log

.sys

The ransomware is designed not to continue if the current date of the compromised machine is 14 days after March 21, 2024.

The ransomware displays a ransom note on the victim’s desktop and drops a text-based ransom note called “KageNoHitobito_ReadMe.txt.”

KageNoHitobito is Japanese and can be translated as “shadow people.” We could not associate the term “shadow people” with any popular culture, including Japanese anime, to which some threat actors are fixated.

The ransom note instructs victims to visit a TOR site that uses the AbleOnion chat platform and join a chat room. This site does not appear to be specific to the KageNoHitobito ransomware, as the ongoing group chat in both the designated chat room and the group chat at the time of our investigation is unrelated to ransom negotiations.

DoNex Ransomware Overview

DoNex is a relatively new, financially motivated ransomware group first reported in early March 2024. The file creation time of the samples is mid-February, so the ransomware may have been distributed prior to the date of the first report. All victims of the DoNex ransomware on the data leak site were added in February.

Infection Vector

Information about the infection vector used by the DoNex ransomware threat actor is unavailable. However, it is not likely to be significantly different from other ransomware groups.

Victimology

The DoNex ransomware’s data leak site on TOR listed five victims during our investigation. The organizations that were claimed to have been affected by the ransomware are located in Belgium, the Czech Republic, Italy, the Netherlands, and the United States.

Attack Method

The actions of DoNex ransomware are dictated by a configuration file set by the threat actor.

The DoNex ransomware encrypts files on both local drives and network shares, as <local_disks> and <network_shares> are set to true. The ransomware adds a victim ID as a file extension to the affected files and changes their file icons.

According to the <while_extens> section in the configuration file, DoNex ransomware avoids encrypting files with the following extensions:

386

adv

ani

bat

bin

cab

cmd

com

cpl

cur

deskthemepack

diagcab

diagcfg

diagpkg

dll

drv

exe

hlp

icl

icns

ico

ics

idx

lnk

mod

mpa

msc

msp

msstyles

msu

nls

nomedia

ocx

prf

ps1

rom

rtp

scr

shs

spl

sys

theme

themepack

wpx

lock

key

hta

msi

pdb

search-ms

It also avoids encrypting the following files listed in <white_files>:

bootmgr

autorun.inf

boot.ini

bootfont.bin

bootsect.bak

desktop.ini

iconcache.db

ntldr

ntuser.dat

ntuser.dat.log

ntuser.ini

thumbs

db

GDIPFONTCACHEV1.DAT

d3d9caps.dat

The DoNex ransomware does not encrypt files in the following folders listed in <white_folders>:

$recycle.bin

config.msi

$windows.~bt

;$windows.~ws

windows

boot

program files

program files (x86)

programdata

system volume information

tor browser

windows.old

intel

msocache

perflogs

x64dbg

public

all users

default

microsoft

appdata

It terminates the following processes listed in <kill_keep>:

sql

oracle

mysq

chrome

veeam

firefox

excel

msaccess

onenote

outlook

powerpnt

winword

wuauclt

It terminates the following services listed in <services>:

vss

sql

svc$

memtas

mepocs

msexchange

sophos

veeam

backup

GxVss

GxBlr

GxFWD

GxCVD

GxCIMgr

The ransomware is configured to delete shadow copies, making file recovery difficult.     

It then drops a ransom note labeled “Readme.[victim ID].txt} that demands contact via a TOR site, TOX chat, or email.

Another ransomware, DarkRace, which appeared in mid-2023, uses a very similar ransom note and has the same configuration file, indicating that DoNex is possibly based on DarkRace and that the threat actor behind DoNex may be the same as DarkRace.

Data Leak Site

During our research, the DoNex ransomware was operating a data leak site on TOR, which listed five victims in Europe and North America.

Since no new victims have been added since February 27th, the threat actor has likely already ceased operations and moved on.

Fortinet Protections

The KageNoHitobito and DoNex/DarkRace ransomware described in this report are detected and blocked by FortiGuard Antivirus as:

  • MSIL/Filecoder.BCL!tr.ransom
  • W32/Agent.AEUZ!tr.ransom

FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is a part of each of those solutions. As a result, customers who have these products with up-to-date protections are protected.

IOCs

KageNoHitobito and DoNex/DarkRace Ransomware File IOCs

SHA2

Note

8939bfe20bc6476806d22c8edfcaba5c36f936b893b3de1c847558502654c82f

Hitobito ransomware

1940fcdb2561c2f7b82f6c44d22a9906e5ffec2438d5dadfe88d1608f5f03c33

506e8753dd5ca1c8387be32f26367e26f242b7c65e61203f7f926506c04163aa

8a10e0dc4994268ea33baecd5e89d1e2ddabef30afa09961257a4329669e857a

bec9d2dcd9565bb245f5c8beca4db627390bcb4699dd5da192cc8aba895e0e6a

0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca

DoNex ransomware

6d6134adfdf16c8ed9513aba40845b15bd314e085ef1d6bd20040afd42e36e40

b32ae94b32bcc5724d706421f915b7f7730c4fb20b04f5ab0ca830dc88dcce4e

74b5e2d90daaf96657e4d3d800bb20bf189bb2cf487479ea0facaf6182e0d1d3

DarkRace ransomware(predecessor of DoNex)

0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4

FortiGuard Labs Guidance

Due to the ease of disruption, damage to daily operations, potential impact on an organization’s reputation, and the unwanted destruction or release of personally identifiable information (PII), etc., it is vital to keep all AV and IPS signatures up to date.

Since the majority of ransomware is delivered via phishing, organizations should consider leveraging Fortinet solutions designed to train users to understand and detect phishing threats:

The FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness and vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted phishing attacks.

Our FREE Fortinet Certified Fundamentals (FCF) in Cybersecurity training. The training is designed to help end users learn about today’s threat landscape and will introduce basic cybersecurity concepts and technology.

Organizations will need to make foundational changes to the frequency, location, and security of their data backups to effectively deal with the evolving and rapidly expanding risk of ransomware. When coupled with digital supply chain compromise and a workforce telecommuting into the network, there is a real risk that attacks can come from anywhere. Cloud-based security solutions, such as SASE, to protect off-network devices; advanced endpoint security, such as EDR (endpoint detection and response) solutions that can disrupt malware mid-attack; and Zero Trust Access and network segmentation strategies that restrict access to applications and resources based on policy and context, should all be investigated to minimize risk and to reduce the impact of a successful ransomware attack.

As part of the industry’s leading fully integrated Security Fabric, delivering native synergy and automation across your security ecosystem, Fortinet also provides an extensive portfolio of technology and human-based as-a-service offerings. These services are powered by our global FortiGuard team of seasoned cybersecurity experts.

FortiRecon is a SaaS based Digital Risk Prevention Service backed by cybersecurity experts to provide unrivaled threat intelligence on the latest threat actor activity across the dark web, providing a rich understanding of threat actors’ motivations and TTPs. The service can detect evidence of attacks in progress allowing customers to rapidly respond to and shut down active threats.

Best Practices Include Not Paying a Ransom

Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).

How Fortinet Can Help

FortiGuard Labs’ Emergency Incident Response Service provides rapid and effective response when an incident is detected. Our Incident Readiness Subscription Service provides tools and guidance to help you better prepare for a cyber incident through readiness assessments, IR playbook development, and IR playbook testing (tabletop exercises).

Additionally, FortiRecon Digital Risk Protection (DRP) is a SaaS-based service that provides a view of what adversaries are seeing, doing, and planning to help you counter attacks at the reconnaissance phase and significantly reduce the risk, time, and cost of later-stage threat mitigation.

Source: Original Post