The D0glun ransomware, first identified on January 16, 2025, shows an unusual mode of operation: it displays the victim's private information and demands a KEY and ID for file decryption. The operation shows signs of low confidence, suggesting an inexperienced actor. Affected: ransomware, cybersecurity
Key points:
- D0glun ransomware was first submitted on January 16, 2025.
- It displays the victim’s private information, including QQ and TG identifiers.
- The ransomware uses a unique product name and version (8180VPN, 1.0.0.0).
- A warning text file is displayed on the desktop showing infection date and time.
- A ransom note informs victims of the types of files encrypted and recovery options.
- Encrypted files are given common, ordinary-looking suffixes rather than the distinctive extensions typical ransomware appends.
- The decryption process requires entering a specific KEY and ID with no time limits mentioned.
- Multiple files are dropped onto the C: drive, including @cxl.bmp, @Main wallpaper.bmp, and others in the C:\config directory.
- Payment instructions and attacker information are presented upon running a specific executable.
- The operation appears motivated by both a desire for monetary gain and novelty.
MITRE Techniques:
- TA0040 – Discovery: The ransomware retrieves information about the victim’s environment before encrypting files.
- TA0010 – Initial Access: Using executables like [@]Chengxilun.exe to gain access to the victim’s system.
- TA0001 – Execution: The ransomware payload executes via user interaction or scripts.
- TA0007 – Persistence: Maintains persistence by creating multiple files and configurations within the system.
Indicators of Compromise:
- MD5: 80422A4B94653C8C10E33767ED8C155B
- File path: C:\@cxl.bmp
- File path: C:\@Main wallpaper.bmp
- File path: Runcxl.txt
- Email address: cx113131[@]163[.]com
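The indicators above are published defanged ("[@]", "[.]"), so a responder has to refang them before matching, and a useful sweep checks three things at once: dropped file names, the sample hash, and the contact address that appears in the ransom note. The following Python script is an added example written for this summary, not code from the original blog post. It embeds the page's indicators, walks a directory tree hashing every file, and also searches small text files for the refanged e-mail address. The sample tree it builds (`build_demo_tree`) is constructed for the demonstration: the planted files carry placeholder bytes, and the hash of the constructed `dropper.bin` is added to the indicator set only to exercise the hash-matching path, since no real sample is included.

```python
"""IoC sweep for the D0glun indicators listed above (added example, constructed sample data)."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators exactly as published on the page, defanged form kept as-is.
PAGE_IOCS = {
    "md5": {"80422A4B94653C8C10E33767ED8C155B"},
    "file_names": {"@cxl.bmp", "@Main wallpaper.bmp", "Runcxl.txt", "[@]Chengxilun.exe"},
    "emails": {"cx113131[@]163[.]com"},
}

TEXT_SCAN_LIMIT = 1_000_000  # only search text content in small files (notes, configs)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[@]', '[.]') back into its live form for matching."""
    return indicator.replace("[@]", "@").replace("[.]", ".")


def md5_hex(path: Path) -> str:
    """Stream the file through MD5 so large files never have to be loaded whole."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest().upper()


def normalise(iocs: dict) -> dict:
    """Refang and case-fold every indicator once, so matching is cheap inside the walk."""
    return {
        "md5": {m.upper() for m in iocs["md5"]},
        "file_names": {refang(n).lower() for n in iocs["file_names"]},
        "emails": {refang(e).lower() for e in iocs["emails"]},
    }


def sweep(root: Path, iocs: dict = PAGE_IOCS) -> list:
    """Walk `root` and report every file matching a name, hash or ransom-note e-mail indicator."""
    live = normalise(iocs)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.lower() in live["file_names"]:
                hits.append({"path": str(path), "type": "file_name", "indicator": name})
            try:
                digest = md5_hex(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole sweep
            if digest in live["md5"]:
                hits.append({"path": str(path), "type": "md5", "indicator": digest})
            if path.stat().st_size <= TEXT_SCAN_LIMIT:
                text = path.read_bytes().decode("utf-8", errors="ignore").lower()
                for email in live["emails"]:
                    if email in text:
                        hits.append({"path": str(path), "type": "email", "indicator": email})
    return hits


def build_demo_tree(root: Path) -> dict:
    """Constructed sample tree (no real malware): one name hit, one note with the contact
    address, one benign file, and one placeholder binary whose hash we add as an indicator."""
    (root / "config").mkdir()
    (root / "@cxl.bmp").write_bytes(b"BM placeholder bitmap bytes")
    (root / "config" / "README.txt").write_text("Contact cx113131@163.com with your KEY and ID.")
    (root / "report.txt").write_text("quarterly numbers, nothing to see")
    planted = root / "dropper.bin"
    planted.write_bytes(b"constructed payload bytes, not the real sample")
    return {"planted_md5": md5_hex(planted)}


def demo() -> dict:
    """Run the sweep over the constructed tree and return a compact summary of the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        meta = build_demo_tree(root)
        # Constructed hash added alongside the page's MD5 so the hash path is exercised.
        iocs = {**PAGE_IOCS, "md5": PAGE_IOCS["md5"] | {meta["planted_md5"]}}
        hits = sweep(root, iocs)
    return {
        "types": sorted(h["type"] for h in hits),
        "paths": sorted(Path(h["path"]).name for h in hits),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as a script to see the three hit types from the constructed tree; to sweep a real volume, call `sweep(Path("C:/"))` with the default `PAGE_IOCS`. Name matching is case-insensitive because the page lists paths in mixed case, and the e-mail search is limited to small files so the walk stays practical on a full drive.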
Full Story: https://malwareanalysisspace.blogspot.com/2025/02/the-ransom-group-d0glun-is-it-hidden.html