DoNex Ransomware Encrypts Victim Drives


While examining new file samples, we identified a ransomware variant known as DoNex. This ransomware encrypts data, drops a ransom note titled "Readme.[victim's_ID].txt", and appends an extension consisting of the victim's ID to the names of all encrypted files.

For instance, DoNex alters filenames by transforming "1.jpg" into "1.jpg.f58A66B51," "2.png" into "2.png.f58A66B51," and so forth. The ransom note begins with a bold warning regarding the presence of the DoNex ransomware, notifying the victim that their data has been encrypted and will be exposed on a TOR website unless the ransom is paid. The note includes a link to download the Tor Browser for accessing the specified website.
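The renaming behavior described above gives a defender two file-system artifacts to look for: a note named "Readme.<ID>.txt" and files whose names end in ".<ID>" for that same ID. The following triage script is an added example written for this page, not code from the original write-up or from any analysis tool; it treats the victim ID as an alphanumeric token (an assumption based on the "f58A66B51" sample, not a documented DoNex format) and runs over a constructed list of paths.

```python
import re
from collections import defaultdict

# Ransom-note file name pattern from the write-up: "Readme.<victim ID>.txt".
# The alphanumeric character class for the ID is an assumption.
NOTE_RE = re.compile(r"^Readme\.([0-9A-Za-z]+)\.txt$")


def _basename(path):
    # Accept both Windows and POSIX separators so the sample runs anywhere.
    return re.split(r"[\\/]", path)[-1]


def find_victim_ids(paths):
    """Return the set of victim IDs extracted from ransom-note file names."""
    ids = set()
    for p in paths:
        m = NOTE_RE.match(_basename(p))
        if m:
            ids.add(m.group(1))
    return ids


def find_encrypted_files(paths, victim_ids):
    """Map each victim ID to the paths whose file name ends with '.<ID>'.

    The ransom note itself is skipped so it is not reported as encrypted.
    """
    hits = defaultdict(list)
    for p in paths:
        name = _basename(p)
        if NOTE_RE.match(name):
            continue
        for vid in victim_ids:
            # Require an original name before the appended ID, e.g. "1.jpg.f58A66B51".
            if name.endswith("." + vid) and len(name) > len(vid) + 1:
                hits[vid].append(p)
    return dict(hits)


def triage(paths):
    """Summarize likely DoNex artifacts in a list of paths."""
    ids = find_victim_ids(paths)
    return {
        "victim_ids": sorted(ids),
        "encrypted": find_encrypted_files(paths, ids),
    }


# Constructed sample listing; the ID matches the example in the write-up.
SAMPLE_PATHS = [
    r"C:\Users\alice\Pictures\1.jpg.f58A66B51",
    r"C:\Users\alice\Pictures\2.png.f58A66B51",
    r"C:\Users\alice\Pictures\Readme.f58A66B51.txt",
    r"C:\Users\alice\Documents\report.docx",   # untouched file
    "/srv/share/notes.txt",                    # untouched file
]

if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    print("victim IDs:", result["victim_ids"])
    for vid, files in result["encrypted"].items():
        print(f"{vid}: {len(files)} encrypted file(s)")
        for f in files:
            print("  ", f)
```

Because the ID is recovered from the note rather than hard-coded, the same script works for any DoNex infection that follows this naming scheme; the count of ".<ID>" files per share is a quick way to scope which hosts were reached before restoring from backup.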

In an attempt to reassure the victim, the note emphasizes that the group behind DoNex is driven by financial motives rather than political ones. They pledge to provide decryption tools and erase the victim's data upon payment, underscoring the significance of their reputation.

Furthermore, the note offers the option to decrypt one file free of charge to verify the decryption process. Contact details for communication are provided, including a Tox ID, an email address (donexsupport@onionmail.org), and a caution against deleting or modifying files to avoid complications in recovery. The note concludes with a threat of additional attacks on the victim's company if the ransom remains unpaid.

DoNex Ransom Note

The full text of the DoNex ransom note reads as follows:

DoNex ransomware warning
Your data are stolen and encrypted

The data will be published on TOR website if you do not pay the ransom

Links for Tor Browser:

What guarantees that we will not deceive you?

We are not a politically motivated group and we do not need anything other than your money.

If you pay, we will provide you the programs for decryption and we will delete your data.

If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future.

Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment.

You need contact us and decrypt one file for free on these TOR sites with your personal DECRYPTION ID

Download and install TOR Browser hxxps://www.torproject.org/
Write to a chat and wait for the answer, we will always answer you.

You can install qtox to contanct us online hxxps://tox.chat/download.html
Tox ID Contact: 2793D009872AF80ED9B1A461F7B9BD6209 744047DC1707A42CB622053716AD4BA624193606C9

Mail (OnionMail) Support: donexsupport@onionmail.org

Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems!

Warning! If you do not pay the ransom we will attack your company repeatedly again!

How is Ransomware Commonly Distributed Online?

Ransomware is commonly distributed online through various methods, taking advantage of vulnerabilities and human behavior. Here are some common ways ransomware is spread:

Phishing Emails:
Email Attachments: Cybercriminals often send phishing emails with malicious attachments, such as infected documents or executables. Once the attachment is opened, the ransomware is deployed on the victim's system.
Malicious Links: Phishing emails may also contain links to malicious websites. Clicking on these links can lead to the download and execution of ransomware.

Malvertising:
Malicious advertisements, or malvertising, can be found on legitimate websites. Clicking on these ads may redirect users to sites that host ransomware, leading to an unintentional download and infection.

Drive-by Downloads:
Ransomware can be silently downloaded onto a user's system without their knowledge when visiting compromised or malicious websites. Exploiting vulnerabilities in browsers or plugins is a common method.

Exploit Kits:
Exploit kits are toolkits that target known vulnerabilities in software. If a user's system has outdated software with unpatched vulnerabilities, the exploit kit can deliver and execute ransomware.

Watering Hole Attacks:
Cybercriminals may compromise websites frequented by a specific target group, exploiting the trust users have in those sites to deliver ransomware. This is known as a watering hole attack.

Remote Desktop Protocol (RDP) Attacks:
Attackers may exploit weak or default passwords on Remote Desktop Protocol (RDP) services. Once access is gained, they can manually deploy ransomware on the victim's network.

Software Vulnerabilities:
Exploiting vulnerabilities in software is a common method. This includes weaknesses in operating systems, applications, or services that, when left unpatched, provide an entry point for ransomware.

March 7, 2024

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.