KageNoHitobito ransomware samples became available in late March 2024. As with most ransomware, this ransomware encrypts files on victims' machines and demands a ransom to decrypt them through dropped ransom notes. Although the group uses TOR to communicate with its victims, a data leak site is unavailable as it does not claim to have stolen any victims' information.
Infection Vector/Victimology - Information on the infection vector used by the KageNoHitobito ransomware threat actor is unavailable.
The KageNoHitobito ransomware samples were submitted to a publicly available file scanning service from several countries: Chile, China, Cuba, Germany, Iran, Lithuania, Peru, Romania, Sweden, Taiwan, the United Kingdom, and the United States. This suggests that the KageNoHitobito ransomware threat actor may have made the malware available on file-sharing services as fake software or game cheats and lured victims to these locations.
Attack Method - The KageNoHitobito ransomware is designed to encrypt files only on the local drive, not on networked drives. The files encrypted by the ransomware have a “.hitobito” extension.[1]
Figure 1: Files encrypted by the KageNoHitobito ransomware.
It avoids encrypting files with the following file extensions:
|
.dat |
.dll |
.exe |
|
.ini |
.log |
.sys |
The ransomware is designed not to continue if the current date of the compromised machine is 14 days after 21 March 21 2024.
Figure 2: KageNoHitobito ransomware code to not run beyond 14 days after 21 March 2024.
The ransomware displays a ransom note on the victim’s desktop and drops a text-based ransom note called "KageNoHitobito_ReadMe.txt."
Figure 3: KageNoHitobito ransomware’s ransom note displayed on the victim’s desktop
Figure 4: Text version of the KageNoHitobito ransomware’s ransom note
KageNoHitobito is Japanese and can be translated as "shadow people." Analysts could not associate the term "shadow people" with any popular culture, including Japanese anime, to which some threat actors are fixated. The ransom note instructs victims to visit a TOR site that uses the AbleOnion chat platform and join a chat room. This site does not appear to be specific to the KageNoHitobito ransomware, as the ongoing group chat in both the designated chat room and the group chat at the time of our investigation is unrelated to ransom negotiations.
Figure 5: The TOR site that the KageNoHitobito ransomware uses for ransom negotiations
Figure 6: Ongoing chat at the time of our investigation
DoNex Ransomware Overview - DoNex is a relatively new, financially motivated ransomware group first reported in early March 2024. The file creation time of the samples is mid-February, so the ransomware may have been distributed prior to the date of the first report. All victims of the DoNex ransomware on the data leak site were added in February.
Infection Vector - Information about the infection vector used by the DoNex ransomware threat actor is unavailable. However, it is not likely to be significantly different from other ransomware groups.
Victimology - The DoNex ransomware’s data leak site on TOR listed five victims during our investigation. The organizations that were claimed to have been affected by the ransomware are located in Belgium, the Czech Republic, Italy, the Netherlands, and the United States.
Attack Method - The actions of DoNex ransomware are dictated by a configuration file set by the threat actor.
Figure 7a DoNex ransomware’s configuration file
The DoNex ransomware encrypts files on both local drives and network shares, as <local_disks> and <network_shares> are set to true. The ransomware adds a victim ID as a file extension to the affected files and changes their file icons.
Figure 8: Files encrypted by the DoNex ransomware
According to the <while_extens> section in the configuration file, DoNex ransomware avoids encrypting files with the following extensions:
|
386 |
adv |
ani |
bat |
bin |
|
cab |
cmd |
com |
cpl |
cur |
|
deskthemepack |
diagcab |
diagcfg |
diagpkg |
dll |
|
drv |
exe |
hlp |
icl |
icns |
|
ico |
ics |
idx |
lnk |
mod |
|
mpa |
msc |
msp |
msstyles |
msu |
|
nls |
nomedia |
ocx |
prf |
ps1 |
|
rom |
rtp |
scr |
shs |
spl |
|
sys |
theme |
themepack |
wpx |
lock |
|
key |
hta |
msi |
pdb |
search-ms |
It also avoids encrypting the following files listed in <white_files>:
|
bootmgr |
autorun.inf |
boot.ini |
bootfont.bin |
bootsect.bak |
|
desktop.ini |
iconcache.db |
ntldr |
ntuser.dat |
ntuser.dat.log |
|
ntuser.ini |
thumbs |
db |
GDIPFONTCACHEV1.DAT |
d3d9caps.dat |
The DoNex ransomware does not encrypt files in the following folders listed in <white_folders>:
|
$recycle.bin |
config.msi |
$windows.~bt |
;$windows.~ws |
|
windows |
boot |
program files |
program files (x86) |
|
programdata |
system volume information |
tor browser |
windows.old |
|
intel |
msocache |
perflogs |
x64dbg |
|
public |
all users |
default |
microsoft |
|
appdata |
|
|
|
It terminates the following processes listed in <kill_keep>:
|
sql |
oracle |
mysq |
chrome |
veeam |
|
firefox |
excel |
msaccess |
onenote |
outlook |
|
powerpnt |
winword |
wuauclt |
|
|
It terminates the following services listed in <services>:
|
vss |
sql |
svc$ |
memtas |
mepocs |
|
msexchange |
sophos |
veeam |
backup |
GxVss |
|
GxBlr |
GxFWD |
GxCVD |
GxCIMgr |
|
The ransomware is configured to delete shadow copies, making file recovery difficult. It then drops a ransom note labeled “Readme.[victim ID].txt} that demands contact via a TOR site, TOX chat, or email.
Figure 9: The DoNex ransomware’s ransom note
Another ransomware, DarkRace, which appeared in mid-2023, uses a very similar ransom note and has the same configuration file, indicating that DoNex is possibly based on DarkRace and that the threat actor behind DoNex may be the same as DarkRace.
Figure 10: The DarkRace ransomware’s ransom note. Sentences also included in the DoNex ransomware’s ransom note are underlined in red.
Figure 11: The configuration file used by the DarkRace ransomware
Data Leak Site - During our research, the DoNex ransomware was operating a data leak site on TOR, which listed five victims in Europe and North America.
Figure 12: The DoNex ransomware’s data leak site
Since no new victims have been added since February 27th, the threat actor has likely already ceased operations and moved on.
IOCs
KageNoHitobito and DoNex/DarkRace Ransomware File IOCs
|
SHA2 |
Note |
|
8939bfe20bc6476806d22c8edfcaba5c36f936b893b3de1c847558502654c82f |
Hitobito ransomware |
|
1940fcdb2561c2f7b82f6c44d22a9906e5ffec2438d5dadfe88d1608f5f03c33 |
|
|
506e8753dd5ca1c8387be32f26367e26f242b7c65e61203f7f926506c04163aa |
|
|
8a10e0dc4994268ea33baecd5e89d1e2ddabef30afa09961257a4329669e857a |
|
|
bec9d2dcd9565bb245f5c8beca4db627390bcb4699dd5da192cc8aba895e0e6a |
|
|
0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca |
DoNex ransomware |
|
6d6134adfdf16c8ed9513aba40845b15bd314e085ef1d6bd20040afd42e36e40 |
|
|
b32ae94b32bcc5724d706421f915b7f7730c4fb20b04f5ab0ca830dc88dcce4e |
|
|
74b5e2d90daaf96657e4d3d800bb20bf189bb2cf487479ea0facaf6182e0d1d3 |
DarkRace ransomware(predecessor of DoNex) |
|
0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4 |
Best Practices Include Not Paying a Ransom - Organizations such as CISA, NCSC, the FBI, and HHS caution ransomware victims against paying a ransom partly because the payment does not guarantee that files will be recovered. According to a US Department of Treasury's Office of Foreign Assets Control (OFAC) advisory, ransom payments may also embolden adversaries to target additional organizations, encourage other criminal actors to distribute ransomware, and/or fund illicit activities that could potentially be illegal. For organizations and individuals affected by ransomware, the FBI has a Ransomware Complaint page where victims can submit samples of ransomware activity via their Internet Crimes Complaint Center (IC3).
This article is shared at no charge and is for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please get in touch with the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5378972949933166424
[1] https://www.fortinet.com/blog/threat-research/ransomware-roundup-keganohitobito-and-donex?lctg=141970831
Comments