Ransomware Remix: How DoNex DJs with Darkrace’s Discarded LockBit Beats

Ready to meet the copycat crooks of cyberspace? Introducing DoNex, the ransomware rookies playing dress-up with LockBit’s leaked look. Think of them as the tribute band of the malware world—less rock, more “lock (your files)”. Encore, anyone?

Hot Take:

Another day, another ransomware! DoNex is like that one cover band that thinks they’re The Beatles because they can play “Twist and Shout.” Just when you thought the ransomware scene couldn’t get more “been there, encrypted that,” along comes DoNex, rifling through LockBit’s old wardrobe, trying to pass off last season’s cyberthreats as haute couture. Hacking originality, where art thou?

Key Points:

  • DoNex is the new kid on the block, but they’re playing with old toys, namely the LockBit ransomware source code.
  • They’ve managed to stay under the radar by shutting down their leak site, like a cyber ninja… or maybe more like a cyber-ninja wannabe.
  • Their sample is no-frills on arrival: it hides its own console window and uses a mutex check to make sure only one copy of itself is running at a time.
  • DoNex seems to be a Jack-of-one-trade, focusing on encryption and not much else—no fancy footwork here.
  • They clean up after themselves by wiping recycle bins and clearing event logs, because no one likes a messy criminal.

Need to know more?

Rise of the Clone Wars

It's like a bad case of déjà vu; we've got yet another LockBit spinoff on our hands. Enter Darkrace's doppelganger, DoNex, making its grand entrance eight months later. You'd think they'd try to spice things up a bit, but nope, it's the same routine with a slightly different mask. If imitation is the sincerest form of flattery, LockBit must be blushing harder than a teenager on prom night.

Under the Hood (Without the Muscle)

Get ready for a wild ride through the disassembly view, where the DoNex sample struts its stuff. It's not packed, it's 32-bit, and it's wearing that Visual C/C++ compiler like last year's fashion. The binary's opening moves are standard fare: it hides its own console window, then creates a named mutex and bows out if one already exists, which is the usual way of making sure only one copy runs. It's all about that single-application lifestyle, folks.
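The claims above (unpacked, 32-bit, MSVC-built, console hiding, mutex check) are the kind you confirm in a first-pass static triage before opening a disassembler. The script below is an added example, not code from the original write-up: it reads the COFF Machine field for bitness, uses whole-file entropy as a crude "is it packed" check, and string-scans for the Windows APIs normally behind console hiding (GetConsoleWindow/ShowWindow, FreeConsole) and single-instance mutexes (CreateMutex + GetLastError). The PE bytes it inspects are a constructed stand-in, not a DoNex sample, and the "MSVC runtime DLL name present" heuristic is an assumption for illustration, not a reliable compiler fingerprint.

```python
"""First-pass static triage of a PE sample (added example, constructed input)."""
import math
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664

# API names whose presence lines up with the behaviour described in the
# write-up: a single-instance mutex check and hiding the console window.
WATCHLIST = [b"CreateMutexA", b"CreateMutexW", b"GetLastError",
             b"GetConsoleWindow", b"ShowWindow", b"FreeConsole"]


def pe_bitness(data: bytes) -> str:
    """Return '32-bit', '64-bit' or 'unknown' from the COFF Machine field."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    return {IMAGE_FILE_MACHINE_I386: "32-bit",
            IMAGE_FILE_MACHINE_AMD64: "64-bit"}.get(machine, "unknown")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the whole buffer; packed or encrypted data sits near 7.5-8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes) -> dict:
    """Summarise what a first look at the sample would note."""
    entropy = shannon_entropy(data)
    hits = [name.decode() for name in WATCHLIST if name in data]
    return {
        "bitness": pe_bitness(data),
        "entropy": round(entropy, 2),
        "likely_packed": entropy > 7.0,
        # Assumption for the demo: an MSVC runtime DLL name in the import
        # strings is taken as a weak hint that the build was Visual C/C++.
        "msvc_runtime_hint": b"MSVCR" in data or b"VCRUNTIME" in data,
        "watchlist_hits": hits,
    }


def build_sample() -> bytes:
    """Construct a minimal PE-shaped blob for the demo (not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (0x0102 = EXE, 32-bit)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 1, 0, 0, 0, 0, 0x0102)
    # Import-table-style strings, roughly as they would appear in a real binary.
    body = b"\0".join([b"KERNEL32.dll", b"CreateMutexA", b"GetLastError",
                       b"FreeConsole", b"ShowWindow", b"VCRUNTIME140.dll"])
    return bytes(dos) + b"PE\0\0" + coff + body + b"\0" * 64


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key:>18}: {value}")
```

Run it against a real sample by replacing `build_sample()` with the file's bytes. A hit on the watchlist is only a prompt to look at the call sites in the disassembler; legitimate software uses every one of those APIs too.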

Encryption Hokey Pokey

DoNex is doing the encryption hokey pokey, turning files around; that's what it's all about. It sets up its cryptosystem and drops some icon files like they're hot. Then it's a quick registry tango, registering one of those icons for its encrypted-file extension so every locked file gets that "je ne sais quoi" (read: a fancy new icon). The pièce de résistance? Emptying the recycle bins, because littering is a no-no, even for ransomware.

The Great Encryption Caper

With all the subtlety of a bull in a china shop, DoNex sets the stage for the main event. It's not just about encryption; it's about doing it with flair. Think synchronized swimming, but with files and encryption keys. And like any good show, it ends with a bang—or rather, a ransom note and a hard device restart. Talk about drama.

Network Share Follies

But wait, there's more! DoNex isn't satisfied with just the local files; it wants to go global (or at least as global as network shares allow). It's like that one friend who's not content with just crashing your party; they want to invite themselves to your neighbor's shindig, too. It enumerates, it connects, it encrypts. It's the life of the party—until it clears the event logs and peaces out.
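The icon registration from the "Encryption Hokey Pokey" section and the recycle-bin and event-log cleanup described here all leave telemetry behind, and that is where a defender gets a say. The script below is an added example, not part of the original analysis: a small hunt in Python over constructed Windows event records that flags Sysmon event 13 (registry value set) writes to a DefaultIcon key under Classes, Sysmon 23/26 (file delete) events inside $Recycle.Bin, and Security 1102 / System 104 "log cleared" events, then correlates them per host. The host names, timestamps, the `.locked` extension and the payload path are all made up; the field names mirror Sysmon's TargetObject/TargetFilename naming in lower-case form, which is an assumption about how your pipeline flattens them.

```python
"""Hunt for ransomware staging and cleanup in Windows telemetry (added example, constructed events)."""
from collections import defaultdict

# Well-known event IDs (not specific to DoNex):
#   Security 1102 - the audit log was cleared
#   System 104    - an event log was cleared (Microsoft-Windows-Eventlog)
#   Sysmon 13     - registry value set
#   Sysmon 23/26  - file delete (archived / detected)
LOG_CLEARED = {("Security", 1102), ("System", 104)}


def rule_log_cleared(ev):
    """Security 1102 / System 104: somebody wiped an event log."""
    if (ev["channel"], ev["event_id"]) in LOG_CLEARED:
        return "event log cleared: " + ev["channel"]
    return None


def rule_icon_hijack(ev):
    """Sysmon 13 write to ...\\Classes\\<.ext>\\DefaultIcon: a new icon for an extension."""
    if ev["channel"] != "Sysmon" or ev["event_id"] != 13:
        return None
    parts = ev.get("target_object", "").split("\\")
    if (len(parts) >= 3 and parts[-1] == "DefaultIcon"
            and parts[-2].startswith(".") and parts[-3] == "Classes"):
        return "DefaultIcon registered for extension " + parts[-2]
    return None


def rule_recycle_bin_purge(ev):
    """Sysmon 23/26 deletions inside $Recycle.Bin: bins being emptied."""
    if ev["channel"] == "Sysmon" and ev["event_id"] in (23, 26):
        if "\\$Recycle.Bin\\" in ev.get("target_filename", ""):
            return "file removed from Recycle Bin"
    return None


RULES = [rule_log_cleared, rule_icon_hijack, rule_recycle_bin_purge]


def hunt(events):
    """Map host -> time-ordered list of (time, rule name, finding)."""
    findings = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings[ev["host"]].append((ev["time"], rule.__name__, hit))
    return dict(findings)


def suspicious_hosts(events, min_distinct_rules=2):
    """Hosts where two or more different behaviours fired; one alone is often noise."""
    out = []
    for host, hits in hunt(events).items():
        if len({name for _, name, _ in hits}) >= min_distinct_rules:
            out.append(host)
    return sorted(out)


# Constructed sample telemetry: one host showing the full sequence, one benign.
SAMPLE_EVENTS = [
    {"host": "ws01", "channel": "Sysmon", "event_id": 13, "time": "2024-03-01T10:01:00",
     "image": r"C:\Users\Public\payload.exe",
     "target_object": r"HKLM\SOFTWARE\Classes\.locked\DefaultIcon"},
    {"host": "ws01", "channel": "Sysmon", "event_id": 23, "time": "2024-03-01T10:01:05",
     "image": r"C:\Users\Public\payload.exe",
     "target_filename": r"C:\$Recycle.Bin\S-1-5-21-1\$R3F2A1.docx"},
    {"host": "ws01", "channel": "System", "event_id": 104, "time": "2024-03-01T10:40:00"},
    {"host": "ws01", "channel": "Security", "event_id": 1102, "time": "2024-03-01T10:40:01"},
    {"host": "ws02", "channel": "Security", "event_id": 4624, "time": "2024-03-01T10:02:00"},
]


if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        for when, _, what in hits:
            print(f"{host} {when} {what}")
    print("escalate:", suspicious_hosts(SAMPLE_EVENTS))
```

The per-host correlation is the point: a single DefaultIcon write is what every installer does, and admins do clear logs, but an icon registered for a fresh extension followed within the hour by both logs being cleared is a different story. Feed the rules from your real Sysmon and Security log exports and tune `min_distinct_rules` to your noise level.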

Conclusion: The Remix Nobody Asked For

DoNex is like a remix of a song that wasn’t great to begin with. They’re repackaging old threats and hoping no one notices they're just LockBit's less cool sibling. But hey, in the world of ransomware, it's not about innovation; it's about persistence. DoNex might not be breaking new ground, but they're certainly trying to break into your systems. Keep those eyes peeled and those backups ready, folks. It's a jungle out there.

Tags: binary analysis, DoNex group, LockBit Ransomware, malware reverse engineering, ransomware analysis, ransomware trends, threat actors