d0n

[Content by Gemini 2.5]

Below is a consolidated, current-knowledge report on the ransomware strain that appends the extension .d0n to encrypted files.


1. Technical Breakdown

1.1 File Extension & Renaming Patterns

  • Exact extension appended: .d0n
  • Renaming convention: encrypted files keep the original filename exactly as-is; only the suffix is appended.
    Example progression:
    QuarterlyReport.xlsx → QuarterlyReport.xlsx.d0n
    ServerBackup.zip → ServerBackup.zip.d0n

1.2 Detection & Outbreak Timeline

  • First OSINT-recorded cluster of infections: late February 2024
  • Sharp spike documented in underground forums mid-March 2024, triggered by a large-scale phishing blast written in broken English.

1.3 Primary Attack Vectors

Distribution chain (in order of prevalence):

  1. Email phishing
    • ISO or IMG attachment (ISO variant: 700 KB, 47 % of observed samples)
    • An LNK shortcut inside the image calls a PowerShell dropper (winupd.ps1).
  2. Compromised RDP / brute-forced weak credentials
    • Logging in over port 3389/TCP and manually deploying updater.exe.
  3. Malicious advertisement (malvertising)
    • Fake Evernote, AnyDesk, or Notion ads redirecting to RIG-like exploit kits that target browser or software zero-days.

2. Remediation & Recovery Strategies

2.1 Prevention

Initial checklist—defend before any .d0n appears:
  • Disable ISO, IMG and VHD auto-mount via Group Policy (Administrative Templates\System\Removable Storage Access).
  • Enforce MFA on every exposed RDP entry point (RD Gateway, VPN or SASE).
  • Push and verify patches now—the dropper chain delivers Cobalt Strike, so the fixes for CVE-2024-21412, CVE-2024-21413 (Outlook RCE) and CVE-2023-36884 must be applied on mail servers and endpoints.
  • Restrict the PowerShell ExecutionPolicy to AllSigned or RemoteSigned; block powershell.exe -windowstyle hidden.
  • Deploy an application allow-list (Windows AppLocker or the Microsoft Defender ASR rule “Block all Office applications from creating child processes”).
  • Email gateway (global): strip ISO/IMG attachments, or quarantine macros and non-Mark-of-the-Trusted binaries.

2.2 Removal (Incident Response Playbook)

  1. Isolate the affected machine—pull the network cable or move it to a quarantine VLAN.
  2. Power off any Hyper-V / VMware guests or shadow-copy hosts that are not yet isolated, to prevent live encryption of backups.
  3. Boot into Safe Mode with Networking (Windows) or use a Linux USB drive for offline analysis.
  4. Clean the boot folders:
     %AppData%\roaming\UpdateService\
     %Local%\Temp\Winux\Updater.exe (renames itself to svchost.exe in memory)
  5. Scan with a fresh, offline copy of Microsoft Defender 1.405.1079.0 or later, or a reputable rescue ISO (Kaspersky Rescue Disk, Bitdefender Rescue).
  6. Restore the registry hives from a volume shadow copy or backup if one is available; otherwise wipe and re-image.
  7. Change every credential cached on that box (domain admin, local service, SQL) before re-joining it to the network segment.

2.3 File Decryption & Recovery

  • Is decryption possible? No public free decryptor at time of writing (June 2024).
  • Check two vectors that still recover data for some affected orgs:
    1. Volume Shadow Copies (vssadmin list shadows)—the ransomware skips them on systems with less than 10 % free space, so victims sometimes have intact restore points.
    2. Any cloud-sync folder (OneDrive, Google Drive) with file versioning enabled—uploaded .d0n files simply become the latest revision; roll back via the cloud console.
  • Don’t pay—the decryptor sold by the actor (“d0n Support Team” on Tox) is a fork of Makop and is confirmed to corrupt files larger than 8 MB.
  • Essential tools/patches:
    • Latest Kaspersky RannohDecryptor (no d0n support yet) – keep watching; keys are sometimes added weeks later.
    • Roll out the fully patched Windows 10/11 and Server 2016/2019/2022 May 2024 cumulative update.
    • PowerShell Core 7.4 plus logging via Group Policy (enable transcription: HKLM\Software\Policies\Microsoft\Windows\PowerShell\Transcription).
    • Incident-response triage kit: Volatility, PE-bear, FTK Imager.

2.4 Other Critical Information

Unique traits distinguishing d0n from the broader Makop/Xorist family:
  • Creates a “d0n2204” mutex string instead of the common kernel32-based job objects—useful for IOC hunting.
  • Intermittent IPv4 C2 calls to the 185.107.47.0/24 range on port 443 or 8080 with TLS SNI “azurecdn.net”.
  • Leaves two ransom notes:
    • README.TXT in every folder
    • Desktop wallpaper override (%SystemRoot%\Web\Wallpaper\Windows\d0n.jpg)
  • Script-block log sample:
    PS> $f = Get-ChildItem -Recurse -Force | ?{$_.Extension -eq '.d0n'}
    This line lets you retro-hunt for encrypted files in EDR.
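The indicators above can be checked on a single host in one pass. The following PowerShell triage script is an added example and not part of the original report; the scan root and the reading of the report's %Local% as %LOCALAPPDATA% are assumptions.

```powershell
# Added triage script (not part of the original report). It checks one Windows host for the
# d0n indicators listed in sections 1.1, 2.2 and 2.4. The scan root and the reading of the
# report's "%Local%" as %LOCALAPPDATA% are assumptions. Run from an elevated session.
$findings = [System.Collections.Generic.List[string]]::new()
$roots = @('C:\Users')   # assumption: add the data volumes you care about

# 1. Encrypted files: original name kept, only ".d0n" appended.
$enc = Get-ChildItem -Path $roots -Recurse -Force -File -Filter '*.d0n' -ErrorAction SilentlyContinue
if ($enc) { $findings.Add("$(@($enc).Count) .d0n file(s); first: $(@($enc)[0].FullName)") }

# 2. Ransom note in every folder and the wallpaper override.
$notes = Get-ChildItem -Path $roots -Recurse -Force -File -Filter 'README.TXT' -ErrorAction SilentlyContinue
if ($notes) { $findings.Add("$(@($notes).Count) README.TXT note(s)") }
$wallpaper = Join-Path $env:SystemRoot 'Web\Wallpaper\Windows\d0n.jpg'
if (Test-Path $wallpaper) { $findings.Add("wallpaper override present: $wallpaper") }

# 3. Dropper and persistence artefacts from the removal playbook.
$artefacts = @(
    (Join-Path $env:APPDATA 'UpdateService'),
    (Join-Path $env:LOCALAPPDATA 'Temp\Winux\Updater.exe')
)
foreach ($p in $artefacts) {
    if (Test-Path $p) { $findings.Add("artefact on disk: $p") }
}

# 4. Mutex "d0n2204": OpenExisting throws if no process currently holds it.
try {
    $m = [System.Threading.Mutex]::OpenExisting('d0n2204')
    $m.Dispose()
    $findings.Add('mutex d0n2204 present: the sample may still be running')
} catch [System.Threading.WaitHandleCannotBeOpenedException] {
    # no such mutex: nothing to report
} catch [System.UnauthorizedAccessException] {
    $findings.Add('mutex d0n2204 exists but is not accessible from this session')
}

# 5. Established sockets to the C2 range on the reported ports.
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.RemoteAddress -like '185.107.47.*' -and $_.RemotePort -in @(443, 8080) } |
    ForEach-Object {
        $proc = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
        $findings.Add("C2-range connection $($_.RemoteAddress):$($_.RemotePort) from PID $($_.OwningProcess) ($proc)")
    }

if ($findings.Count -eq 0) { 'No d0n indicators found.' } else { $findings }
```

Any hit is a reason to move the host into the removal playbook in section 2.2 rather than a confirmation by itself, since README.TXT and wallpaper files can be left over from a previous clean-up.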



Stay vigilant, patch first, back up offline, and test restores regularly.