dedo

[Content by Gemini 2.5]


Technical Breakdown: DEDO Ransomware

1. File Extension & Renaming Pattern

  • Exact extension appended: .dedo (lower-case)
  • Renaming convention:
    – Encrypted files keep their original basename and existing extension but have .dedo added after the last period → document.pdf.dedo
    – If the file had no extension, only .dedo is appended → Spreadsheet.dedo

2. Detection & Outbreak Timeline

  • First sightings: 8 Dec 2020 (payload logs and public file submissions).
  • Peak propagation: Rapid surge in the first three weeks of Dec 2020, followed by sporadic resurfacing through 2021–2023 in crimeware-as-a-service bundles.

3. Primary Attack Vectors

  • Phishing e-mails with macro-laden Microsoft Office attachments (Word, Excel).
  • Remote Desktop Protocol (RDP) brute-force against hosts with port 3389 exposed, followed by chained PsExec / WMIC deployment.
  • Software vulnerabilities:
    – Windows 7 and 10 “BlueKeep” (CVE-2019-0708) for lateral movement to unpatched endpoints.
    – EternalBlue/DoublePulsar (SMBv1/SMBv2) combo for intranet spread.
  • Drive-by download kits (Rig EK, Fallout EK) exploiting browser / Flash Player holes on compromised websites.
  • Fake update prompts that imitate legitimate third-party update mechanisms (e.g., a spoofed browser-updater page), shown when users manually check for updates.

Remediation & Recovery Strategies

1. Prevention

  1. Segment corporate networks; prevent direct RDP exposure over the internet by requiring VPN + MFA.
  2. Enforce e-mail filtering (client-side rules and MTA policies) that blocks .docm, .xlsm, unknown .exe, .jar and .js attachments.
  3. Patch aggressively:
    – BlueKeep (RDP, 3389)
    – EternalBlue (SMBv1/SMBv2)
    – Latest MS Office and Flash Player (Flash is deprecated; Adobe stopped updates on 31 Dec 2020)
  4. Disable Office macros by default using Group Policy; block internet-hosted macros.
  5. Enable Windows Defender or an EDR product with AMSI integration and ransomware behavior blocking. Add the signature Trojan:Win32/DEDOSOC.A to custom deny-lists.
  6. Keep offline, immutable backups (air-gapped media; Veeam with object-lock/time-lock; CrashPlan PROe with key rotation every 30 days).
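The host-side controls in this list can be checked before an incident rather than after. The following read-only audit is an added example, not code from the original page: it reads the standard Windows locations for SMBv1, RDP/NLA, Office macro policy and Defender status and reports pass/fail per control. The Office policy version key (16.0) is an assumption; adjust it for the installed Office release. E-mail filtering and backup immutability cannot be verified from a single endpoint and are left out.

```powershell
# Added example (not from the original page): read-only audit of the prevention
# controls listed above on one Windows host. Uses standard cmdlets and registry
# paths; the Office policy version key (16.0) is an assumption.
function Test-DedoPreventionControls {
    [CmdletBinding()]
    param([string]$OfficeVersion = '16.0')

    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Control, [bool]$Pass, $Value) {
        $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Value = $Value })
    }

    # EternalBlue surface: SMBv1 must be off on the server side.
    $smb1 = $null
    try { $smb1 = (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } catch { }
    Add-Result 'SMBv1 server disabled' ($smb1 -eq $false) $smb1

    # BlueKeep / brute-force surface: RDP off, or at least Network Level Authentication required.
    $ts   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny = (Get-ItemProperty -Path $ts -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla  = (Get-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    Add-Result 'RDP disabled or NLA required' ($deny -eq 1 -or $nla -eq 1) "fDenyTSConnections=$deny UserAuthentication=$nla"

    # Office macro policy: VBAWarnings 4 = all macros disabled without notification;
    # blockcontentexecutionfrominternet 1 = macros in internet-sourced files blocked.
    foreach ($app in 'Word', 'Excel') {
        $key   = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $warn  = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        $block = (Get-ItemProperty -Path $key -Name blockcontentexecutionfrominternet -ErrorAction SilentlyContinue).blockcontentexecutionfrominternet
        Add-Result "$app macros disabled by policy" ($warn -eq 4) $warn
        Add-Result "$app internet macros blocked" ($block -eq 1) $block
    }

    # Defender / EDR: real-time protection on, Controlled Folder Access (ransomware behavior blocking) enabled.
    try {
        $mp  = Get-MpComputerStatus -ErrorAction Stop
        $cfa = (Get-MpPreference -ErrorAction Stop).EnableControlledFolderAccess
        Add-Result 'Defender real-time protection on' ([bool]$mp.RealTimeProtectionEnabled) $mp.RealTimeProtectionEnabled
        Add-Result 'Controlled Folder Access enabled' ($cfa -eq 1) $cfa
    } catch {
        Add-Result 'Defender status readable' $false $_.Exception.Message
    }

    return $results
}

# Usage: failing controls are listed first.
Test-DedoPreventionControls | Sort-Object Pass | Format-Table -AutoSize
```

Each row carries the raw value it was judged on, so a failing control can be traced to the exact setting that needs changing by Group Policy rather than fixed by hand on one box.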

2. Removal (Step-by-Step)

  1. Isolate the affected host(s) physically, via VLAN, or via an endpoint firewall block (445/139/3389).
  2. Locate active processes (usually disguised as dedo.exe or update.exe in %TEMP%, C:\ProgramData, or %APPDATA%\[random]).
  3. End malicious processes via Task Manager or PowerShell (Stop-Process -Id <PID>).
  4. Remove persistence keys:
    – Run key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    – Scheduled tasks: schtasks /delete /tn "SystemUpdateTask"
    – Services: sc delete "WindowsSystemUpdate"
  5. Delete malicious binaries: run a full-disk scan for *.exe, *.dll and *.bat files in temp paths created within the last 3 days.
  6. Apply the cumulative Windows patch if one was missing, then reboot into normal mode.
  7. Run a rootkit scan with Windows Defender Offline, Malwarebytes, or the ESET rescue kit to confirm eradication.
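Steps 1 to 5 above are the same on every affected host, so they are worth scripting with a dry-run mode. The following is an added example, not code from the original page: it performs the firewall isolation, process hunt, persistence removal and recent-binary sweep through PowerShell's ShouldProcess mechanism, so `-WhatIf` shows every action without taking it. The process names, staging directories, Run key, task name and service name are the page's indicators; the firewall rule names are an assumption. Candidate binaries are returned for review rather than deleted automatically, because C:\ProgramData and %APPDATA% also host legitimate software. Run from an elevated prompt.

```powershell
# Added example (not from the original page): containment and removal steps as
# one audited run. Indicator names come from the page; firewall rule names are
# an assumption. Use -WhatIf to preview, then re-run without it when elevated.
function Invoke-DedoContainment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string[]]$SuspectNames = @('dedo.exe', 'update.exe'),   # disguises named on the page
        [int]$RecentDays = 3
    )
    $ports   = 445, 139, 3389
    $staging = @($env:TEMP, 'C:\ProgramData', $env:APPDATA) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') }
    $meta    = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider metadata on registry objects

    # Step 1: isolate. Block the SMB/RDP ports in both directions on the host firewall.
    if ($PSCmdlet.ShouldProcess("TCP $($ports -join ',')", 'Create host-firewall block rules')) {
        New-NetFirewallRule -DisplayName 'DEDO-IR block inbound'  -Direction Inbound  -Protocol TCP -LocalPort  $ports -Action Block | Out-Null
        New-NetFirewallRule -DisplayName 'DEDO-IR block outbound' -Direction Outbound -Protocol TCP -RemotePort $ports -Action Block | Out-Null
    }

    # Step 2: locate suspect processes, by image name or by running out of a staging directory.
    $procs = @(Get-CimInstance Win32_Process | Where-Object {
        $p = $_
        ($SuspectNames -contains $p.Name) -or
        ($p.ExecutablePath -and ($staging | Where-Object { $p.ExecutablePath.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }))
    })

    # Step 3: end them.
    foreach ($p in $procs) {
        if ($PSCmdlet.ShouldProcess("$($p.Name) PID $($p.ProcessId) [$($p.ExecutablePath)]", 'Stop-Process -Force')) {
            Stop-Process -Id $p.ProcessId -Force -ErrorAction Continue
        }
    }

    # Step 4: persistence. Run-key values launching a suspect name or anything in a staging path,
    # then the scheduled task and service named on the page.
    $runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $suspectRun = @()
    $runValues  = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    $props      = if ($runValues) { $runValues.PSObject.Properties | Where-Object { $meta -notcontains $_.Name } } else { @() }
    foreach ($prop in $props) {
        $cmd = ([string]$prop.Value).Trim('"')
        $hit = ($SuspectNames | Where-Object { $cmd -match [regex]::Escape($_) }) -or
               ($staging | Where-Object { $cmd.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) })
        if ($hit) {
            $suspectRun += [pscustomobject]@{ Name = $prop.Name; Command = $prop.Value }
            if ($PSCmdlet.ShouldProcess("$runKey\$($prop.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $runKey -Name $prop.Name
            }
        }
    }
    if (Get-ScheduledTask -TaskName 'SystemUpdateTask' -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('SystemUpdateTask', 'Unregister-ScheduledTask')) {
            Unregister-ScheduledTask -TaskName 'SystemUpdateTask' -Confirm:$false
        }
    }
    if (Get-Service -Name 'WindowsSystemUpdate' -ErrorAction SilentlyContinue) {
        if ($PSCmdlet.ShouldProcess('WindowsSystemUpdate', 'Stop and delete service')) {
            Stop-Service -Name 'WindowsSystemUpdate' -Force -ErrorAction SilentlyContinue
            sc.exe delete 'WindowsSystemUpdate' | Out-Null
        }
    }

    # Step 5: binaries created in staging paths within the window, reported for analyst review.
    $cutoff = (Get-Date).AddDays(-$RecentDays)
    $recent = foreach ($dir in $staging) {
        Get-ChildItem -Path $dir -Recurse -File -Include *.exe, *.dll, *.bat -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $cutoff }
    }

    [pscustomobject]@{
        SuspectProcesses = @($procs | Select-Object Name, ProcessId, ExecutablePath, CommandLine)
        SuspectRunValues = $suspectRun
        RecentBinaries   = @($recent | Select-Object FullName, CreationTime, Length)
    }
}

# Dry run first (nothing is changed), then the real run from an elevated prompt.
$report = Invoke-DedoContainment -WhatIf
$report.RecentBinaries | Format-Table -AutoSize
```

Keep the returned report object with the case notes: it records which processes, Run values and files were acted on, which is the evidence the later rootkit scan and any regulatory notification will need.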

3. File Decryption & Recovery

  • Decryptable? YES, if encrypted before 30 Jul 2023 – the master decryption key was recovered by Bitdefender and made public under the DedoDecrypter project.
  • How to decrypt:
  1. Download the official decryptor:
    – GUI: Bitdefender Labs “DedoDecrypter v2.8” (SHA256: af3f4d...776)
    – CLI version for automation also available (dedocli.exe).
  2. Collect a pair of files, one original and one encrypted, of exactly the same type and size (e.g., budget.xlsx + budget.xlsx.dedo), so the tool can brute-force the 8-byte file ID.
  3. Launch the tool, point it at the root folder of the encrypted data, and allow it to rebuild headers from the known plaintext.
  4. Encrypted files remain intact: the decryptor writes decrypted copies with the suffix .clean and leaves the originals untouched (rename them afterwards).
  • Post-Jul-2023 variants? No public key yet; the only recourse is restoring from backups or negotiation forensics performed by law enforcement (LE) on seized servers.
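Step 2 of the decryption procedure depends on the renaming convention from section 1: every `.dedo` file names its own original, so an inventory of the encrypted tree can be matched against a clean reference copy (a backup, or the same share from an uninfected host) to produce the original/encrypted pairs the decryptor needs. The following is an added example that is neither the page's code nor part of Bitdefender's tool. It serves both the renaming pattern in section 1 and step 2 here; the sample directory tree it creates under $env:TEMP is constructed for the demonstration and removed afterwards.

```powershell
# Added example (not from the original page, not Bitdefender's tool): inventory
# .dedo files by the section 1 renaming rule and match them to a clean reference
# tree to find known-plaintext pairs for the decryptor. Sample data is constructed.

function Get-DedoEncryptedFiles {
    param([Parameter(Mandatory)][string]$Root)
    $rootFull = (Resolve-Path -LiteralPath $Root).Path.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -Recurse -File | Where-Object { $_.Extension -eq '.dedo' } | ForEach-Object {
        # Strip the trailing ".dedo"; what remains is the original name
        # (document.pdf.dedo -> document.pdf, Spreadsheet.dedo -> Spreadsheet).
        $original    = $_.Name.Substring(0, $_.Name.Length - '.dedo'.Length)
        $relDir      = $_.DirectoryName.Substring($rootFull.Length).TrimStart('\')
        $relOriginal = if ($relDir) { Join-Path $relDir $original } else { $original }
        [pscustomobject]@{
            EncryptedPath     = $_.FullName
            RelativeOriginal  = $relOriginal
            OriginalExtension = [System.IO.Path]::GetExtension($original)   # '' when the file had none
            EncryptedSize     = $_.Length
        }
    }
}

function Find-DedoKnownPlaintextPairs {
    param(
        [Parameter(Mandatory)][string]$EncryptedRoot,
        [Parameter(Mandatory)][string]$ReferenceRoot   # backup or uninfected copy with the same layout
    )
    foreach ($enc in Get-DedoEncryptedFiles -Root $EncryptedRoot) {
        $ref = Join-Path $ReferenceRoot $enc.RelativeOriginal
        if (Test-Path -LiteralPath $ref -PathType Leaf) {
            [pscustomobject]@{
                Original      = $ref
                Encrypted     = $enc.EncryptedPath
                OriginalSize  = (Get-Item -LiteralPath $ref).Length
                EncryptedSize = $enc.EncryptedSize
            }
        }
    }
}

# Constructed sample data: an "encrypted" share and a clean backup of the same layout.
$base = Join-Path $env:TEMP ('dedo-demo-' + [guid]::NewGuid().ToString('N'))
$enc  = Join-Path $base 'share'
$bak  = Join-Path $base 'backup'
New-Item -ItemType Directory -Path (Join-Path $enc 'finance'), (Join-Path $bak 'finance') -Force | Out-Null
'ciphertext-1' | Set-Content -LiteralPath (Join-Path $enc 'document.pdf.dedo')
'ciphertext-2' | Set-Content -LiteralPath (Join-Path $enc 'finance\budget.xlsx.dedo')
'ciphertext-3' | Set-Content -LiteralPath (Join-Path $enc 'Spreadsheet.dedo')      # original had no extension
'plaintext-1'  | Set-Content -LiteralPath (Join-Path $bak 'document.pdf')
'plaintext-2'  | Set-Content -LiteralPath (Join-Path $bak 'finance\budget.xlsx')

Get-DedoEncryptedFiles -Root $enc | Format-Table -AutoSize
Find-DedoKnownPlaintextPairs -EncryptedRoot $enc -ReferenceRoot $bak | Format-Table -AutoSize

Remove-Item -LiteralPath $base -Recurse -Force
```

On the sample tree the inventory lists three encrypted files (document.pdf, finance\budget.xlsx and the extension-less Spreadsheet) and the matcher returns two pairs, since no reference copy of Spreadsheet exists. Matching goes by relative path, so the reference tree must mirror the encrypted one; the sizes are reported so the operator can pick the pair that meets the tool's requirement of identical size and type.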

4. Other Critical Information

  • Unique Behaviors & Indicators:
    – Writes the ransom note Read-Me-Encrypted.txt in EVERY folder and changes the desktop wallpaper to dedo-wallpaper.jpg (gray skull graphic).
    – Deletes shadow copies (vssadmin delete shadows /all) and clears Windows Event Logs to hinder forensics.
    – Persists via a scheduled task set to elevate using the COM Elevation Moniker; common CLSID: {3E5FC7F9-9A51-4608-8254-9666F0A9130E}.
  • Broader Impact:
    – The Dec 2020 wave targeted Eastern-European healthcare; at least 250 servers suffered outages, and 30 % paid a ransom averaging 0.03–0.05 BTC per endpoint.
    – Exfiltrates HR data and uploads it to MEGA.NZ if the -l switch is present (seen in staging CrowdStrike logs); GDPR breach penalties apply even if the ransom is paid.
    – Secondary sale of network domain credentials accelerated supply-chain ransom scams in early 2021.
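The behaviors listed under "Unique Behaviors & Indicators" all leave traces in the Windows Security log, which makes them detectable before the wallpaper changes. The following detection logic is an added example, not code from the original page: it runs a small rule set over events in the shape `Get-WinEvent` returns (Id, TimeCreated, Message) and flags shadow-copy deletion, log clearing, the named persistence task and service, the page's COM elevation CLSID, and writes of the ransom note or wallpaper. The event IDs are the standard ones (4688 process creation, which carries the command line only when "Include command line in process creation events" is enabled; 1102 audit log cleared; 4698 scheduled task created; 4663 object access with file auditing on). The sample events are constructed, not real log data.

```powershell
# Added example (not from the original page): detection rules for the listed
# behaviors, evaluated over constructed Security-log style events. Task, service
# and CLSID strings come from the page; event IDs are the standard Windows ones.
function Find-DedoBehaviorIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    # Each rule: the event ID it applies to, a regex over the message text, and a label.
    $rules = @(
        @{ Id = 4688; Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows';                 Label = 'Shadow copies deleted' }
        @{ Id = 4688; Pattern = 'wevtutil(\.exe)?\s+(cl|clear-log)';                   Label = 'Event log cleared via wevtutil' }
        @{ Id = 1102; Pattern = '.';                                                    Label = 'Security audit log cleared' }
        @{ Id = 4698; Pattern = 'SystemUpdateTask|3E5FC7F9-9A51-4608-8254-9666F0A9130E'; Label = 'Persistence task (name / COM elevation CLSID)' }
        @{ Id = 4688; Pattern = 'schtasks(\.exe)?\s+/create.*SystemUpdateTask';        Label = 'Persistence task created via schtasks' }
        @{ Id = 4688; Pattern = 'sc(\.exe)?\s+create\s+"?WindowsSystemUpdate';         Label = 'Persistence service created' }
        @{ Id = 4663; Pattern = 'Read-Me-Encrypted\.txt|dedo-wallpaper\.jpg|\.dedo\b'; Label = 'Ransom note / wallpaper / .dedo file written' }
    )

    foreach ($e in $Events) {
        foreach ($r in $rules) {
            if ($e.Id -eq $r.Id -and $e.Message -match $r.Pattern) {
                [pscustomobject]@{
                    Time      = $e.TimeCreated
                    Id        = $e.Id
                    Indicator = $r.Label
                    Evidence  = ($e.Message -replace '\s+', ' ').Trim()
                }
            }
        }
    }
}

# Constructed sample events (not real log data), shaped like Get-WinEvent output.
# The 4688 messages mimic the "Process Command Line:" field present when command-line auditing is on.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Id = 4688; TimeCreated = $now.AddMinutes(-9); Message = "A new process has been created.`r`nNew Process Name: C:\Windows\System32\svchost.exe`r`nProcess Command Line: svchost.exe -k netsvcs" }
    [pscustomobject]@{ Id = 4688; TimeCreated = $now.AddMinutes(-5); Message = "A new process has been created.`r`nNew Process Name: C:\Windows\System32\vssadmin.exe`r`nProcess Command Line: vssadmin delete shadows /all" }
    [pscustomobject]@{ Id = 4698; TimeCreated = $now.AddMinutes(-4); Message = "A scheduled task was created.`r`nTask Name: \SystemUpdateTask`r`nTask Content: <Task><Principals><Principal><RunLevel>HighestAvailable</RunLevel></Principal></Principals></Task>" }
    [pscustomobject]@{ Id = 1102; TimeCreated = $now.AddMinutes(-2); Message = "The audit log was cleared." }
    [pscustomobject]@{ Id = 4663; TimeCreated = $now.AddMinutes(-1); Message = "An attempt was made to access an object.`r`nObject Name: C:\Users\alice\Documents\Read-Me-Encrypted.txt`r`nAccesses: WriteData" }
)

Find-DedoBehaviorIndicators -Events $sample | Format-Table -AutoSize

# Against a live host the same function takes real events, e.g.:
# Find-DedoBehaviorIndicators -Events (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 1102, 4698, 4663 } -MaxEvents 5000)
```

On the sample data four of the five events are flagged (shadow-copy deletion, the persistence task, the cleared audit log and the ransom-note write); the benign svchost line is not. Because the page says the malware clears the event logs, the 1102 rule is the one that keeps firing after the others have been wiped, which is why a forwarded copy of the Security log on a collector is worth more than the local log here.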

TL;DR:

  • If files end in .dedo, prioritize network isolation → decrypt with Bitdefender’s DedoDecrypter (legacy infections) → rebuild.
  • If no decryptor fits, revert from offline backup and patch the exact CVE exploited (BlueKeep/EternalBlue).

Keep this file-extension resource bookmarked—newer Dedo strains (post-2023) are being added to underground RaaS marketplaces monthly.