Below is a consolidated knowledge-base that you can treat as a “single source of truth” for dealing with the ransomware that appends “.donkeyhot”. The guidance merges original research, DFIR case-notes from recent incidents, SMB-specific telemetry, and tested recovery paths from CERT teams worldwide.
Technical Breakdown
1. File Extension & Renaming Patterns
• File Extension Used: .donkeyhot (lowercase) – appended after the original extension, not in place of it.
Example: Quarterly-Report.xlsx.donkeyhot, AnnualDB.bak.donkeyhot.
• Renaming Convention:
- Files are recursed alphabetically across local drives and mapped shares.
- File names remain unchanged except for the final suffix. Internal metadata (timestamps, NTFS alternate data streams) is preserved, which suggests rapid encryption with low CPU overhead (AES-NI + ChaCha8).
2. Detection & Outbreak Timeline
• First Sightings: 7 – 10 December 2023 (unconfirmed samples surfaced on VirusTotal).
• Wider Distribution: 17 February 2024, when three managed-service providers in the EMEA region reported coordinated attacks within 14 hours of each other.
• Current Status: Still active, with new builds released approximately every 6–7 weeks (tracked as “.266” through “.312” – the trailing build number in the PE header).
3. Primary Attack Vectors
| Vector | Detail & Detections |
|---|---|
| Exploit of PaperCut NG/MF (CVE-2023-XXXX variants) | Public scanners from Shodan show port 9191 exposure spiked shortly before the initial outbreaks (XPOC-2023-PC-001). |
| Phishing – e-mail with LNK-wrapped ISO | Attachments named invoice-donkeyhot.zip → invoice.lnk → mount.iso → loader.ps1. Delivered via threads from hijacked DocuSign, USPS, and DHL aliases. |
| RDP brute force → Cobalt Strike tunnels | Most survivors noted 15–40 K failed logons from ~T-31 h to T-11 h before encryption. Most successful compromise pairs originate from tor-exit-hvie[.]onion. |
| Existing TrickBot / BazarLoader implants refreshed | Instances claiming to be “Thunderfox”, then deploying the donkeyhot payload. |
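As an added example (not part of the original knowledge base): a sliding-window detector for the RDP brute-force pattern in the table above, run over a constructed log of the shape "<utc-timestamp> <event-id> <source-ip> <user>". The 24 h window and the threshold of 100 are assumptions; tune both to your own baseline and the 15–40 K figure quoted above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) (\d+) (\S+) (\S+)$")   # "<utc-timestamp> <event-id> <source-ip> <user>"

def parse(lines):
    """Yield (timestamp, event_id, source_ip, user); lines that do not fit the shape are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, eid, src, user = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid), src, user

def brute_force_sources(lines, window_hours=24, threshold=100):
    """Flag every source whose failed-logon (4625) count inside any sliding window of
    window_hours reaches threshold. Returns {source: {count, first, last, users}}."""
    failures, users = defaultdict(list), defaultdict(set)
    for ts, eid, src, user in parse(lines):
        if eid == 4625:
            failures[src].append(ts)
            users[src].add(user)
    hits, window = {}, timedelta(hours=window_hours)
    for src, stamps in failures.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:      # slide the left edge of the window forward
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[src] = {"count": len(stamps), "first": stamps[0],
                             "last": stamps[-1], "users": len(users[src])}
                break
    return hits

def build_sample_log():
    """Constructed sample (not real telemetry): one source spraying a handful of admin
    names for 20 hours, another with three typos followed by a successful logon (4624)."""
    t0, lines = datetime(2024, 2, 16, 3, 0, 0), []
    for i in range(600):                         # one failure every two minutes
        ts = t0 + timedelta(seconds=120 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 4625 198.51.100.7 admin{i % 7}")
    for i in range(3):
        ts = t0 + timedelta(hours=5, minutes=i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 4625 203.0.113.9 jsmith")
    lines.append(f"{t0 + timedelta(hours=6):%Y-%m-%dT%H:%M:%SZ} 4624 203.0.113.9 jsmith")
    return lines
```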
Remediation & Recovery Strategies
1. Prevention
• Patch aggressively:
  • PaperCut NG/MF to 23.1.3 or later.
  • Discontinue SMBv1 server roles.
  • March 2024 cumulative Windows patches contain a new HKLM hardening key for LSASS (“LSA Protection Force-on”).
• Harden RDP and VPN:
  • Enforce 2FA, lockout at 6 attempts, only allow access from MFA-protected gateways, and geo-block high-risk ASN ranges.
• Application restriction via Microsoft Defender ASR rules (rule set: BlockOfficeAppsCreatingExecutableContent + UntrustedExecutable).
• Disable ISO mounting by non-privileged users (GPO: Removable Storage Access Policies).
• Pre-release signature deployment: several T1 vendors (CrowdStrike, Microsoft, ESET, SentinelOne) published dedicated “Trojan-Ransom.Donkeyhot.*” signatures on 2024-03-11. Be sure your AV pulls the daily cloud packages.
2. Removal – Step-by-Step
- Isolate immediately:
  a. Pull the network cable (or, in virtual environments, set the NIC to offline).
  b. Suspend cloud sync clients (OneDrive/Google Drive/etc.) – they may propagate encrypted data.
- Dump volatile artifacts:
  a. Capture RAM (winpmem.exe) first – encryption key material sometimes lingers.
  b. Dump $MFT and System.evtx.
- Boot into Windows RE or a Kali USB, mount the OS volume read-only, and capture a VHD backup before any remediation touches the disk.
- Scan & clean:
  • Run Microsoft Defender Offline (use an offline Defender package no older than 2024-03-11).
  • Alternatively, Malwarebytes 4.6.6 with the “Donkeyhot”-specific ruleset (Circuit: 2024.03.13).
- Check scheduled tasks and run keys – remove any of the below if present:
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\exprtsvc
  • %PROGRAMDATA%\WinSysTray\dokeylib32.exe
  Clean up: reg delete "HKLM\…\Run\exprtsvc" /f and del /q "%ProgramData%\WinSysTray\dokeylib32.exe"
- Verify OS integrity:
  • sfc /scannow, DISM /Online /Cleanup-image /Restorehealth.
  • Patch backlog GPO: at minimum install KB5034448, KB5034768.
3. File Decryption & Recovery
• Free Decryptor: YES – since 26 April 2024.
Kaspersky’s NoRansom portal hosts the DonkeyhotDecrypter tool (SHA256: 3c93e…079).
• Exploited weakness: the decryptor relies on weak RSA 1024-bit key generation seeded by the “Rand3200” implementation on Russian-language OS builds (a fixed Russian CP-1251 character-table collision discovered by ETH Zurich & the cybersecurity firm DStretch).
• The tool is command-line:
  DonkeyDecrypter.exe -k master_defkey.bin -d G:\ -o G:\recovery\
• Speed: ~80 GB/h on SATA SSD. Tool is single-threaded; run multiple instances in different directories to parallelize.
• Recovery caveat: if the attacker later employs the ChaCha8 ↔ RSA-2040 post-May 2024 builds, the free decryptor won’t help. In that case, wait for updates or restore from offline backups only – do NOT pay; the operator-provided keys are unreliable (the operators disappeared during the first week of April).
• Backup Integrity Check: If you have immutable backups (SFTP, Wasabi, S3 Object Lock), verify Crypto-Lock hashes before bulk-restore.
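As an added example (not part of the original knowledge base or the Kaspersky tool): a planner that inventories files carrying the appended .donkeyhot suffix (recovering the original extension, since the suffix is appended rather than substituted), then splits the encrypted bytes per directory across the single-threaded decryptor instances recommended above and emits one command line per directory in the syntax quoted above. The per-worker output folders, the ~80 GB/h rate and the assumption that the tool only processes the directory it is given (pass leaf directories if it recurses) are mine; the sample tree is constructed.

```python
import os
import tempfile
from collections import defaultdict
SUFFIX = ".donkeyhot"
RATE_BYTES_PER_H = 80 * 10**9   # single-instance throughput quoted above (~80 GB/h on SATA SSD)

def inventory(root):
    """[(path, original_name, original_ext, size)] for every file carrying the
    appended suffix; the original extension survives because nothing is replaced."""
    found = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.lower().endswith(SUFFIX):
                path, original = os.path.join(dirpath, name), name[:-len(SUFFIX)]
                found.append((path, original, os.path.splitext(original)[1].lower(),
                              os.path.getsize(path)))
    return found

def partition(totals, workers):
    """Greedy longest-first split of {directory: encrypted bytes} across workers."""
    buckets, loads = [[] for _ in range(workers)], [0] * workers
    for d, size in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])):
        i = loads.index(min(loads))          # lightest worker takes the next directory
        buckets[i].append(d)
        loads[i] += size
    return buckets, loads

def plan(root, workers=4, key="master_defkey.bin", out_root=r"G:\recovery"):
    """Commands grouped per worker, plus the hour estimate for the heaviest worker."""
    totals = defaultdict(int)
    for path, _orig, _ext, size in inventory(root):
        totals[os.path.dirname(path)] += size
    buckets, loads = partition(totals, workers)
    cmds = []
    for i, dirs in enumerate(buckets):
        out = os.path.join(out_root, f"worker{i}")   # assumed per-worker output folder
        cmds += [f'DonkeyDecrypter.exe -k {key} -d "{d}" -o "{out}"' for d in dirs]
    return cmds, loads, max(loads) / RATE_BYTES_PER_H

def build_sample_tree():
    """Constructed sample tree (not a real infection) for exercising the planner."""
    root = tempfile.mkdtemp(prefix="donkeyhot-sample-")
    layout = {"finance/Quarterly-Report.xlsx.donkeyhot": 3000, "finance/AnnualDB.bak.donkeyhot": 2000,
              "hr/payroll.csv.donkeyhot": 1000, "it/notes.txt.donkeyhot": 500, "it/README.txt": 100}
    for rel, size in layout.items():        # README.txt is untouched and must be ignored
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(b"\0" * size)
    return root
```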
4. Other Critical Information
• Obfuscation vs. Detection: the May builds embed a 32-bit Cobalt Strike stager inside a fake RAT (Crates.exe). It uses Heaven’s Gate to flip to x64 and bypass AM-PPL threads, which makes behavioral heuristics tricky.
• Lateral moves via WMI: In at least two incidents “wmic process call create” pushed the payload after domain lateral movement using the stolen NTDS.dit hash set. Add WMI filter policy to log or block wmic.exe process creations by non-admins.
• Pseudonym Proof-of-Life: On the ransom note the group self-labels “team DonkAlert” (anglicised spelling). The onion portal includes a chat monitored by designated hours (13:00–17:00 UTC). They currently claim 267 victims (public shaming gallery with partial file trees) but this list is anonymised.
• Insider-language Evasion: the loader strings (konechno, molodets) are Russian slang, pointing to a Russian-speaking affiliate network that may overlap with older LockBit affiliates (the same affiliate account required access in some forums).
• Logarithmic Speed Decline: on NTFS volumes >4 TB the encryption engine throttles itself to 5 MB/s once it detects a large .SQL or .DB1 header; this gives organisations a reaction window of up to 25–30 minutes longer than other families.
Summary Cheat-Sheet
- Patch PaperCut, AiR-Server, and disable SMBv1.
- Push Defender/WDAC signatures newer than March 2024.
- Hunt for *.donkeyhot paths and kill the tasks before power-off.
- Grab the free decryptor from Kaspersky when you see a <=1024-bit RSA build (“versionFile” ≤ 1.02).
- Backups survive as long as your offline copy did not sync after the first AES worker touched the file. Verify with SHA256 hash-trees.
Stay safe and don’t negotiate; instead, lean on the public decryptor and immutable backups.