doggewiper

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    Files are overwritten and then renamed with the .doggewiper extension (lower-case, a single suffix with no second dot, appended after the original extension).
    – Example: Quarterly_Report.docx becomes Quarterly_Report.docx.doggewiper

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    First submitted to public malware repositories on 11 March 2025. Active campaigns (low-volume, highly targeted) were noticed throughout March–April 2025. No known prior variants exist.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Fake “USB-formatter” tools on underground forums – malicious utilities masquerading as “Rufus-pro.exe” or “HPUSBTool_Lite.msi” bundle the doggewiper dropper.
    2. Discord CDN links – malvertised game-mod packages link directly to zipped dropper payloads.
    3. GitHub-comment spam – post-merge or issue-reply spam contains URLs that, when opened on poorly patched Windows hosts, drop an info-stealer that later installs doggewiper.
    4. Compromised build pipelines – at least one observed case in which a small software vendor’s CI server in Ukraine served the installer as a release download for ~12 h.
  • Exploits used: none for the final payload itself; the dropper relies on tricking users into running it with admin rights (a UAC prompt is always required).


Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
    • Disable “Run as administrator” for unknown executables via AppLocker or the Windows Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criteria.” Setting: ASR rule 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b = Enabled (with an exception list if needed).
    • Apply the March 2025 cumulative Windows patch (KB5035942). Although doggewiper does NOT exploit known CVEs, this update includes refreshed SmartScreen signatures that now flag the family.
    • Restrict outbound Git client/Discord certificates with a WAF or proxy allow-list; block the DDNS domains resolved in current campaigns (doggeupload[.]top, xftpname[.]net).
    • Require the free Microsoft “USB Secure checklist” script to be run on any workstation that will accept unknown devices.

2. Removal

Step-by-step sanitisation:

  1. Isolate – Immediately disconnect the host from wired and Wi-Fi networks and disable Bluetooth.
  2. Boot into Safe Mode with Networking – Interrupt the boot cycle (hold Shift → Restart → Troubleshoot → Startup Settings → 4).
  3. Scan & kill – Launch Windows Defender Offline or any EDR offering cloud-signed signatures (Bitdefender GravityZone, CrowdStrike Falcon, SentinelOne). Update definitions manually before scanning; expect detection names such as Ransom:Win32/Doggewiper.A, Ransom.Filecoder.Doge, Trojan.Win32.KillDisk.ccee.
  4. Registry & persistence – Check HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup; delete any entry pointing to TurtleSSD.exe (the commonly observed filename).
  5. Kill scheduled tasks – Remove the task named SystemHealthMonitor32 (schtasks /delete /tn "SystemHealthMonitor32" /f).
  6. Restart normally – only after Defender Offline reports zero detections.
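Steps 4 and 5 above can be turned into a single read-only hunt. The script below is an added example, not part of the original write-up: it checks the HKLM and HKCU Run keys, the per-user Startup folder, and the SystemHealthMonitor32 task for the artefacts the steps name, lists what it finds, and only removes them when run with -Remove. The pattern, key paths and task name are taken from the text; everything else is an assumption.

```powershell
# Added example, not part of the original write-up: read-only hunt for the
# persistence artefacts named in steps 4 and 5 (Run keys, Startup folder,
# the SystemHealthMonitor32 task). Nothing is removed unless -Remove is given.
[CmdletBinding()]
param([switch]$Remove)

$pattern  = 'TurtleSSD\.exe'                 # filename reported for the dropper
$taskName = 'SystemHealthMonitor32'
$findings = New-Object System.Collections.Generic.List[object]

# Step 4a: Run keys for the machine and the current user
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match $pattern) {
            $findings.Add([pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($p.Name)"; Value = $p.Value })
            if ($Remove) { Remove-ItemProperty -Path $key -Name $p.Name -Force }
        }
    }
}

# Step 4b: Startup folder (shortcuts are resolved to their target path)
$startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
$shell   = New-Object -ComObject WScript.Shell
foreach ($item in Get-ChildItem -Path $startup -File -ErrorAction SilentlyContinue) {
    $target = if ($item.Extension -eq '.lnk') { $shell.CreateShortcut($item.FullName).TargetPath } else { $item.FullName }
    if ($target -match $pattern) {
        $findings.Add([pscustomobject]@{ Type = 'Startup'; Location = $item.FullName; Value = $target })
        if ($Remove) { Remove-Item -Path $item.FullName -Force }
    }
}

# Step 5: the scheduled task, with its action recorded for the incident log
$task = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($task) {
    $cmd = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
    $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Location = $task.TaskPath + $task.TaskName; Value = $cmd })
    if ($Remove) { Unregister-ScheduledTask -TaskName $taskName -Confirm:$false }
}

if ($findings.Count -eq 0) { 'No doggewiper persistence artefacts found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

Run it from an elevated Safe Mode prompt first without -Remove and keep the output with the case notes; the recorded values (full command lines and task actions) are what you will want when comparing hosts.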

3. File Decryption & Recovery

  • Recovery Feasibility: Files are NOT decryptable at this time. There is no known flaw in its hybrid AES-128 + RSA-4096 scheme, and no free decryptor is available.
  • Data-restoration approaches:
    • Check Volume Shadow Copies (vssadmin list shadows) and restore unaffected files with native Windows Restore (Previous Versions tab); early sample sets sometimes fail to wipe them.
    • For business environments, configure Veeam or Commvault backup jobs to write to immutable object storage; doggewiper does NOT yet contain S3 object-lock destruction routines.
    • Re-image if policy (or internal politics) requires it, but use the opportunity to enforce MFA for local admin and deploy LAPS.

Essential Tools / Patches:
– Windows Security baseline script (CIS) updated May 2025
– Snapshot SnapBack (community PowerShell tool) to freeze VSS before ransomware has time to remove it.

4. Other Critical Information

  • Additional Precautions:
    – Doggewiper overwrites the first 512 bytes of any file smaller than 200 MB with NUL (0x00), then encrypts. For forensic recovery, take the disk offline and carve for intact blocks; expect a yield of roughly 1–2 %.
    – A built-in “joke” routine replaces the desktop wallpaper with the Doge meme; this serves as a rapid visual confirmation.
    – Host telemetry (GUID, OS build) is sent in clear text to the hard-coded C2 domain doggeupload[.]top on port 8443; block egress to that domain and port to prevent exfiltration of system data.
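The wipe signature described above (first 512 bytes NUL on files under 200 MB) gives a quick way to scope an incident from an evidence image. The script below is an added example, not part of the original write-up: it lists every *.doggewiper file under a mounted volume, reports whether the header is all-NUL, recovers the pre-rename filename, and flags files whose state contradicts the documented behaviour. The mount letter and report path are assumptions.

```powershell
# Added example, not part of the original write-up: scope an incident by
# listing *.doggewiper files under $Root and checking whether the first
# 512 bytes are all NUL, the wipe signature described in the text.
# Run against a read-only mounted image, never the live disk.
param(
    [string]$Root   = 'E:\',                              # assumed evidence mount
    [string]$Report = "$env:TEMP\doggewiper-triage.csv"   # assumed output path
)

$Limit = 200MB   # size threshold stated in the write-up
$rows = foreach ($f in Get-ChildItem -Path $Root -Recurse -File -Filter '*.doggewiper' -ErrorAction SilentlyContinue) {
    $buf    = New-Object byte[] 512
    $stream = [System.IO.File]::Open($f.FullName, 'Open', 'Read', 'ReadWrite')
    try { $n = $stream.Read($buf, 0, 512) } finally { $stream.Dispose() }
    # Header counts as wiped only if every byte actually read is 0x00
    $allNul = ($n -gt 0) -and (@($buf[0..($n - 1)] | Where-Object { $_ -ne 0 }).Count -eq 0)
    [pscustomobject]@{
        Original    = $f.FullName -replace '\.doggewiper$', ''   # name before renaming
        SizeBytes   = $f.Length
        UnderLimit  = $f.Length -lt $Limit                       # inside the overwrite window
        HeaderWiped = $allNul
        # Under the limit with an intact header, or over it with a wiped one,
        # contradicts the documented behaviour and deserves a manual look.
        Anomaly     = ($f.Length -lt $Limit) -ne $allNul
        LastWrite   = $f.LastWriteTimeUtc                        # encryption time for the timeline
    }
}

$rows | Export-Csv -Path $Report -NoTypeInformation
$rows | Group-Object HeaderWiped | Select-Object Name, Count
```

The CSV doubles as a victim-file inventory for the shadow-copy and backup restore steps in section 3, and the LastWrite column orders the encryption run for the incident timeline.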

  • Broader Impact:
    Although only ~300 victims have been confirmed publicly, doggewiper was deliberately pitched in Russian-language marketplaces as a “wiper disguised as consumer ransomware.” Attackers claim victims paid, but decryption keys were never distributed, resulting in near-100 % intentional data loss. Treat every incident as critical, and preserve disk images for law enforcement and DFIR in case the operators are ever identified.