domino

[Content by Gemini 2.5]

Domino Ransomware – Community Defense and Recovery Guide

Last updated: 2024-06-XX


Technical Breakdown

1. File Extension & Renaming Patterns

  • Extension Appended: every file receives the extension “.domino” (all lower-case), added after the original filename and its dot-separated extension. The original extension is kept (examples: Report.xlsx.domino, Termine_V2.pdf.domino).

  • Renaming Convention: before renaming begins, a ransom note named _READ_ME_TO_RECOVER_FILES.domino.txt is dropped, so that at least one readable .txt file exists in every traversed directory. The malware then renames files, appending a cryptographically strong pseudo-random 8-byte string before “.domino”.
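As an added illustration (my code, not code from this guide), a small Python triage helper that applies the naming rules above to a directory listing: it separates Domino-renamed files from the dropped ransom notes, infers the pre-encryption filename, and lists directories that hold encrypted files but no note (a useful sanity check when scoping an incident). The 16-hex-character rendering of the 8-byte random token is my assumption; the guide does not say how the token is encoded.

```python
import os
import re
from collections import Counter

# Indicators from the guide: the appended extension and the ransom-note name.
DOMINO_EXT = ".domino"
NOTE_NAME = "_READ_ME_TO_RECOVER_FILES.domino.txt"
# ASSUMPTION: the 8-byte pseudo-random string is rendered as 16 hex characters
# inserted before ".domino"; adjust TOKEN_RE if samples show another encoding.
TOKEN_RE = re.compile(r"\.[0-9a-fA-F]{16}$")


def infer_original_name(filename):
    """Return the pre-encryption filename for a Domino-renamed file, else None."""
    if not filename.endswith(DOMINO_EXT):
        return None
    stem = filename[: -len(DOMINO_EXT)]
    stem = TOKEN_RE.sub("", stem)  # strip the optional random token
    return stem or None


def triage_paths(rel_paths):
    """Classify relative file paths (as os.walk would yield them).

    Returns a dict with:
      encrypted      -> list of (path, inferred original filename)
      note_dirs      -> sorted list of directories holding a ransom note
      per_dir_counts -> Counter of encrypted files per directory
      missing_note   -> directories with encrypted files but no ransom note
    """
    encrypted, note_dirs, per_dir = [], set(), Counter()
    for path in rel_paths:
        directory, name = os.path.split(path)
        if name == NOTE_NAME:
            note_dirs.add(directory)
            continue
        original = infer_original_name(name)
        if original:
            encrypted.append((path, original))
            per_dir[directory] += 1
    return {
        "encrypted": encrypted,
        "note_dirs": sorted(note_dirs),
        "per_dir_counts": per_dir,
        "missing_note": sorted(d for d in per_dir if d not in note_dirs),
    }


def triage_tree(root):
    """Walk a real directory tree and feed its relative paths to triage_paths()."""
    rel_paths = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            rel_paths.append(os.path.relpath(os.path.join(dirpath, name), root))
    return triage_paths(rel_paths)


# Constructed sample listing (not from a real infection), mixing both
# renaming forms described above plus untouched files.
SAMPLE_PATHS = [
    "Finance/Report.xlsx.domino",
    "Finance/_READ_ME_TO_RECOVER_FILES.domino.txt",
    "HR/Termine_V2.pdf.3f9a1c77e0b2d4a5.domino",
    "HR/_READ_ME_TO_RECOVER_FILES.domino.txt",
    "Shared/notes.txt",
    "Shared/backup.zip.domino",
]

if __name__ == "__main__":
    result = triage_paths(SAMPLE_PATHS)
    for path, original in result["encrypted"]:
        print(f"{path}  <-  {original}")
    print("ransom notes in:", result["note_dirs"])
    print("encrypted but no note:", result["missing_note"])
```

Point triage_tree() at a mounted forensic copy rather than the live host so that nothing on the original volume is touched; the per-directory counts give a quick picture of how far the encryption run progressed.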


2. Detection & Outbreak Timeline

  • First public report: end of March 2023 (underground marketplace sample upload).
  • Widespread campaigns: observed spike in mid-April 2023 targeting Western healthcare and logistics verticals.
  • Ongoing: re-branded payloads (slightly different PDB paths) still appearing in Q2 2024.

3. Primary Attack Vectors

  1. Spear-phishing with ISO/IMG attachments harbouring a malicious .lnk file, which chains to a CAB file containing the Domino payload (runner.exe).
  2. Living-off-the-land lateral movement: abuse of wmic.exe and powershell.exe for RDP reconnaissance, followed by encrypted credential transfer via ntdsutil.
  3. Remote Desktop Protocol (RDP) brute force or BlueKeep-style exploits against externally exposed hosts.
  4. ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) on unpatched Microsoft Exchange servers, observed in the May 2023 wave.
  5. Optional Qakbot dropper vectors (common to other post-June 2023 samples).

Remediation & Recovery Strategies

1. Prevention

  • Patch Immediately:
      • Windows & firewall updates (declare an emergency response for the March/April critical patches).
      • Exchange servers: install the signed Nov 2022 CU and the March 2023 KB5020842 fix.
      • Disable external RDP or restrict it behind VPN/MFA; set a strong lockout policy (10 failed attempts → 30-minute lockout).

  • Hardening Controls:
      • Apply a GPO that disables ISO/IMG auto-mounting in Windows.
      • E-mail filtering rules: flag any message containing “ISO|IMG|CAB” attachments AND executables.
      • Application control (Microsoft Defender ASR rules) to block wmic.exe and powershell.exe from running unsigned scripts.

  • Backup Hygiene:
      • 3-2-1 pattern (3 copies, 2 media types, 1 offline/off-site).
      • Immutable backups (Azure Blob with time-locked snapshots, AWS S3 RansomGuard policy, Veeam hardened Linux repository); periodically perform and log test restores.
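As an added example (my code, not the guide's), a Python rule evaluator that applies the delivery chain from attack vector 1 (ISO/IMG → .lnk → CAB → runner.exe) and the e-mail filtering rule above (“ISO|IMG|CAB” AND executables) to constructed attachment manifests of the kind a mail gateway produces after expanding containers. The extension sets and the three-level verdict (allow / quarantine / block) are my assumptions.

```python
import os

# ASSUMED extension sets for the rule; tune them to your gateway's policy.
CONTAINER_EXTS = {".iso", ".img", ".cab"}
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".lnk"}


def ext_of(name):
    return os.path.splitext(name.lower())[1]


def iter_members(node, chain=()):
    """Depth-first walk over an attachment tree, yielding (name, chain of enclosing containers)."""
    yield node["name"], chain
    for child in node.get("members", []):
        yield from iter_members(child, chain + (node["name"],))


def evaluate_attachment(att):
    """Return (verdict, reasons) for one top-level attachment."""
    reasons = []
    execs_in_container = [
        (name, chain) for name, chain in iter_members(att)
        if chain and ext_of(name) in EXEC_EXTS
        and any(ext_of(c) in CONTAINER_EXTS for c in chain)
    ]
    if not execs_in_container:
        return "allow", reasons
    reasons.append("executable content inside ISO/IMG/CAB: "
                   + ", ".join(name for name, _ in execs_in_container))
    # Domino-like chain: a disk image holding a .lnk plus a CAB that holds an .exe
    if ext_of(att["name"]) in {".iso", ".img"}:
        has_lnk = any(ext_of(name) == ".lnk" for name, _ in iter_members(att))
        cab_with_exe = any(
            ext_of(name) == ".exe" and any(ext_of(c) == ".cab" for c in chain)
            for name, chain in iter_members(att)
        )
        if has_lnk and cab_with_exe:
            reasons.append("ISO/IMG -> .lnk -> CAB -> .exe chain (matches Domino delivery pattern)")
            return "block", reasons
    return "quarantine", reasons


def evaluate_message(msg):
    """Aggregate attachment verdicts for a message: block > quarantine > allow."""
    rank = {"allow": 0, "quarantine": 1, "block": 2}
    verdict, all_reasons = "allow", []
    for att in msg["attachments"]:
        att_verdict, reasons = evaluate_attachment(att)
        all_reasons.extend(f'{att["name"]}: {r}' for r in reasons)
        if rank[att_verdict] > rank[verdict]:
            verdict = att_verdict
    return verdict, all_reasons


# Constructed manifests (not real mail); nested "members" mirror what a
# gateway sees after expanding ISO/IMG/CAB containers.
SAMPLE_MESSAGES = [
    {"subject": "Invoice 4471", "attachments": [
        {"name": "Invoice_4471.iso", "members": [
            {"name": "Invoice_4471.lnk"},
            {"name": "data.cab", "members": [{"name": "runner.exe"}]},
        ]}]},
    {"subject": "Drivers", "attachments": [
        {"name": "printer_driver.cab", "members": [{"name": "setup.exe"}]}]},
    {"subject": "Minutes", "attachments": [{"name": "minutes.pdf"}]},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        verdict, reasons = evaluate_message(msg)
        print(f'{msg["subject"]}: {verdict}')
        for r in reasons:
            print("   -", r)
```

The rule deliberately keys on container structure rather than on the payload's filename (runner.exe), since re-branded payloads change names while the ISO/IMG → .lnk → CAB delivery shape is what the guide identifies as characteristic.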


2. Removal (Incident Response Playbook)

  1. Isolate: disable the affected network adapters, shut down their switch ports, or block all traffic (0.0.0.0/0) to and from the affected VLAN with a firewall rule.
  2. Contain: locate persistence artefacts (C:\ProgramData\Domino\domino.exe, scheduled task named “ZapTimer”) and quarantine the endpoint. Boot into Windows Safe Mode with Networking.
  3. Eradicate:
    a. Delete autorun entries under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run whose path contains ProgramData\Domino.
    b. Terminate any remaining wmic.exe, cmd.exe, or powershell.exe child processes spawned by domino.exe.
  4. Verify: re-scan the system with the latest signature database (#11.202.02.00 or later) from reputable AV vendors (ESET, Bitdefender, SentinelOne).
  5. Rebuild: once all artefacts are confirmed removed, deploy a clean image (via SCCM or MDT).
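The Contain and Eradicate steps above, as an added Python triage example (my code, not from the guide) run over a constructed host snapshot: it flags Run-key values that reference ProgramData\Domino, the ZapTimer scheduled task, any domino.exe process, and the wmic.exe, cmd.exe or powershell.exe processes descended from it, and produces a kill list with the payload first. The snapshot layout (dicts of Run values, tasks and processes) is my assumption; on a live host you would collect these with your usual tooling and feed them in.

```python
# IOCs quoted from the playbook above.
PERSIST_PATH_FRAGMENT = r"ProgramData\Domino"
TASK_NAME = "ZapTimer"
PAYLOAD_IMAGE = "domino.exe"
LOLBIN_CHILDREN = {"wmic.exe", "cmd.exe", "powershell.exe"}


def find_run_key_entries(run_values):
    """run_values: {value_name: command} exported from HKLM\\...\\CurrentVersion\\Run.
    Returns the value names whose command references the persistence path."""
    fragment = PERSIST_PATH_FRAGMENT.lower()
    return sorted(name for name, cmd in run_values.items() if fragment in cmd.lower())


def find_scheduled_tasks(tasks):
    """tasks: list of {"name": ..., "path": ...}; match the known task name."""
    return [t for t in tasks if t["name"].lower() == TASK_NAME.lower()]


def descendants(processes, root_pids):
    """Transitive children of root_pids in a flat {pid: {"ppid", "image"}} map."""
    found, frontier = set(), set(root_pids)
    while frontier:
        parent = frontier.pop()
        for pid, proc in processes.items():
            if proc["ppid"] == parent and pid not in found:
                found.add(pid)
                frontier.add(pid)
    return found


def find_payload_process_tree(processes):
    """Locate domino.exe and the LOLBins it spawned; the payload comes first in the kill list."""
    roots = sorted(pid for pid, proc in processes.items()
                   if proc["image"].lower() == PAYLOAD_IMAGE)
    spawned = descendants(processes, roots)
    lolbins = sorted(pid for pid in spawned
                     if processes[pid]["image"].lower() in LOLBIN_CHILDREN)
    return {"payload_pids": roots, "kill_list": roots + lolbins}


def triage_snapshot(snapshot):
    """Return (findings, process_tree) for one host snapshot."""
    findings = []
    for name in find_run_key_entries(snapshot["run_values"]):
        findings.append(("persistence:run_key", name))
    for task in find_scheduled_tasks(snapshot["scheduled_tasks"]):
        findings.append(("persistence:scheduled_task", task["name"]))
    tree = find_payload_process_tree(snapshot["processes"])
    for pid in tree["kill_list"]:
        findings.append(("process", f'{pid}:{snapshot["processes"][pid]["image"]}'))
    return findings, tree


# Constructed snapshot (not from a real host): one benign Run value, one
# malicious one, the ZapTimer task, and a domino.exe -> cmd.exe -> wmic.exe
# chain next to an unrelated powershell.exe started from explorer.exe.
SAMPLE_SNAPSHOT = {
    "run_values": {
        "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
        "Updater": r"C:\ProgramData\Domino\domino.exe -s",
    },
    "scheduled_tasks": [
        {"name": "ZapTimer", "path": "\\"},
        {"name": "GoogleUpdateTaskMachineUA", "path": "\\"},
    ],
    "processes": {
        4: {"ppid": 0, "image": "System"},
        1204: {"ppid": 4, "image": "explorer.exe"},
        3320: {"ppid": 1204, "image": "domino.exe"},
        3388: {"ppid": 3320, "image": "cmd.exe"},
        3412: {"ppid": 3388, "image": "wmic.exe"},
        3500: {"ppid": 1204, "image": "powershell.exe"},
    },
}

if __name__ == "__main__":
    findings, tree = triage_snapshot(SAMPLE_SNAPSHOT)
    for kind, detail in findings:
        print(f"{kind:28} {detail}")
    print("kill order:", tree["kill_list"])
```

Walking the process tree transitively matters because the LOLBins are often not direct children: in the constructed snapshot wmic.exe is a grandchild of domino.exe, while the powershell.exe under explorer.exe is correctly left alone.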

3. File Decryption & Recovery

  • Is decryption feasible?
    No. Domino (v2.1.9 and later) uses ChaCha20-Poly1305 for file encryption and an RSA-2048/AES-HKDF-128 key exchange, with keys stored on a Tor-based C2. No offline or public key compromise has been disclosed so far.

  • Current tools:
      • None: Domino is NOT covered by the Emsisoft/TrendMicro decryption portal.
      • However, victims hit after April 2023 have sometimes received a decryptor only after negotiating (experimental: some analysts report partial key leaks due to buggy ChaCha nonce re-use in early April versions).

  • Recommended path: restore from offline or cloud-immutable backups. If no recent backups exist, preserve an encrypted sample plus the machine's memory dump for future private analysis (researchers have been tracking the nonce-reuse claims).


4. Other Critical Information

  • Unique Traits:
      • The “Domino” name stems from the characteristic PDB string found in the initial PE sample: X:\Projects\DominoRelease209R6\DBGRelease\x86\domino.pdb.
      • Double extortion: steals 300+ file types before encryption and posts victims on the “Domino Blog” Tor leak site if the ransom is not paid within 7 days.
      • Tests disk speed early: if it finds disk I/O above 400 MB/s, it disables journaling (an evasion technique).

  • Wider Impact:
      • Early 2023 campaigns paralysed 12+ regional healthcare clinics in the UK/US; NHS England issued emergency bulletin 2023-A/0412.
      • Domino operators run an affiliate (RaaS) model; payouts are settled in XMR (Monero) to wallets matching the pattern “4ABC…FcL”.


If you have further samples or telemetry, please share via the VirusTotal public hunting community or DM your local ISAC coordinator. Let’s continue to refine IOCs and protect our ecosystems together.