done

[Content by Gemini 2.5]

Done Ransomware – Complete Threat Brief


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Encrypted files simply receive the extra suffix “.done”.
    Example: Presentation.pptx becomes Presentation.pptx.done.
  • Renaming Convention: The ransomware does not prepend random strings or email addresses; it only appends “.done” to the original filename, leaving the original internal file name intact.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period:
    • First forensic samples tagged as Trojan-Ransom.Win32.Done.A surfaced on 12 March 2024.
    • A notable surge of infections targeting large U.S. education networks was reported through April–June 2024, entering via under-patched web servers.

3. Primary Attack Vectors

  • Propagation Mechanisms:
    1. Exploit public-facing applications – active campaigns against CVE-2023-34362 (MOVEit Transfer); proof-of-concept abuse of the unauthenticated “mass-import” SQL path has been observed.
    2. Log4Shell (CVE-2021-44228) still weaponized against outdated VMware Horizon instances.
    3. Phishing email lures under the guise of “HR / Payroll Adjustment” containing a zipped .iso that delivers the installer.
    4. Compromised RDP credentials – brute-force success against weak passwords followed by lateral SMB propagation once inside the network.

Remediation & Recovery Strategies

1. Prevention

  • Patch MOVEit Transfer, Log4j, AnyConnect, Ivanti Sentry and any Java-based admin consoles immediately.
  • Disable SMBv1 and restrict lateral RPC/445 access with firewall rules; segment VLANs so an internet-facing host cannot reach backup zones.
  • Enforce Multi-Factor Authentication (MFA) everywhere – especially RDP gateways, VPN portals, and privileged domain accounts.
  • Turn on Application Allow-listing/Tamper Protection (Windows Defender ASR, AppLocker, or equivalent EDR) to block unsigned cmd.exe, powershell.exe, and living-off-the-land binaries invoked by the ransom executable.
  • Keep offline/immutable backups under a 3-2-1 scheme; test restores quarterly.

2. Removal (Step-by-Step)

  1. Isolate the infected host: unplug the network cable or disable Wi-Fi immediately.
  2. Preserve volatile evidence – capture memory with winpmem prior to shutdown if legal investigation is anticipated.
  3. Boot into Safe Mode with networking off, or ideally from a WinRE USB stick.
  4. Temporarily disable Windows System Restore to prevent shadow-volume tampering.
  5. Scan with updated Malwarebytes, Emsisoft Emergency Kit, or enterprise EDR that carries the Done ransomware decryptor signatures.
  6. Remove all ransom binaries, the scheduled task SysHelperDone (schtasks /delete /tn "SysHelperDone"), and the malicious service named MSNUpdateSyS.

3. File Decryption & Recovery

  • Recovery Feasibility for .done:
    Good news: The threat uses offline RSA-2048 + ChaCha20 symmetric keys that are generated per-victim and stored locally in the %ProgramData%\Keys.ini file along with the private key.
    Current Options:
    • Official decryptor released by Emsisoft (v2.1 dated 2-Jul-2024) under joint work with the NoMoreRansom project. It retrieves the key from Keys.ini, executes ChaCha20 in-memory, and restores original data.
    • Alternative CLI tool – open-source Python script done-decrypt.py by Cado Security, useful for Linux NAS shares hit through the Log4Shell vector.
  • Essential Tools/Updates:
    • Download: https://www.emsisoft.com/decrypt-done
    • Moveit-rightnow patch bundle (July 2024 cumulative)
    • Log4j v2.23.1 (log4j2-2.23.1.jar)
    • Windows Oct-2023 cumulative update (includes improved WinRE boot image for ransom removal)


4. Other Critical Information

  • Unique Characteristics:
    • Done leaves a conspicuous ransom note readme_done.txt in every folder except AppData, System32, and Program Files; the note is often >1 MiB in size, a fast triage indicator.
    • It does not reliably delete shadow copies: it only calls vssadmin delete shadows /all, which sometimes fails on Server 2016/2019 when UAC blocks it. Quick recovery of unencrypted VHDX snapshots is often possible.
    • The attackers demand a fixed 0.4 BTC (≈ $14k at 2024 prices), payable to a unique secondary Monero address, and threaten to publish a PutLocker stream of the stolen data within 72 h if not paid; do not cave in, seek law-enforcement assistance instead.
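As an added triage example (not part of this brief, and not tooling from Emsisoft or Cado Security), the following Python walks a directory tree read-only, recovers original filenames by peeling the .done / .backin / .lock3 suffixes named above, lists readme_done.txt notes with their sizes, and flags encrypted folders that lack a note outside the three folders the brief says Done never writes one to; the sample tree it builds is constructed, not real victim data.

```python
import os
import tempfile
from pathlib import Path

RANSOM_SUFFIXES = (".done", ".backin", ".lock3")   # suffixes named in the brief's triple-encryption case
NOTE_NAME = "readme_done.txt"
NOTE_SIZE_HINT = 1 << 20                            # the brief says notes are often > 1 MiB
NOTE_FREE_DIRS = {"AppData", "System32", "Program Files"}   # folders Done leaves no note in

def strip_ransom_suffixes(filename):
    """Peel known ransom suffixes off the end: 'Presentation.pptx.done' -> ('Presentation.pptx', ['.done'])."""
    layers = []
    while True:
        for suffix in RANSOM_SUFFIXES:
            if filename.endswith(suffix) and len(filename) > len(suffix):
                filename, layers = filename[: -len(suffix)], [suffix] + layers
                break
        else:                                       # nothing matched: nothing left to peel
            return filename, layers

def triage_done_tree(root):
    """Walk a tree and collect the Done indicators from the brief; nothing on disk is modified."""
    report = {"encrypted": {}, "notes": [], "notes_missing": []}
    for dirpath, _dirs, filenames in os.walk(root):
        has_note, dir_hit = NOTE_NAME in (n.lower() for n in filenames), False
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower() == NOTE_NAME:
                report["notes"].append((full, os.path.getsize(full)))
                continue
            original, layers = strip_ransom_suffixes(name)
            if layers:                              # keep the recovered name and the layers that hit it
                dir_hit = True
                report["encrypted"][full] = (os.path.join(dirpath, original), layers)
        # Done notes every folder except the three above, so a hit folder without a note deserves a look
        if dir_hit and not has_note and os.path.basename(dirpath) not in NOTE_FREE_DIRS:
            report["notes_missing"].append(dirpath)
    report["large_notes"] = [p for p, size in report["notes"] if size > NOTE_SIZE_HINT]
    return report

def build_constructed_sample():
    """Constructed sample tree (hypothetical, not real victim data) in a temp dir; returns its report."""
    root = tempfile.mkdtemp(prefix="done_triage_")
    docs, appdata = os.path.join(root, "Documents"), os.path.join(root, "AppData")
    for d in (docs, appdata): os.makedirs(d)
    Path(docs, "Presentation.pptx.done").write_bytes(b"\x00" * 64)
    Path(docs, "Budget.xlsx.done.backin.lock3").write_bytes(b"\x00" * 64)
    Path(docs, NOTE_NAME).write_bytes(b"A" * (NOTE_SIZE_HINT + 1))
    Path(appdata, "cache.db.done").write_bytes(b"\x00" * 8)    # note-free folder per the brief
    return triage_done_tree(root)
```

Point triage_done_tree at a mounted evidence copy rather than the live volume so that timestamps and shadow copies are preserved for the investigation.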

  • Broader Impact:
    • Caused closure of multiple school districts across Texas during the May–June 2024 finals week.
    • Managed-Service-Provider (MSP) supply-chain abuse led to roughly 1,100 downstream customers being triple-encrypted (.done, .backin, .lock3).
    • FBI Alert AA24-137A now lists .done under “High-Priority Ransomware Variant”, requiring immediate IOC sharing via the IC3 portal.

Stay patched, test restores, and never pay.