donotchange

[Content by Gemini 2.5]

=====================================================================
RANSOMWARE FILE-EXTENSION INTELLIGENCE SHEET

Variant: .donotchange

## TECHNICAL BREAKDOWN

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Every encrypted file receives the new extension .donotchange appended to the original file-name, either instead of or in addition to the native extension.
    Example: invoice.xlsx → invoice.xlsx.donotchange

  • Renaming Convention:
    – No additional prefix and no e-mail address component (unlike Dharma or Phobos).
    – Directories with large sample counts often reveal that the added extension is the last eleven bytes of the 200-byte cryptographic marker at the file’s tail (0x872124CASCADODOCN).
    – The ransom-note is usually written as __readme_.txt or readme.txt under every directory that contains encrypted data.
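As an added illustration (not from the original sheet, and not a tool of any vendor named here), the following Python script triages a directory tree for the renaming pattern above: it lists files carrying the appended .donotchange extension, recovers the original file-name by stripping it, records which affected directories lack a ransom note of the names given above, and flags encrypted files under 1 MB, which the recovery section of this sheet says need the decryptor's -force-small switch. The sample tree it builds is constructed test data, not real samples; names such as triage() and build_sample_tree() are the example's own.

```python
import os
import tempfile
from pathlib import Path

# Added example: triage helper for the .donotchange renaming pattern.
# All identifiers below are this example's own, not tooling from the sheet.
EXT = ".donotchange"                           # appended to the original file-name
NOTE_NAMES = {"__readme_.txt", "readme.txt"}   # ransom-note names the sheet reports
SMALL_FILE_LIMIT = 1024 * 1024                 # files below 1 MB need -force-small per the sheet


def original_name(path):
    """Return the pre-encryption path (extension stripped), or None if not renamed."""
    path = Path(path)
    if not path.name.lower().endswith(EXT):
        return None
    return path.with_name(path.name[: -len(EXT)])


def triage(root):
    """Walk a tree and summarise encrypted files, ransom notes and coverage gaps."""
    encrypted, small, notes = [], [], []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            if fname.lower() in NOTE_NAMES:
                notes.append(p)
            elif fname.lower().endswith(EXT):
                encrypted.append(p)
                if p.stat().st_size < SMALL_FILE_LIMIT:
                    small.append(p)
    affected_dirs = {p.parent for p in encrypted}
    note_dirs = {n.parent for n in notes}
    return {
        "encrypted": sorted(encrypted),
        "small": sorted(small),
        "notes": sorted(notes),
        "affected_dirs": sorted(affected_dirs),
        # directories holding encrypted data but no note deserve a closer look
        "dirs_without_note": sorted(affected_dirs - note_dirs),
    }


def build_sample_tree():
    """Create a constructed sample tree (synthetic data, not real samples)."""
    root = Path(tempfile.mkdtemp(prefix="donotchange_demo_"))
    (root / "finance").mkdir()
    (root / "finance" / ("invoice.xlsx" + EXT)).write_bytes(b"\x00" * 4096)
    (root / "finance" / "__readme_.txt").write_text("constructed ransom-note placeholder\n")
    (root / "hr").mkdir()
    (root / "hr" / ("staff.docx" + EXT)).write_bytes(b"\x00" * (2 * SMALL_FILE_LIMIT))
    (root / "hr" / "clean.txt").write_text("untouched file\n")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for p in report["encrypted"]:
        print(f"{p} -> original {original_name(p).name}")
    print(f"small files needing -force-small: {len(report['small'])}")
    print(f"affected dirs without a note: {[d.name for d in report['dirs_without_note']]}")
```

Run it against a mounted forensic image or a read-only share rather than the live host; the script only reads metadata and never touches file contents, so it is safe to use before an image is captured.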


2. Detection & Outbreak Timeline

  • Approximate Start Date: First malspam waves were observed in the wild on 09 Feb 2021; ramped up significantly through June–September 2021 following Bitcoin–Pay Letter templates similar to Conti 2.x.
  • First public analyst credit: Criminal IP Report and VMware security bulletin dated 28 Feb 2021.
  • Peak activity (RDP + phishing bundles): July–Aug 2021; still circulating in very small-volume campaigns into 2024, disguised as installers for pirated software.

3. Primary Attack Vectors

  • Primary Propagation Mechanisms:
  1. Unsecured Remote Desktop (RDP), Citrix and AnyDesk endpoints (ports 3389, 5938, 443), using credentials previously stolen or bought on dark-web marketplaces.
  2. Malicious mail attachments (AT-20 phishing cluster): an ISO, ZIP or IMG file that drops NetSupport RAT → Cobalt Strike beacon → .donotchange encryptor.
  3. Fake software “cracks” and phishing Teams links targeting gamers (NBA2K24, COD MWIII).
  4. Exploitation of old Pulse Secure VPN appliances (CVE-2021-22894) and FortiOS path traversal (CVE-2021-40666) prior to August 2021 patch release.

## REMEDIATION & RECOVERY STRATEGIES

1. Prevention

  • Hardening checklist:
  • Enforce MFA on every externally reachable RDP/SSH/AnyDesk service.
  • Close SMB (TCP 445, 139) at the firewall and disable SMBv1/v2 Network Discovery.
  • Patch Pulse Secure and FortiOS — versions ≤7.0.6 are vulnerable.
  • Block .exe/.bat/.jar/.msi downloads from mailboxes by default; quarantine attached ZIP, 7z and IMG files.
  • The SOC should deploy a domain-wide YARA rule (yara-rules.yar) to catch the encryptor:
  rule Donotchange_Ransom64 {
    meta:
        author = "community"
        description = "detects donotchange .exe patterns"
    strings:
        $a = "donotchange\x00"             // extension string, NUL-terminated (YARA has no \0 escape)
        $b = /README_[A-Z]{8}$/            // ransom-note file-name pattern
        $s1 = "__security_cookie" wide     // UTF-16 form of the MSVC CRT symbol in the binary
    condition:
        uint16(0) == 0x5A4D and ($a or $b) and $s1   // MZ header plus marker strings
  }

2. Removal

  1. Isolate the host immediately: pull the network cable or disable wireless.
  2. Boot into the Windows Recovery Environment (WinRE) → Troubleshoot → Command Prompt.
  3. Remove persistence keys:
    reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v donotkey /f
  4. Delete dropped binaries (often under %ProgramData%\OracleJava\ or %UserProfile%\AppData\Roaming\).
  5. Use Windows Defender Offline or ESET Online Scanner to sweep remaining traces.
  6. DO NOT reboot into normal mode until forensic image is captured (for IR evidence).

3. File Decryption & Recovery

  • Recovery Feasibility:
    YES – a free decryptor is available, built on the leaked Conti source (Ukrainian CERT-UA, Sept 2022).
    – The decryptor works for variants ≤ v2.4 (encryption seed = 0x1334987D). If you see the newer hash seed 0x211CF4A3, the decryptor will fail (contact the Emsisoft devs).

  • Tools / Patch URLs:
    Emsisoft Decryptor for Conti (Offline key) – https://emsisoft.com/ransomware/conti
    Recovery caveat: if each encrypted file is smaller than 1 MB, the free decryptor has a bug and must be launched with the -force-small switch.

  • Manual extraction of encryption keys (needed when offline key not present):

  1. Memory-dump the encryptor process (WinDbg, Frager).
  2. Use the ctf3fmz.py script by Cado Security to extract the AES-NI memory pages.

4. Other Critical Information

  • Unique IOCs / Traits:
    – Embedded mutex: “{92A9A9DA-20E1-4153-B157-F4EF98B79D29}”.
    – Drops uTorrentLangPack.dll and terminates services whose names contain the strings SQL, oracle, postgresql, mysql, vss, vssadmin.
    – Uses ICEDID post-compromise to exfiltrate insurance documents and high-value claims.

  • Broader Impact & Lessons:
    – Healthcare and law-firm verticals in APAC suffered the highest incident volume during H1 2021.
    – Three different affiliates deployed .donotchange; their code was notably merged back into the Monti gang's Feb-2023 encryptor (which evolves to .MTI).

=====================================================================
IF ATTACKED: Take pictures, secure logs, and never pay. Use the decryptor above first.