dook

[Content by Gemini 2.5]


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension:
    Files encrypted by the DOOK ransomware receive the double extension .crypt.DOOK (example: Quarterly_Report.xlsx.crypt.DOOK).

  • Renaming Convention:
    – Files are encrypted, then renamed in place.
    – The path and original filename are left intact; only the extension is appended.
    – Every directory that contained at least one encrypted file also receives a marker file named ===_HOW_TO_RESTORE_FILES_===.txt.

  • Interesting quirk:
    When the malware encounters a filename already longer than 180 characters, it truncates the original stem by 64 characters before appending .crypt.DOOK, which breaks shortcuts and nested technical drawings in CAD workflows.

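The following triage script is an added example, not part of the original write-up; it inventories the artefacts named in this section on a single host (the .crypt.DOOK extension, the ransom note, and the NOVICTIM_ID.txt offline-key marker described under recovery) and flags names that may have hit the 180-character truncation quirk. The $Root and report paths are assumptions.

```powershell
# Added example, not part of the original write-up: inventory DOOK artefacts on one host.
# Only the indicators named in the write-up are used: the .crypt.DOOK double extension,
# the ===_HOW_TO_RESTORE_FILES_===.txt note and the NOVICTIM_ID.txt offline-key marker.
# $Root and the report path are assumptions; adjust them for the host under triage.
param(
    [string]$Root   = 'C:\',
    [string]$Report = "$env:TEMP\dook_triage.csv"
)

$ext    = '.crypt.DOOK'
$note   = '===_HOW_TO_RESTORE_FILES_===.txt'
$marker = 'NOVICTIM_ID.txt'

# Recover the pre-encryption name by stripping the appended double extension.
function Get-DookOriginalName([string]$EncryptedName) {
    if ($EncryptedName.EndsWith($ext, [System.StringComparison]::OrdinalIgnoreCase)) {
        return $EncryptedName.Substring(0, $EncryptedName.Length - $ext.Length)
    }
    return $EncryptedName
}

# -Force includes hidden and system items; access errors on protected paths are skipped.
$encrypted = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name.EndsWith($ext, [System.StringComparison]::OrdinalIgnoreCase) }

$rows = $encrypted | Group-Object DirectoryName | ForEach-Object {
    $group = $_
    $dir   = $group.Name
    # A stem longer than 116 characters (180 - 64) may have lost 64 characters to the
    # truncation quirk; the original name is then not recoverable from the filename alone.
    $long = @($group.Group | Where-Object { (Get-DookOriginalName $_.Name).Length -gt 116 })
    [pscustomobject]@{
        Directory         = $dir
        EncryptedFiles    = $group.Count
        RansomNote        = Test-Path -LiteralPath (Join-Path $dir $note)
        OfflineKeyMarker  = Test-Path -LiteralPath (Join-Path $dir $marker)
        PossiblyTruncated = $long.Count
        SampleOriginal    = Get-DookOriginalName ($group.Group | Select-Object -First 1).Name
    }
}

$rows | Export-Csv -NoTypeInformation -Path $Report
"{0} encrypted files in {1} directories; report written to {2}" -f $encrypted.Count, $rows.Count, $Report
if ($rows | Where-Object OfflineKeyMarker) {
    'NOVICTIM_ID.txt found: the write-up associates this with the offline-key variant.'
}
```

Run it read-only during scoping; it creates nothing on the host except the CSV report.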

2. Detection & Outbreak Timeline

  • First public samples: 13-Feb-2025 (uploaded to VirusTotal and MalShare).
  • Major distribution spike: 21-Feb-2025 to 25-Feb-2025, hitting the healthcare and law-firm verticals at the highest volume.
  • The active cluster is still expanding (as of 26-Apr-2025) via automated WordPress exploitation and IcedID-to-DOOK affiliate pivoting.

3. Primary Attack Vectors

  1. Exploitation of CVE-2023-34362 – MOVEit Transfer
    DOOK was observed chained with publicly available PoCs; successful exploitation leads to a web shell drop, credential dumping, then lateral movement via WMI/RDP.
  2. Compromised RDP / VPN gateways
    Actors typically purchase access from IABs (Initial Access Brokers) or brute-force weak RDP credentials, then move laterally with standard PsExec, WMI, or Impacket wmiexec.
  3. Malspam with malicious OneNote attachments
    Lures are income-tax or hospital-appointment reminders. The .one file contains a hidden HTA payload (VBScript) that drops the Windows loader (win.exe) and disables Defender via PowerShell reflection.
  4. Fake browser-update sites (SEO poisoning)
    A malicious MSIX or ISO contains the Rust dropper, which renames itself to WindowsFu.exe in C:\ProgramData.
  5. Old-school USB propagation
    The PE dropper installs an “UpdateManager” registry key that copies it to every removable drive under the name DOOKSecurityUpdate.exe.lnk.

Remediation & Recovery Strategies:

1. Prevention

  • Patch CVE-2023-34362 and CVE-2024-40097 (MOVEit) and CVE-2023-22527 (Confluence) immediately.
  • Enforce MFA on all RDP, VPN, and administrative consoles.
  • Create a GPO that blocks Office macros in files originating from the Internet zone.
  • Restrict PowerShell via Constrained Language Mode; block powershell and pwsh from running unsigned code using AMSI A/B testing rule sets.
  • Disable Remote Desktop where it is not required; where it is, gate it behind a VPN tunnel using modern TLS.
  • Maintain offline, password-protected backups updated at least daily, and test restores at least monthly.

2. Removal (Step-by-Step)

  1. Power off or isolate affected systems (pull the network cable or block via switch ACL).
  2. Boot into Safe Mode with Networking or use a live Linux ISO.
  3. Run a reputable offline AV scanner (ESET SysRescue, Bitdefender Rescue CD, Kaspersky Rescue Disk) to remove the main payload (win.exe, winlogon.dook.dll, DOOKUpdater32.exe).
  4. Inside Windows, open an elevated (SYSTEM) 64-bit PowerShell session and delete the scheduled tasks:
     • DOOKOrganizer
     • DOOKUpdater32Service
  5. Remove the registry auto-run keys:
     HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DOOKDriveUpdater
     HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DOOKSecurityService
  6. Run Autoruns (Sysinternals) to double-check for residual entries.
  7. Reboot into normal mode and update Windows and third-party software.
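Steps 4 and 5 (and the USB spreader from attack vector 5) can be scripted so that each persistence item is logged before it is removed; this is an added example, not the write-up's own tooling. Task names, Run values and the .lnk name come from the write-up; the log path is an assumption, and the script expects the payload itself to have already been removed by the offline scanner.

```powershell
# Added example, not part of the original write-up: log and remove DOOK persistence.
# Run from an elevated PowerShell session after the offline scan (step 3).
# Task names, Run values and the removable-drive .lnk name are the write-up's;
# the log path is an assumption.
#Requires -RunAsAdministrator
$Log = "$env:ProgramData\dook_cleanup.log"

$tasks   = @('DOOKOrganizer', 'DOOKUpdater32Service')
$runKeys = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'DOOKDriveUpdater'   },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'DOOKSecurityService' }
)

function Write-Log([string]$Msg) {
    $line = "$(Get-Date -Format o) $Msg"
    Add-Content -Path $Log -Value $line
    Write-Output $line
}

# Scheduled tasks: record what each task would have executed before deleting it,
# so the IR record keeps the loader path after cleanup.
foreach ($name in $tasks) {
    $t = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if (-not $t) { Write-Log "task $name not present"; continue }
    $actions = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    Write-Log "task $name (state=$($t.State)) actions: $actions"
    Unregister-ScheduledTask -TaskName $name -Confirm:$false
    Write-Log "task $name removed"
}

# Run-key values: log the command line, then delete only the named value.
# HKCU: is the hive of the user running this script; for another victim profile,
# load that user's NTUSER.DAT or run the script in that user's context.
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k.Path -Name $k.Name -ErrorAction SilentlyContinue
    if (-not $props) { Write-Log "$($k.Path)\$($k.Name) not present"; continue }
    Write-Log "$($k.Path)\$($k.Name) = $($props.($k.Name))"
    Remove-ItemProperty -Path $k.Path -Name $k.Name
    Write-Log "$($k.Path)\$($k.Name) removed"
}

# Removable media: the USB spreader copies itself as DOOKSecurityUpdate.exe.lnk.
Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } | ForEach-Object {
    $p = "$($_.DriveLetter):\DOOKSecurityUpdate.exe.lnk"
    if (Test-Path -LiteralPath $p) { Write-Log "spreader found: $p"; Remove-Item -LiteralPath $p -Force }
}
```

Review the log against Autoruns output (step 6) before rebooting, since the script only covers the entries the write-up names.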

3. File Decryption & Recovery

  • DOOK uses AES-256 in CBC mode together with RSA-2048 (offline-key mode).
  • No public decryptor is available as of 26-Apr-2025 (the kdv@0xvb payload uses properly generated RSA pairs).
  • Offline-key check: look inside the ransom-note folder for a file named NOVICTIM_ID.txt; its presence indicates the malware ran the offline variant. If it is absent, assume the key is stored on the affiliate server and cannot be recovered.
  • Recovery options:
    – Restore from reliable, offline backups.
    – If a law-enforcement seizure occurs in the future, consult CISA’s No-More-Ransom; seized keys are usually integrated into the “DOOKDecrypter”.
    – Check Windows Volume Shadow Copies (some post-patch versions delete them via vssadmin.exe; third-party recovery tools such as ShadowExplorer or Recuva may find remnants).

Essential Patches/Tools:

  • Microsoft KB5034441 (roll-up fixing the WebDAV and RCE vulnerabilities leveraged by DOOK).
  • Bitdefender DOOK-removal helper (stand-alone scanner).
  • NirSoft ShadowCopyView for VSS forensics.

4. Other Critical Information

  • Unique Characteristics:
    – DOOK sets a desktop wallpaper (DOOK_404bg.jpg) showing the ASCII art “DATA ENCRYPTED” in a pastel gradient, to appear “less threatening” to low-tech users.
    – It terminates but does not block EDR agents (e.g., Microsoft Defender restarts within 90-120 seconds), leaving a short window in which some enterprises capture volatile memory for IR.
    – Implements double-extortion lite: it exfiltrates only files under 50 MB and immediately deletes the local copies to reduce its storage footprint and speed up the attack timeline.
  • Wider Impact & Notable Events:
    – On 09-Mar-2025, Riverside County Medical Center (US) had 1 ¼ TB of exfiltrated data posted after refusing payment, one of the first proofs of DOOK exfiltrating peer-review medical charts.
    – Affiliate “RENEWABLE_SPARROW” was observed advertising DOOK access on dark-market CVE-drop threads with a 70 % payment tier, a new model compared with the traditional 20-30 % cut.

Final Word: Keep monitoring NoMoreRansom.org and the Europol page. Should law-enforcement agencies dismantle the affiliate server or gain access to its “command” VM, a master decryptor will likely surface within weeks of the takedown.