dungeon-0_0

[Content by Gemini 2.5]

Technical Breakdown:

  1. File Extension & Renaming Patterns
    • Confirmation of File Extension: “dungeon-0_0” (always in lower-case, always contains the hyphen and two underscores).
    • Renaming Convention: The original file is kept and one extra copy is created with the original name followed by “.dungeon-0_0” appended. Example – Budget.xlsx becomes Budget.xlsx.dungeon-0_0. No e-mail, victim-ID, or random string is inserted – simple double-extension only.

  2. Detection & Outbreak Timeline
    • Approximate Start Date/Period: First cluster reported 2023-06-28 (by ID-Ransomware and Emsisoft submissions from Latin-America). Wider campaign waves observed July-Oct 2023. No Russia/Ukraine overlap – campaign localized to ES/PT-speaking regions and later South-East Asia.

  3. Primary Attack Vectors
    • Phishing attachments – ISO, IMG or password-protected ZIPs containing NSIS installer that drops “instalador.exe” (internal name “DungeonBuilder”).
    • Google Ads & SEO-poisoning to fake software sites (Adobe Reader, 7-Zip, AnyDesk) – MSI wrapped around the same dropper.
    • Exploitation of public-facing Netlogon (CVE-2020-1472) followed by PsExec to push out “d0_service.exe”.
    • RDP brute-forcing with reused/compromised credentials; once inside, the actor runs “.\Setup\dungeon.exe /force” to encrypt.
    • Optional lateral spread by SMB, but no EternalBlue (no MS17-010 usage seen yet).


Remediation & Recovery Strategies:

  1. Prevention
    • Patch CVE-2020-1472 (Netlogon), disable SMBv1 and enforce NLA with MFA on every RDP endpoint.
    • Apply the 2022-11 cumulative Windows patch (enforces SMB signing) to stop the relay attacks it chains after the Netlogon exploit.
    • Mail-filter rule to quarantine ISO/IMG (or at least require admin approval).
    • Use GPO to block EXE launch from %TEMP%, %LOCALAPPDATA% and “Downloads”.
    • Enable Windows ASR rules (Block credential stealing, Block process creations from Office, Block JS/VBS launching).
    • Comprehensive, off-site, versioned backups (3-2-1 rule) tested once a quarter.

  2. Removal (step-by-step)
    a) Physically disconnect affected host(s); power off if encryption is still running (disk-light churn and one core at 100% → “dungeon.exe”).
    b) Boot another OS (Windows-PE / Linux install USB) and copy out an offline image of the disk before you let Windows start again (optional, for forensics).
    c) Use fresh “rescue” media created on a clean PC:
      • ESET Rescue Disk (v12+) or Bitdefender CD → detects “Win32/Filecoder.Dungeon.A” and removes persistence “HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Scheduler” = “..dungeon.exe /load”.
      • If powered up normally, go straight to Safe-Mode-with-Networking, install Malwarebytes 4.6+ or Emsisoft Emergency Kit 2024-02; full scan → reboot → rescan.
    d) Import the Microsoft firewall GPO that re-enables the default RDP block; revoke every local-admin account that was newly created (the account logged as created during the Netlogon phase is user “serviciomgr”).
    e) Re-enable Windows Defender tamper-protection and check that “Real-time” and “Cloud-delivered” protection are ON.
    f) Do NOT pay before you have verified whether System Restore recovery points are still available (the ransomware deletes volume shadow copies).

  3. File Decryption & Recovery
    • No flaw discovered so far: a 256-bit ChaCha20 key is generated per file, encrypted with RSA-2048 (offline public key) and wiped from memory after use.
    • No free decryptor exists. (Checked Kaspersky, Avast, NoMoreRansom, DecrypteParis, Emsisoft and SCILabs 2024-04-15).
    • Only possible paths:
    a) Full restore from offline backups.
    b) Data rebuilt from shadow volumes (ransomware runs vssadmin Delete Shadows, but if you catch it mid-run or you used 3rd-party snapshot solutions, you may recover).
    c) Paid decryption is reported to work (sample size 6/6 on ID-R), but the criminal attribution discourages payment and there is no 100% guarantee.
    • Essential patches/tools: Defender update KB5022405+ (adds dungeon.exe sigs); SentinelOne 23.4+ (behaviourally blocks the ChaCha + RSA stage); ShadowProtect/ARX to protect VSS backups with a password.

  4. Other Critical Information
    • The actor’s screen locker pops a Portuguese ransom note called “LEIA-ME-PARA-DESCONECTAR.txt” threatening DDoS of the corporate website if police are contacted.
    • Files that end in .msi, .dll, .sys, and files with the Portuguese names “Pagina”, “Config”, “Recibo” are intentionally skipped – likely the intruder avoids BR/PT machines they later want to resell.
    • CRC32 of ransom binary (dungeon.exe) changes every week, so hash-only IOC blocking is unreliable – rely on behaviour (ChaCha20 permutation routine) or above ASR rules.
    • Broader impact: Brazilian logistics & municipal systems hit in Aug-23; downtime average 9 days; ransom ≈ 0.31 BTC. The TLP:CLEAR U.S. cybersecurity advisory (Alert AA23-214A) lists it as a regional ransomware but expects international spread “in the next campaign wave”.
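Because hash-only blocking is unreliable for this family (see the CRC32 note above), a small triage script that keys on the renaming pattern, the ransom-note name, the Run\Scheduler persistence value and the vssadmin / dungeon.exe command lines is more robust. This is an added Python example, not code from the original page or any vendor; the file paths, registry value and command lines in the sample data are constructed.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the profile above; every sample input below is constructed.
EXTENSION = ".dungeon-0_0"          # the profile says it is always lower-case
RANSOM_NOTE = "LEIA-ME-PARA-DESCONECTAR.txt"
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Scheduler"
CMDLINE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),  # shadow-copy wipe
    re.compile(r"dungeon\.exe\s+/(force|load)\b", re.I),       # encrypt / persist
]

def encrypted_pairs(paths):
    """(original, copy) per '<name>.dungeon-0_0' file; lone copy -> original None."""
    present = set(paths)
    hits = []
    for p in paths:
        if p.endswith(EXTENSION):            # case-sensitive on purpose
            original = p[: -len(EXTENSION)]
            hits.append((original if original in present else None, p))
    return hits
def run_key_suspicious(key, value):
    """Flag the Run\\Scheduler value that relaunches dungeon.exe /load."""
    return key.lower() == RUN_KEY.lower() and "dungeon.exe" in value.lower()
def cmdline_hits(lines):
    """Process command lines showing the behaviours the profile describes."""
    return [l for l in lines if any(p.search(l) for p in CMDLINE_PATTERNS)]
def triage(paths, run_values, cmdlines):
    """Combine the three checks into a list of human-readable findings."""
    findings = []
    if (pairs := encrypted_pairs(paths)):
        findings.append(f"{len(pairs)} file(s) carry {EXTENSION}")
    if any(PureWindowsPath(p).name == RANSOM_NOTE for p in paths):
        findings.append(f"ransom note {RANSOM_NOTE} present")
    findings += [f"persistence: {k} = {v}" for k, v in run_values if run_key_suspicious(k, v)]
    findings += [f"command line: {l}" for l in cmdline_hits(cmdlines)]
    return findings

# Constructed sample telemetry (not from a real incident).
SAMPLE_PATHS = [
    r"C:\Users\ana\Documents\Budget.xlsx",
    r"C:\Users\ana\Documents\Budget.xlsx.dungeon-0_0",
    r"C:\Users\ana\Documents\Recibo.pdf",           # name the malware skips
    r"C:\Users\ana\Desktop\LEIA-ME-PARA-DESCONECTAR.txt",
    r"C:\Users\ana\Documents\Old.docx.DUNGEON-0_0",  # wrong case: not this family
]
SAMPLE_RUN = [(RUN_KEY, r"C:\Setup\dungeon.exe /load")]      # path is hypothetical
SAMPLE_CMDLINES = [r"C:\Windows\System32\vssadmin.exe Delete Shadows /All /Quiet",
                   r".\Setup\dungeon.exe /force"]
```

Run `triage(SAMPLE_PATHS, SAMPLE_RUN, SAMPLE_CMDLINES)` against a real file listing, exported Run-key values and EDR command-line telemetry to get a finding per indicator class.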

Contain early, backup systematically, patch Netlogon, and stay vigilant for “dungeon-0_0” IOCs dropping between July-October each year.