DoDo ransomware was first reported in February of this year. It is a spinoff of the widely recognized and extensively studied Chaos ransomware, and because it is built from Chaos rather than written from scratch, it is not classified as a novel strain. A slightly altered version of DoDo has recently come to light, and the details of this variant are outlined below.
A distinctive indicator of DoDo ransomware is its use of the "Mercurial Grabber" file icon, which suggests how it is distributed. Mercurial Grabber is an open-source builder for infostealing malware that harvests data such as Discord tokens, system details, Windows product keys, and Chrome-saved passwords from victim systems; a file carrying its icon is likely being passed off as that builder.
Recent instances of the DoDo ransomware have been identified in samples submitted for analysis from various countries, including France, Germany, India, China, the United Kingdom, and Peru. In the past, older versions were observed in submissions originating from countries such as the Philippines, the United States, France, Spain, Sweden, Germany, the United Kingdom, Turkey, Australia, Brazil, Serbia, and Bulgaria.
Disguising malware as a legitimate app or tool is a well-established technique in cybercrime. In this instance, DoDo ransomware masquerades as the notorious Mercurial Grabber builder, which suggests that its intended victims are people looking for that builder: other malicious actors or curious users. The geographic spread of submissions is notable, implying that people worldwide have obtained and run copies of this fraudulent Mercurial Grabber builder.
It's noteworthy that the file icon can be easily altered, allowing the ransomware to pose as other applications. This emphasizes the importance for users to exercise caution when downloading and utilizing software from the internet.
The newer and older variations of DoDo ransomware differ only slightly in their ransom notes and in the extension appended to encrypted files, but they share two traits: every DoDo sample was generated with Chaos Builder version 3, released in mid-2021, and every sample directs ransom payments to the same Bitcoin address. Chaos Builder 3 has a significant limitation: it can only encrypt files smaller than 1 MB. Files above this size are simply overwritten, so they cannot be recovered even by the attacker, and restoring them requires backups. For larger files, DoDo therefore behaves as a data destroyer rather than as ransomware, and paying the ransom does not guarantee full restoration. Responders should inventory affected file sizes before treating a decryptor (or a payment) as a recovery path.
In the earlier iterations of DoDo ransomware, a ransom note named "dodov2_readit.txt" was dropped, accompanied by a ".dodov2" extension appended to encrypted files. The ransom demand was set at $15 worth of Bitcoin or Monero (XMR).
In contrast, recent samples of DoDo ransomware present a distinct ransom note labeled "PLEASEREAD.txt." Encrypted files bear the ".crypterdodo" extension, and the ransom message is also displayed as the desktop wallpaper. The ransom amount remains at $15 worth of Bitcoin or Monero (XMR). The attacker has gone a step further by providing a contact email address, presumably to enhance "customer" service. Additionally, the Monero address differs from the addresses used in the older variants.
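The indicators above (the two ransom note names, the two appended extensions, and the Chaos Builder 3 rule that only files under 1 MB are encrypted while larger ones are overwritten) can be turned into a small triage script. The following is an added example written for this page, not code from the researchers or from the Chaos/DoDo authors. It assumes the 1 MB limit is 1 MiB, and it takes an optional map of pre-attack file sizes (for instance from a backup catalog) because the size on disk after the attack is only an approximation of the original. The sample incident directory it builds is constructed for the demonstration.

```python
"""Triage a directory hit by DoDo ransomware using the article's indicators.
Example code written for this page; not a tool from the researchers or from
the Chaos/DoDo authors."""
import tempfile
from pathlib import Path

# Ransom note names and appended extensions from the article.
VARIANTS = {
    "older": {"note": "dodov2_readit.txt", "ext": ".dodov2"},
    "newer": {"note": "PLEASEREAD.txt", "ext": ".crypterdodo"},
}

# Chaos Builder 3 only encrypts files smaller than 1 MB and overwrites the
# rest. The exact threshold is assumed here to be 1 MiB.
ENCRYPT_LIMIT = 1024 * 1024


def identify_variant(root):
    """Return the variant label whose ransom note is found under root, or None."""
    notes = {ioc["note"]: label for label, ioc in VARIANTS.items()}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in notes:
            return notes[path.name]
    return None


def triage(root, original_sizes=None):
    """Classify affected files as 'encrypted' (decryptable in principle) or
    'destroyed' (overwritten; restore from backup only).

    original_sizes maps the pre-attack file name to its byte size, e.g. from a
    backup catalog. Without it the current size on disk is used, which is only
    an approximation because the malware rewrites the file.
    """
    original_sizes = original_sizes or {}
    report = {"variant": identify_variant(root), "encrypted": [], "destroyed": []}
    exts = {ioc["ext"] for ioc in VARIANTS.values()}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in exts:
            continue
        original_name = path.name[: -len(path.suffix)]  # strip appended extension
        size = original_sizes.get(original_name, path.stat().st_size)
        bucket = "encrypted" if size < ENCRYPT_LIMIT else "destroyed"
        report[bucket].append(original_name)
    return report


def build_sample_incident():
    """Construct a throwaway directory mimicking the newer variant's artifacts:
    a ransom note plus .crypterdodo files on either side of the size limit."""
    root = Path(tempfile.mkdtemp(prefix="dodo-triage-"))
    (root / "PLEASEREAD.txt").write_text("constructed ransom note placeholder\n")
    (root / "invoice.docx.crypterdodo").write_bytes(b"\x00" * 4096)
    (root / "photos.zip.crypterdodo").write_bytes(b"\x00" * (2 * ENCRYPT_LIMIT))
    (root / "notes.txt").write_text("untouched file\n")
    return root


if __name__ == "__main__":
    incident = build_sample_incident()
    print(triage(incident))
    # → {'variant': 'newer', 'encrypted': ['invoice.docx'], 'destroyed': ['photos.zip']}
```

Run against a real share, pass the pre-incident sizes where you have them: a file that was 5 MB before the attack belongs in the destroyed bucket regardless of what is on disk now, and the `original_sizes` override handles exactly that case.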
The Bitcoin address linked to DoDo ransomware has received over 40 transactions since May 2022. Most incoming transactions were below $10, however, which is less than the $15 demand and raises doubt about whether they are ransom payments at all. No information on the Monero addresses was available during the investigation.
DoDo Ransomware Signatures
DoDo Ransomware Download