Ransomware Roundup – DoDo and Proton | FortiGuard Labs

FortiGuard Labs’ bi-weekly Ransomware Roundup covers the DoDo and Proton variants, detailing their infection vectors, encryption behavior, and observed indicators, along with Fortinet protections and recommended defenses. The report identifies DoDo as a Chaos ransomware derivative that masquerades as Mercurial Grabber, and Proton as a newer Windows-focused family with multiple variants and several contact methods for ransom negotiation.
#DoDo #Proton #MercurialGrabber #ChaosBuilder #FortiGuard #Fortinet

Keypoints

  • Fortinet’s Ransomware Roundup analyzes DoDo and Proton ransomware variants targeting Windows users and classifies the impact as High.
  • DoDo is a Chaos ransomware derivative that is masquerading as Mercurial Grabber, an open-source infostealer builder.
  • Mercurial Grabber can steal Discord tokens, machine information, Windows product keys, and Chrome passwords from victims’ machines.
  • Older DoDo variants used dodov2_readit.txt and .dodov2; newer variants use PLEASEREAD.txt and .crypterdodo with changed Bitcoin/Monero handling and wallpaper changes.
  • The Proton ransomware encrypts files, adds a .[attacker].Proton extension, drops ransom notes, and changes desktop wallpaper, with multiple variants and contact methods.
  • Fortinet provides protections via AV signatures and FortiEDR, and offers guidance on phishing awareness, backups, Zero Trust, and incident response services.
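As an added defender-side example (not code from the FortiGuard post), the following Python helper triages a file listing for the on-disk artifacts the report attributes to DoDo and Proton: the ransom note names, the DoDo extensions, and Proton's `.[<contact>].Proton` suffix. The sample paths, the contact string inside the Proton extension and the alert thresholds are constructed assumptions.

```python
import re
from pathlib import PureWindowsPath

# Ransom note names and encrypted-file extensions reported for DoDo variants.
RANSOM_NOTES = {"dodov2_readit.txt": "DoDo (older)", "PLEASEREAD.txt": "DoDo (newer)"}
DODO_EXTENSIONS = {".dodov2": "DoDo (older)", ".crypterdodo": "DoDo (newer)"}
# Proton appends ".[<attacker contact>].Proton"; the bracket content varies per sample.
PROTON_RE = re.compile(r"\.\[[^\]\\/]+\]\.Proton$", re.IGNORECASE)

def classify_path(path):
    """Return (artifact_kind, family) for a suspicious file name, else None."""
    name = PureWindowsPath(path).name          # handles both \ and / separators
    lower = name.lower()
    for note, family in RANSOM_NOTES.items():
        if lower == note.lower():
            return ("ransom_note", family)
    for ext, family in DODO_EXTENSIONS.items():
        if lower.endswith(ext):
            return ("encrypted_file", family)
    if PROTON_RE.search(name):
        return ("encrypted_file", "Proton")
    return None

def triage(paths, note_threshold=1, file_threshold=3):
    """Count hits per family and flag families that cross either threshold."""
    counts = {}
    for path in paths:
        hit = classify_path(path)
        if hit:
            kind, family = hit
            counts.setdefault(family, {"ransom_note": 0, "encrypted_file": 0})[kind] += 1
    flagged = sorted(f for f, c in counts.items()
                     if c["ransom_note"] >= note_threshold
                     or c["encrypted_file"] >= file_threshold)
    return counts, flagged

# Constructed listing: two DoDo-encrypted files plus its note, one Proton file, two clean files.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx.crypterdodo",
    r"C:\Users\alice\Documents\notes.docx.crypterdodo",
    r"C:\Users\alice\Desktop\PLEASEREAD.txt",
    r"C:\Users\bob\Pictures\holiday.jpg.[contact@example].Proton",  # assumed contact string
    r"C:\Users\bob\Pictures\report.pdf",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

With the default thresholds a single ransom note is enough to flag a family, so the one Proton file alone stays below the alert line while still being counted.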

MITRE Techniques

  • [T1036] Masquerading – The DoDo ransomware samples are masquerading as the Mercurial Grabber application; the article notes: “The masquerading of free apps and tools is a classically simple yet effective attack vector used by cybercriminals for years. However, in this case, the DoDo ransomware is masquerading as the nefarious Mercurial Grabber application…”
  • [T1003] Credential Access – Mercurial Grabber’s built-in functions can steal credentials such as “Discord tokens, machine information, Windows product keys, and Chrome passwords” from victims’ machines: “…infostealer configured to steal information such as Discord tokens, machine information, Windows product keys, and Chrome passwords…”
  • [T1486] Data Encrypted for Impact – DoDo and Proton encrypt files and demand ransom; DoDo notes: “The newer DoDo variants drop a ransom note labeled ‘PLEASEREAD.txt,’ add a ‘.crypterdodo’ extension to the encrypted files, and replace the desktop wallpaper with the same ransom message. The ransom demand is still $15 worth of Bitcoin or Monero (XMR).”
  • [T1566.001] Phishing – Fortinet guidance notes that “the majority of ransomware is delivered via phishing,” underscoring phishing as a common initial access vector.

Indicators of Compromise

  • [SHA2] File hashes – 8727091cbb89e5e31eeb2503ffaa242601c8840eee0973fd62fedf1b4b58ab44, f912cd2a6cd21e828dc32b97eac0ce9b2c4e8d5a7944deaa4bd61f41ab8e1997, and 15 more hashes

Read more: https://www.fortinet.com/blog/threat-research/ransomware-roundup-dodo-and-proton