Ransomware Roundup – KageNoHitobito and DoNex | FortiGuard Labs

FortiGuard Labs analyzed two recent ransomware families: KageNoHitobito, which encrypts only local drives and appends a “.hitobito” extension, and DoNex (likely derived from DarkRace), which encrypts both local disks and network shares and uses a configurable profile to exclude files/folders and terminate backup/DB/antivirus processes. Both families drop text ransom notes directing victims to TOR/TOX/email communication channels and are detected by FortiGuard signatures. #KageNoHitobito #DoNex

Keypoints

  • KageNoHitobito first appeared in late March 2024, encrypts only local drives, and appends the “.hitobito” extension to encrypted files.
  • KageNoHitobito drops a desktop ransom note named “KageNoHitobito_ReadMe.txt” and instructs victims to use a TOR AbleOnion chat platform for contact.
  • DoNex emerged around February–March 2024, encrypts both local disks and network shares, and appends a victim ID to filenames while changing file icons.
  • DoNex behavior is driven by a configuration file that lists excluded extensions, files, and folders; it also terminates processes (e.g., sql, oracle, chrome, veeam, outlook) and services (e.g., vss, msexchange, sophos, veeam) and deletes shadow copies.
  • DoNex operates a TOR data-leak site and shares configuration similarities with DarkRace, suggesting code or actor overlap.
  • FortiGuard detects these families as MSIL/Filecoder.BCL!tr.ransom and W32/Agent.AEUZ!tr.ransom and provides AV/EDR protections; multiple SHA2 file hashes are published as IOCs.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – The malware “encrypts files on victims’ machines” and appends extensions such as “.hitobito” or a “[victim ID]” to affected files. Evidence: “encrypts files on victims’ machines”; “files encrypted by the ransomware have a ‘.hitobito’ extension”; “adds a victim ID as a file extension to the affected files”.
  • [T1204] User Execution – Samples were likely distributed via file-sharing as fake software or cheats to lure victims into execution. Evidence: “made the malware available on file-sharing services as fake software or game cheats and lured victims to these locations.”
  • [T1090] Proxy / [T1572] Protocol Tunneling – Adversaries instruct victims to connect via TOR and use AbleOnion/TOX chat for negotiation, using anonymizing networks for communications. Evidence: “visit a TOR site”; “join a chat room”; “contact via a TOR site, TOX chat, or email”.
  • [T1490] Inhibit System Recovery – DoNex is “configured to delete shadow copies,” preventing recovery from Volume Shadow Copies.
  • [T1489] Service Stop or [T1562.001] Disable or Modify Tools – DoNex terminates processes and services related to databases, backup, browsers, and antivirus (e.g., sql, oracle, veeam, chrome, sophos) to disrupt remediation and backups. Evidence: “It terminates the following processes listed in :”; “It terminates the following services listed in :”.
  • [T1601] Weaken Encryption? (Configuration-driven behavior) – DoNex uses a configuration file to control targets and exclusions, dictating encryption scope and exclusions. Evidence: “The actions of DoNex ransomware are dictated by a configuration file set by the threat actor.”

Indicators of Compromise

  • [SHA256 hashes] Ransomware binaries – Hitobito examples: 8939bfe20bc6476806d22c8edfcaba5c36f936b893b3de1c847558502654c82f, 1940fcdb2561c2f7b82f6c44d22a9906e5ffec2438d5dadfe88d1608f5f03c33 (and 3 more Hitobito hashes)
  • [SHA256 hashes] DoNex / DarkRace binaries – DoNex examples: 0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca, 6d6134adfdf16c8ed9513aba40845b15bd314e085ef1d6bd20040afd42e36e40 (and additional DoNex/DarkRace hashes)
  • [File names] Ransom notes and dropped files – “KageNoHitobito_ReadMe.txt”, “Readme.[victim ID].txt” (used to instruct victims to contact via TOR/TOX/email)
  • [File extension as IOC] Encrypted file marker – “.hitobito” extension for KageNoHitobito and appended “[victim ID]” extension for DoNex-encrypted files

KageNoHitobito and DoNex technical summary: KageNoHitobito encrypts only local volumes, appending “.hitobito” to modified files, skips common system and executable extensions (.dat, .dll, .exe, .ini, .log, .sys), and contains a time-based enforcement that halts operation if the host date is more than 14 days after March 21, 2024. It drops a desktop ransom note “KageNoHitobito_ReadMe.txt” that directs victims to a TOR AbleOnion chat room for contact. Sample distribution suggests initial access via public file-sharing portals posing as software/game cheats, implying T1204 user execution as a likely vector.

DoNex is configuration-driven: its config flags enable encryption of local disks and network shares, specify extensive whitelists of extensions, files, and folders to exclude (e.g., windows, program files, tor browser, $recycle.bin), and enumerate processes and services to terminate (examples include sql, oracle, mysq, chrome, firefox, excel, outlook, veeam, vss, msexchange, sophos). The ransomware appends a victim ID to filenames, alters file icons, deletes Volume Shadow Copies to inhibit recovery, and drops “Readme.[victim ID].txt” directing victims to TOR/TOX/email channels. The configuration and ransom-note similarity to DarkRace indicate shared code or operator overlap.

Defensive and forensic artifacts: collect and triage the published SHA256 hashes for binary identification, capture dropped ransom note filenames and file extension patterns (.hitobito or victim-ID suffix), look for evidence of shadow copy deletion and terminated backup/DB/AV processes, and investigate initial access via file-sharing downloads or user-executed installers. FortiGuard detections cited include MSIL/Filecoder.BCL!tr.ransom and W32/Agent.AEUZ!tr.ransom for blocking these families.
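The file-based part of that triage (hash matching, ransom-note names, encrypted-file extensions) can be scripted. The following is an added example written for this summary, not FortiGuard tooling or anything from the original roundup. It embeds only the four SHA256 values printed above, walks a directory tree, flags `.hitobito` files and both ransom-note name patterns, and, as a labelled assumption, treats the ID parsed from a `Readme.[victim ID].txt` note as the extension DoNex appended to files in the same tree (the page gives the note name and says a victim ID is appended, but does not state the two are identical). Function names are hypothetical, and the demo tree is constructed from dummy bytes, so no real sample is needed to run it.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 values quoted in the roundup's IOC list (only those printed on the page).
KNOWN_SHA256 = {
    "8939bfe20bc6476806d22c8edfcaba5c36f936b893b3de1c847558502654c82f": "KageNoHitobito",
    "1940fcdb2561c2f7b82f6c44d22a9906e5ffec2438d5dadfe88d1608f5f03c33": "KageNoHitobito",
    "0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca": "DoNex",
    "6d6134adfdf16c8ed9513aba40845b15bd314e085ef1d6bd20040afd42e36e40": "DoNex",
}

KAGE_NOTE = re.compile(r"^KageNoHitobito_ReadMe\.txt$", re.IGNORECASE)
# "Readme.[victim ID].txt": the ID format is not published, so any dot-free token is accepted.
DONEX_NOTE = re.compile(r"^Readme\.([^.]+)\.txt$", re.IGNORECASE)


def sha256_file(path):
    """Stream a file through SHA256 so large encrypted files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_victim_ids(root):
    """First pass: harvest victim IDs from any DoNex-style ransom notes under root."""
    ids = set()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            match = DONEX_NOTE.match(name)
            if match:
                ids.add(match.group(1).lower())
    return ids


def classify(path, victim_ids, known_hashes):
    """Return (indicator, family) findings for one file; an empty list means nothing matched."""
    findings = []
    name = path.name
    lower = name.lower()
    if lower.endswith(".hitobito"):
        findings.append(("encrypted_extension", "KageNoHitobito"))
    if KAGE_NOTE.match(name):
        findings.append(("ransom_note", "KageNoHitobito"))
    if DONEX_NOTE.match(name):
        findings.append(("ransom_note", "DoNex"))
    # Assumption (not stated on the page): the appended DoNex extension equals the note's victim ID.
    suffix = lower.rsplit(".", 1)[-1] if "." in lower else ""
    if suffix in victim_ids:
        findings.append(("victim_id_extension", "DoNex"))
    digest = sha256_file(path)
    if digest in known_hashes:
        findings.append(("known_hash", known_hashes[digest]))
    return findings


def triage(root, known_hashes=KNOWN_SHA256):
    """Walk root and map relative POSIX paths to their findings; clean files are omitted."""
    root = Path(root)
    victim_ids = collect_victim_ids(root)
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            findings = classify(path, victim_ids, known_hashes)
            if findings:
                results[path.relative_to(root).as_posix()] = findings
    return results


def demo():
    """Constructed tree: only indicator-shaped names and dummy bytes, no real samples."""
    root = Path(tempfile.mkdtemp(prefix="triage_demo_"))
    (root / "docs").mkdir()
    (root / "docs" / "KageNoHitobito_ReadMe.txt").write_bytes(b"constructed note\n")
    (root / "docs" / "report.docx.hitobito").write_bytes(b"\x00" * 64)
    (root / "share").mkdir()
    (root / "share" / "Readme.ABC123.txt").write_bytes(b"constructed note\n")
    (root / "share" / "budget.xlsx.ABC123").write_bytes(b"\x00" * 64)
    (root / "share" / "notes.txt").write_bytes(b"harmless\n")
    # A constructed placeholder whose hash is injected so the hash path runs offline.
    sample = root / "share" / "setup.exe"
    sample.write_bytes(b"constructed placeholder, not malware\n")
    hashes = dict(KNOWN_SHA256)
    hashes[sha256_file(sample)] = "constructed-test-entry"
    return triage(root, hashes)


if __name__ == "__main__":
    for rel_path, hits in sorted(demo().items()):
        print(rel_path, "->", ", ".join(f"{kind}:{family}" for kind, family in hits))
```

Point `triage()` at a mounted image or a suspect share rather than the demo tree for real use; the `victim_id_extension` finding is the weakest of the four (it rests on the assumption above and on a note being present), so treat it as a lead to confirm against file headers and timestamps, while `known_hash` and `encrypted_extension` are direct matches on the page's published indicators.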

Read more: https://feeds.fortinet.com/~/882489596/0/fortinet/blog/threat-research~Ransomware-Roundup-KageNoHitobito-and-DoNex