Donex (Malware)
⚠️ Overview
Donex is a ransomware family first observed by cybersecurity firm Trellix in March 2024, operating as a ransomware-as-a-service (RaaS) model primarily targeting small-to-medium businesses in healthcare, education, and manufacturing. The threat actors behind Donex are believed to reside in Eastern Europe, based on code similarities with the LockBit and BlackCat (ALPHV) families, and it is categorized as a file-encrypting ransomware with data extortion capabilities.
🔧 Technical Capabilities
Donex propagates through spear-phishing emails containing malicious .ISO or .VBS attachments, as well as by exploiting internet-facing Remote Desktop Protocol (RDP) services with weak credentials. Once executed, it uses a combination of AES-256 and RSA-4096 encryption for files, appending the .donex extension, and drops a ransom note named README.txt in every affected directory. The malware employs a multi-threaded encryption routine to accelerate file locking, and it deletes Volume Shadow Copies (VSS) using the vssadmin.exe command to prevent recovery. For persistence, Donex installs a scheduled task named "DonexUpdate" or a Windows service to survive reboots, and it communicates with its command-and-control (C2) infrastructure over HTTPS using custom User-Agent strings. Evasion techniques include process hollowing via svchost.exe and disabling Windows Defender through reg.exe modifications. MITRE ATT&CK techniques observed include T1486 (Data Encrypted for Impact), T1490 (Inhibit System Recovery), T1053.005 (Scheduled Task), and T1071.001 (Web Protocols).
📜 History & Notable Incidents
Donex first emerged in early 2024, with the earliest known sample submitted to VirusTotal in February 2024. A major campaign in April 2024 targeted three regional hospitals in the United States, causing operational disruptions and patient data exfiltration. No CVEs are directly exploited by Donex itself; instead, it leverages known vulnerabilities such as CVE-2023-48788 (Fortinet SSL VPN) for initial access in some cases. Law enforcement action has been limited, though the FBI issued a private industry notification in June 2024 warning of the threat.
🔍 Detection Indicators
Known file hashes include SHA256: 4a5b8e2c1f3d7a9b6c0e4f8d2a1b3c5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c (sample from the April campaign). Behavioral signatures include rapid file rename operations (e.g., to the .donex extension), execution of `vssadmin delete shadows /all /quiet`, and network connections to IP ranges associated with bulletproof hosting providers. Registry keys created include `HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DonexService`. The malware uses a mutex named `Global\DonexMutex_2024` to prevent multiple instances. User-Agent string: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36` (modified C2 beacon).
☠️ Risk & Impact
Donex encrypts all local and mounted network drives, causing immediate data loss and operational downtime; victims typically face ransom demands ranging from $50,000 to $300,000. The malware exfiltrates sensitive data before encryption—including patient records, financial documents, and intellectual property—and leaks it on a Tor-based data leak site if payment is not made. The healthcare and education sectors have been disproportionately affected, with estimated combined losses exceeding $8 million from reported incidents in 2024.
🛡️ Mitigation
Recommended defenses include implementing multi-factor authentication on all RDP and VPN services, blocking .ISO and .VBS attachment types via email gateways, and maintaining offline backups with immutable storage. Detection can be enhanced with YARA rules targeting the .donex extension and the mutex name, and by deploying endpoint detection and response (EDR) solutions with behavioral blocking for vssadmin and scheduled task creation. Regular patching for CVE-2023-48788 and other edge-device vulnerabilities is critical.
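The behavioral indicators from the Detection Indicators section and the EDR blocking recommended above can be expressed as a small detection pass over endpoint telemetry. The code below is an added example, not from the original page or any vendor; it assumes Sysmon-style events flattened into dicts, and the sample events, thresholds and the scheduled-task binary path are constructed placeholders.

```python
"""Behavioral detection for the Donex indicators described in the profile,
run over constructed Sysmon-style events (not real incident telemetry)."""
import re
from collections import defaultdict

# Indicators taken from the profile: VSS deletion (T1490), the "DonexUpdate"
# scheduled task (T1053.005), the Run-key value "DonexService", and bursts
# of renames to ".donex" during encryption (T1486).
VSSADMIN_RE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\DonexService"
TASK_NAME = "DonexUpdate"
RENAME_BURST = 20      # assumed threshold: renames per process in the window
WINDOW_SECONDS = 10    # assumed sliding-window length

def detect(events):
    """Return a list of (label, detail) hits. Each event is a dict with
    'ts' (seconds), 'pid', 'type' and type-specific fields."""
    hits, alerted = [], set()
    renames = defaultdict(list)          # pid -> timestamps of .donex renames
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            cmd = ev["cmdline"]
            if VSSADMIN_RE.search(cmd):
                hits.append(("T1490", cmd))
            elif "schtasks" in cmd.lower() and TASK_NAME.lower() in cmd.lower():
                hits.append(("T1053.005", cmd))
        elif kind == "registry_set" and ev["key"].lower() == RUN_KEY.lower():
            hits.append(("run_key_persistence", ev["key"]))
        elif kind == "file_rename" and ev["target"].lower().endswith(".donex"):
            ts = renames[ev["pid"]]
            ts.append(ev["ts"])
            while ts and ev["ts"] - ts[0] > WINDOW_SECONDS:   # slide the window
                ts.pop(0)
            if len(ts) >= RENAME_BURST and ev["pid"] not in alerted:
                alerted.add(ev["pid"])                       # alert once per pid
                hits.append(("T1486", f"pid {ev['pid']}: {len(ts)} .donex renames"
                                       f" within {WINDOW_SECONDS}s"))
    return hits

SAMPLE_EVENTS = [   # constructed sample telemetry, not from a real host
    {"ts": 0, "pid": 4120, "type": "process_create",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"ts": 1, "pid": 4120, "type": "process_create",   # binary path is a placeholder
     "cmdline": r"schtasks /create /tn DonexUpdate /tr C:\ProgramData\update.exe /sc onlogon"},
    {"ts": 2, "pid": 4120, "type": "registry_set", "key": RUN_KEY},
    {"ts": 3, "pid": 777, "type": "file_rename", "target": r"C:\Users\a\notes.txt.bak"},
] + [{"ts": 3 + i // 5, "pid": 4120, "type": "file_rename",
      "target": rf"C:\Share\doc{i}.docx.donex"} for i in range(25)]

if __name__ == "__main__":
    for label, detail in detect(SAMPLE_EVENTS):
        print(label, detail)
```

The benign rename from pid 777 produces no alert, while the encrypting process trips the burst rule exactly once.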