You can check the latest ransomware information.
[DODO ransomware]
[Virus/malware activity reported: DODO ransomware]
Following a breach believed to involve DODO ransomware,
we would like to confirm the situation and issue the following warning.
DODO ransomware
The ransomware is called DODO and appears to rename all files by appending .crypterdodo to the file name and extension.
How it works
File version
[Figure 1 Ransomware executable file compiler information]
[Figure 2 File information in window properties]
Ransomware operation characteristics
It is built on .NET (C#). After the first run it re-executes itself as svchost.exe from the Roaming folder and creates a .url file pointing to that local location in the startup program folder. On the C drive it attacks the library folder by default, and all drives other than C are subject to scanning. It makes restoring existing files after an attack difficult: using cmd commands, it deletes shadow copies, disables Windows recovery mode and the program error notification window, and deletes the Windows Server backup catalog.
[Figure 3 Ransomware file svchost.exe copied to Roaming folder]
[Figure 4 Dynamic code for creating shortcut URL in startup program folder]
[Figure 5 Shortcut URL file created in the startup program folder]
[Figure 6 Static code to check attack target]
[Figure 7 Multiple restore prevention commands using the cmd command]
Infection results
The desktop is changed, and PLEASEREAD.txt is created in each folder. Encrypted files are renamed to <file name.extension.crypterdodo>.
[Figure 7 Infection results]
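The file-system artifacts described above (the .crypterdodo suffix, PLEASEREAD.txt notes, an svchost.exe copy under Roaming, and a .url shortcut in the startup program folder) can be checked for with a short triage script. This is an added example, not code from the original report or from White Defender; the function names, the constructed sample tree, and the assumption that the shortcut points to its local target with a file: URL are ours.

```python
import configparser
import tempfile
from pathlib import Path

ENC_SUFFIX = ".crypterdodo"   # appended to encrypted files (from the report)
NOTE_NAME = "pleaseread.txt"  # ransom note name from the report, lowercased
STARTUP = "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup"

def url_target(url_file):
    """Return the URL= value of an Internet Shortcut (.url) file, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read(url_file, encoding="utf-8")
        return cp.get("InternetShortcut", "URL", fallback=None)
    except (configparser.Error, UnicodeDecodeError):
        return None  # malformed or binary file: not a readable shortcut

def scan_profile(profile):
    """Walk a user profile (or a mounted copy) and collect the report's artifacts."""
    hits = {"encrypted": [], "notes": [], "roaming_svchost": [], "startup_url": []}
    for p in (f for f in Path(profile).rglob("*") if f.is_file()):
        name = p.name.lower()
        dirs = [d.lower() for d in p.relative_to(profile).parts[:-1]]
        if name.endswith(ENC_SUFFIX):
            hits["encrypted"].append(p)
        elif name == NOTE_NAME:
            hits["notes"].append(p)
        elif name == "svchost.exe" and "roaming" in dirs:
            # The genuine svchost.exe lives in the Windows system directory.
            hits["roaming_svchost"].append(p)
        elif name.endswith(".url") and "startup" in dirs:
            target = url_target(p) or ""
            if target.lower().startswith("file:"):  # assumption: local file: URL
                hits["startup_url"].append((p, target))
    return hits

def build_sample_tree():
    """Constructed sample: a fake profile with one of each artifact and a clean shortcut."""
    root = Path(tempfile.mkdtemp())
    files = {
        "Documents/report.docx.crypterdodo": "x",
        "Documents/PLEASEREAD.txt": "x",
        "AppData/Roaming/svchost.exe": "x",
        STARTUP + "/svchost.url": "[InternetShortcut]\nURL=file:///C:/sample/svchost.exe\n",
        STARTUP + "/vendor.url": "[InternetShortcut]\nURL=https://example.com/\n",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    return root
```

Point scan_profile at a user profile directory or a mounted disk image; each hit is a lead to confirm against the figures above, not a verdict on its own.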
White Defender compatible
White Defender blocks the ransomware's malicious actions and supports real-time automatic restoration of files that are encrypted before the block takes effect.
[Figure 8 Block message]