FlagThis

Cyble Research and Intelligence Labs (CRIL) has uncovered a new ransomware operation dubbed "DOGE BIG BALLS Ransomware." This campaign uses a finance-themed ZIP file named "Pay Adjustment.zip" to trick users into executing malicious shortcut files. These files then trigger multi-stage PowerShell scripts, ultimately delivering custom payloads that include a kernel-mode exploit tool and reconnaissance modules. The ransomware itself is a modified version of Fog, further customized with a provocative name that references a known public figure.

The attention-grabbing name is likely a deliberate attempt to misdirect attention and create confusion, potentially questioning the effectiveness of governmental cybersecurity efforts. Despite the name's provocative nature, the attack mechanism is relatively simple. The ransomware is typically distributed via a compressed ZIP file, sometimes disguised as a PDF document. Once opened, the malicious payload bypasses traditional security defenses using obfuscation and anti-detection techniques.

The DOGE Big Balls ransomware attack highlights the evolving tactics of cybercriminals, blending technical sophistication with psychological manipulation. It also demonstrates the increasing trend of ransomware attacks targeting the healthcare sector, as seen with the recent attack on DaVita, a Denver-based dialysis firm. This incident underscores the critical need for organizations to bolster their cybersecurity defenses and incident response capabilities to protect sensitive data and maintain operational continuity.

ImgSrc: thecyberexpress

References :

• cyble.com: This attack leverages a ZIP file with a deceptive LNK shortcut to silently execute a multi-stage PowerShell-based infection chain, ensuring stealthy deployment. A vulnerable driver ( ) is exploited through a Bring Your Own Vulnerable Driver (BYOVD) technique to gain kernel-level read/write access for privilege escalation. The payload is a customized version of Fog ransomware, branded as "DOGE BIG BALLS Ransomware," reflecting an attempt to add psychological manipulation and misattribution. Ransomware scripts include provocative political commentary and the use of a real individual's name and address, indicating intent to confuse, intimidate, or mislead victims. The malware uses router MAC addresses (BSSIDs) and queries the Wigle.net API to determine the victim’s physical location—offering more accurate geolocation than IP-based methods. Extensive system and network information, including hardware IDs, firewall states, network configuration, and running processes, is collected via PowerShell, aiding attacker profiling. Embedded within the toolkit is a Havoc C2 beacon, hinting at the threat actor’s (TA's) potential to maintain long-term access or conduct additional post-encryption activities.
• Davey Winder: DOGE Big Balls Ransomware Attack — What You Need To Know
• thecyberexpress.com: TheCyberExpress: DOGE BIG BALLS Campaign Blurs Lines Between Exploitation, Recon, and Reputation Damage
• www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
• www.cybersecurity-insiders.com: DOGE Big Balls Ransomware turns into a big cyber threat
• www.cysecurity.news: CySecurity: DOGE Big Balls Ransomware turns into a big cyber threat
• seceon.com: The TraderTraitor Crypto Heist: Nation-State Tactics Meet Financial Cybercrime

Classification:

• HashTags: #Ransomware #Cybersecurity #DOGE
• Company: Cyble
• Target: Organizations
• Attacker: DOGE
• Product: Ransomware
• Feature: Ransomware Analysis
• Malware: DOGE BIG BALLS Ransomware
• Type: Ransomware
• Severity: Major