DoNex attacks Van der Helm

Incident Date:

March 8, 2024



Van der Helm




Den Hoorn, Netherlands


First Reported

March 8, 2024

Van der Helm Targeted by DoNex Ransomware Group

Van der Helm has been attacked by the DoNex ransomware group. The attackers allegedly exfiltrated 39 GB of data, including miscellaneous documents such as invoices, agreements, personal documents, financial data, and so on. Van der Helm is a family business that was founded in 1936. To this day, it offers customized logistics solutions, with knowledge and capacity in transport, warehousing, and customs formalities.

DoNex: A New Threat on the Horizon

DoNex is a new ransomware group actively targeting entities in the United States and Europe. The group has begun listing companies as its victims on its dark web portal, accessible via the Onion network. The group’s tactics are especially insidious: it employs a double-extortion method, encrypting files and appending a unique VictimID extension to them, while also exfiltrating sensitive data and holding it hostage to put additional pressure on victims to pony up the ransom.

Modus Operandi of DoNex

In line with the typical behavior of ransomware groups, after encrypting the files, DoNex generates a ransom note on the victim's computer. This note usually appears as either a text file or a pop-up window and includes detailed instructions on how to pay the ransom to get the decryption key. Victims have discovered ransom notes named Readme.VictimID.txt on their systems, which instruct them to establish contact with the DoNex group through Tox messenger, a peer-to-peer instant messaging service known for its security and anonymity features.
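The two file-system artifacts described above (a Readme.VictimID.txt note and files carrying the same VictimID as their extension) can be correlated in a file listing. The sketch below is an added example, not code from this tracker or from any DoNex analysis. It assumes the ID is whatever token sits between "Readme." and ".txt", and the `min_files` threshold and the sample paths are constructed for illustration.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Assumption: the page gives the note name as Readme.VictimID.txt but not the
# ID format, so any single dot-free token is accepted as a candidate ID.
NOTE_RE = re.compile(r"^Readme\.([^./\\]+)\.txt$", re.IGNORECASE)

def find_note_extension_pairs(paths, min_files=3):
    """Return {id: {"notes": [...], "files": [...]}} for every candidate ID
    that has a ransom-note-style file AND at least `min_files` files whose
    final extension equals that ID. A note name alone is not reported, which
    keeps ordinary files such as Readme.old.txt from raising an alert."""
    notes = defaultdict(list)
    by_ext = defaultdict(list)
    for p in paths:
        # Normalise Windows separators so the same code handles both styles.
        name = PurePosixPath(p.replace("\\", "/")).name
        m = NOTE_RE.match(name)
        if m:
            notes[m.group(1).lower()].append(p)
            continue
        stem, dot, ext = name.rpartition(".")
        if dot and stem:
            by_ext[ext.lower()].append(p)
    hits = {}
    for vid, note_paths in notes.items():
        files = by_ext.get(vid, [])
        if len(files) >= min_files:
            hits[vid] = {"notes": sorted(note_paths), "files": sorted(files)}
    return hits

# Constructed sample listing; EXAMPLEID1 is a placeholder, not a real VictimID.
SAMPLE_PATHS = [
    "C:\\Shares\\Finance\\Readme.EXAMPLEID1.txt",
    "C:\\Shares\\Finance\\invoice_0412.pdf.EXAMPLEID1",
    "C:\\Shares\\Finance\\agreement.docx.EXAMPLEID1",
    "C:\\Shares\\HR\\Readme.EXAMPLEID1.txt",
    "C:\\Shares\\HR\\payroll.xlsx.exampleid1",
    "C:\\Tools\\Readme.old.txt",   # benign look-alike note name
    "C:\\Tools\\config.old",       # only one matching file: below threshold
    "C:\\Tools\\setup.exe",
]

if __name__ == "__main__":
    for vid, hit in find_note_extension_pairs(SAMPLE_PATHS).items():
        print(vid, len(hit["notes"]), "note(s),", len(hit["files"]), "file(s)")
```

Requiring both artifacts trades some sensitivity for far fewer false positives; lower `min_files` when scanning small directories.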

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.