Audio Posts In English

Avast released a decryptor for DoNex Ransomware and its predecessors

Avast developed and released a decryptor for the DoNex ransomware family that allows victims to recover their files for free.

Avast researchers identified a cryptographic flaw in the DoNex ransomware and its predecessors that allowed them to develop a decryptor. The experts revealed the weakness during the Recon 2024 conference.

Avast also released a decryptor that allows victims to recover their files for free since March 2024.

“All brands of the DoNex ransomware are supported by the decryptor.” reads the announcement. “DoNex uses targeted attacks on its victims and it was most active in the US, Italy, and Belgium based on our telemetry.”

In cooperation with law enforcement, the company has been silently providing the decryptor to the victims to prevent ransomware author to learn about the way the decryptor was developed.

DoNex is a rebrand of Muse and DarkRace ransomware, it first appeared in the threat landscape in April 2022. 

DoNex ransomware

Upon execution, an encryption key is generated by CryptGenRandom() function. The malicious code uses the key to initialize ChaCha20 symmetric key and subsequently encrypt files. Once a file is encrypted, the symmetric file key is encrypted by RSA-4096 and appended to the end of the file. The files are picked by their extension, and file extensions are listed in the ransomware XML config.

Like other ransomware, the entire file is encrypted for small files (up to 1 MB). For files greater than 1MB, the ransomware uses intermittent encryption. Each file is split into blocks that are encrypted separately.

Samples of the DoNex ransomware and its previous versions contain XOR-encrypted configurations. These configurations include settings for whitelisted extensions, whitelisted files, services to kill, and other encryption-related data.

The decryptor for DoNex ransomware is available for free here. The researchers strongly recommend using the 64-bit version of the decryption tool because the password-cracking process requires a lot of memory.

As usual, experts recommend backing up encrypted files before using the decryption tool in case anything goes wrong during the decryption process.

The researchers also provided Indicators of Compromise (IOCs) for this threat.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)