Pierluigi Paganini
July 09, 2024
Avast researchers identified a cryptographic flaw in the DoNex ransomware and its predecessors that allowed them to develop a decryptor. The experts revealed the weakness during the Recon 2024 conference.
Avast also released a decryptor that allows victims to recover their files for free since March 2024.
“All brands of the DoNex ransomware are supported by the decryptor.” reads the announcement. “DoNex uses targeted attacks on its victims and it was most active in the US, Italy, and Belgium based on our telemetry.”
In cooperation with law enforcement, the company has been silently providing the decryptor to the victims to prevent ransomware author to learn about the way the decryptor was developed.
DoNex is a rebrand of Muse and DarkRace ransomware, it first appeared in the threat landscape in April 2022.
Like other ransomware, the entire file is encrypted for small files (up to 1 MB). For files greater than 1MB, the ransomware uses intermittent encryption. Each file is split into blocks that are encrypted separately.
Samples of the DoNex ransomware and its previous versions contain XOR-encrypted configurations. These configurations include settings for whitelisted extensions, whitelisted files, services to kill, and other encryption-related data.
The decryptor for DoNex ransomware is available for free here. The researchers strongly recommend using the 64-bit version of the decryption tool because the password-cracking process requires a lot of memory.
As usual, experts recommend backing up encrypted files before using the decryption tool in case anything goes wrong during the decryption process.
The researchers also provided Indicators of Compromise (IOCs) for this threat.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)
