A cryptographic weakness in the DoNex ransomware and its previous incarnations – Muse, fake LockBit 3.0, and DarkRace – has allowed Avast researchers to create a decryptor for files encrypted by all those ransomware variants.
DoNex ransom note (Source: Avast)
“In cooperation with law enforcement organizations, we have been silently providing the decryptor to DoNex ransomware victims since March 2024,” the company’s Threat Research Team has shared on Monday.
About DoNex
The DoNex ransomware actor appeared in early March 2024 and claimed several companies as victims.
Other researchers have shared their analysis of the malware, as well.
“DoNex uses targeted attacks on its victims and it was most active in the US, Italy, and Belgium based on our telemetry,” Avast researchers noted.
“Since April 2024, DoNex seems to have stopped its evolution, as we have not detected any new samples since. Additionally, the TOR site of the ransomware has been down since that point.”
Using the decryptor
Files encrypted by DoNex get a unique extension made up of the victim ID, and the ransom note is saved as Readme.victimIDnumber.txt (with the same ID in place of "victimIDnumber"). Ransom notes for DoNex and its previous incarnations look alike and usually name the ransomware/group (Muse, DarkRace, etc.).
After downloading the decryptor, victims need to provide a list of drives, folders, and files to be decrypted, plus one pair of files: an encrypted file and the same file in its original, unencrypted form. The decryptor uses this known pair to recover the password needed to decrypt the rest of the files.
“On the final page, you can opt-in to back up your encrypted files. These backups may help if anything goes wrong during the decryption process. This choice is selected by default, which we recommend,” the researchers added.
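The article does not explain why one original/encrypted pair is enough for the decryptor, so the following added example (not Avast's tool, and not DoNex's actual cipher) models the simplest case in which it is: a ransomware that XORs every file with the same keystream. The known pair exposes that keystream, every file no longer than the known one can then be decrypted, and longer files are reported as undecryptable rather than silently truncated. The victim ID, file names and contents are constructed; the ransom-note naming follows the Readme.<victim ID>.txt pattern described above.

```python
"""Toy known-plaintext decryptor (added example; not the Avast decryptor).

Assumption, not taken from the article: every file is XORed with the same
keystream, so (original XOR encrypted) reveals the keystream prefix.  The real
DoNex weakness is not described on the page.  All sample data is constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional

# Ransom note name pattern from the article: Readme.<victim ID>.txt
NOTE_RE = re.compile(r"^Readme\.([0-9A-Za-z]+)\.txt$")


def keystream(key: bytes, length: int) -> bytes:
    """Deterministic SHA-256 counter keystream standing in for the real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "little")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """The modelled flaw: the same keystream is reused for every file."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def find_victim_id(root: Path) -> Optional[str]:
    """Extract the victim ID from the ransom note file name."""
    for note in root.rglob("Readme.*.txt"):
        m = NOTE_RE.match(note.name)
        if m:
            return m.group(1)
    return None


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """XOR a known plaintext with its ciphertext to obtain the keystream prefix."""
    n = min(len(original), len(encrypted))
    return bytes(a ^ b for a, b in zip(original[:n], encrypted[:n]))


def decrypt(encrypted: bytes, ks: bytes) -> bytes:
    """Refuse to decrypt files longer than the recovered keystream."""
    if len(encrypted) > len(ks):
        raise ValueError("known-plaintext file shorter than target")
    return bytes(c ^ k for c, k in zip(encrypted, ks))


def decrypt_tree(root: Path, original: Path, encrypted: Path) -> Dict[str, Optional[bytes]]:
    """Decrypt every *.<victim ID> file under root using one known pair."""
    victim_id = find_victim_id(root)
    if victim_id is None:
        raise RuntimeError("no ransom note found under " + str(root))
    ks = recover_keystream(original.read_bytes(), encrypted.read_bytes())
    results: Dict[str, Optional[bytes]] = {}
    for enc in sorted(root.rglob(f"*.{victim_id}")):
        try:
            results[enc.name] = decrypt(enc.read_bytes(), ks)
        except ValueError:
            results[enc.name] = None  # too long for the recovered keystream
    return results


def demo() -> Dict[str, Optional[bytes]]:
    """Build a constructed victim directory, then run the decryptor over it."""
    key = b"constructed-per-victim-key"
    victim_id = "f58A66B61C"  # constructed victim ID
    files = {
        "report.docx": b"Quarterly report: revenue up 4%, headcount flat.\n" * 4,
        "notes.txt": b"call vendor re: renewal\n",
        "big.bin": bytes(range(256)) * 2,  # longer than the known plaintext
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / f"Readme.{victim_id}.txt").write_text("Your files are encrypted.\n")
        for name, data in files.items():
            (root / f"{name}.{victim_id}").write_bytes(toy_encrypt(data, key))
        # The victim still holds an untouched copy of report.docx (e.g. from e-mail).
        known = root / "report.docx.orig"
        known.write_bytes(files["report.docx"])
        return decrypt_tree(root, known, root / f"report.docx.{victim_id}")


if __name__ == "__main__":
    for name, data in demo().items():
        print(name, "->", "UNDECRYPTABLE" if data is None else data[:32])
```

In this model the recovered keystream is only as long as the known file, which is why `big.bin` comes back as undecryptable; a real decryptor that recovers the actual key rather than a keystream prefix would not have that limit, and the page does not say which the Avast tool does.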
The team decided to go public with the tool because the weakness was disclosed at the end of June, at the Recon 2024 conference.