Researchers from Avast have discovered a critical flaw in the DoNex ransomware’s cryptographic schema, enabling them to develop a decryptor for all its variants and predecessors. This breakthrough was publicly discussed at Recon 2024, after which details and the decryptor were officially disclosed. Since March 2024, Avast has been working discreetly with law enforcement agencies to provide this decryptor to DoNex victims, helping them recover their encrypted files without paying the ransom.
The DoNex ransomware has undergone several rebrandings since its initial identification as Muse in April 2022. It rebranded to Fake LockBit 3.0 in November 2022, then to DarkRace in May 2023, and finally to DoNex in March 2024. Since April 2024, no new samples have been detected, and the ransomware group’s official TOR address has remained inactive, suggesting the cessation of DoNex operations. Avast researchers have noted that DoNex primarily targeted victims in the US, Italy, and Belgium, using focused attacks.
DoNex employs a complex encryption process to lock victims’ files. During its execution, an encryption key is generated using the CryptGenRandom function. This key is then used to initialize a ChaCha20 symmetric key, which encrypts the files. After the encryption, the symmetric key is encrypted with RSA-4096 and appended to the affected file. For files up to 1 MB, the entire file is encrypted, while larger files are encrypted in segments. Additionally, the ransomware’s configuration file, which includes details on whitelisted extensions, files, and services to terminate, is stored in an XOR-encrypted format.
Victims of DoNex ransomware can now use the released decryptor by following a detailed, guided process provided by Avast. To initiate the decryption, users need to download the 64-bit version of the decryptor due to memory requirements, run it as an administrator, and follow the wizard. They must provide a list of locations to decrypt and supply an encrypted file along with its original unencrypted version. The decryptor then performs a password cracking process, which is quick but memory-intensive, before proceeding with the decryption of all files on the system. Victims can opt to back up encrypted files before starting the decryption process. The successful creation and dissemination of this decryptor mark a significant victory in the fight against ransomware, offering relief to victims in multiple countries. More insights into the cryptographic vulnerability and the decryption process were shared by Gijs Rijnders, a malware reverse engineer and cyber threat intelligence analyst with the Dutch National Police, during his talk at Recon 2024.
Reference:
