Researchers Decrypted DoNex Ransomware And It’s Rebranded Versions

Researchers discovered a flaw in the DoNex ransomware’s encryption scheme, allowing them to create a decryptor for DoNex and its predecessors (Muse, fake LockBit 3.0, DarkRace). 

The decryptor has been secretly provided to victims since March 2024 in collaboration with law enforcement, which was publicly revealed in July 2024, making the secret decryption effort unnecessary. 

EHA

DoNex, which emerged from a series of rebrandings since April 2022, seems to have ceased activity by April 2024. The decryptor works for all DoNex variants and targets victims primarily in the US, Italy, and Belgium. 

DoNex blocked attacks

The ransomware leverages CryptGenRandom() to generate a key for initializing the ChaCha20 symmetric cipher used for file encryption, which is appended with its corresponding RSA-4096 encrypted symmetric key.

Join our free webinar to learn about combating slow DDoS attacks, a major threat today.

File targeting is based on extensions defined in an XML configuration file; for small files, whole-file encryption is employed, and for larger files (>1 MB), they undergo intermittent encryption, where the file is split and each block is encrypted independently. 

DoNex ransomware can be identified by the presence of a ransom note left on the infected machine, which typically informs the victim that their data is encrypted and will be leaked if a ransom is not paid and also includes instructions on how to access a payment portal on the dark web. 

Ransomware Configuration

Be aware that other ransomware families, like Fake LockBit and DarkRace, use similar ransom note layouts, so additional checks might be needed for definitive identification.  

An analysis of DoNex ransomware by Avast reveals XOR-encrypted configuration files containing critical settings for the encryption process, which include whitelisted extensions and files designating specific data to be excluded from encryption. 

The configuration specifies services to be terminated during the attack, potentially hindering system operation or data recovery attempts by playing a vital role in how DoNex ransomware targets and encrypts victim systems. 

Screenshot of the Fake LockBit ransom note

The DoNex ransomware decryptor is a wizard-based tool that guides users through recovering encrypted files. After launching the program, users specify locations for decryption and provide an original file paired with its encrypted counterpart. 

After that, the tool uses a significant amount of system memory to crack the password, most likely using brute force. 

Once the password is identified, users can initiate the decryption of all files and optionally create backups of encrypted data for safety while the decryption process commences, restoring the affected files.

"Is Your System Under Attack? Try Cynet XDR: Automated Detection & Response for Endpoints, Networks, & Users!"- Free Demo