Avast secretly provided victims with DoNex ransomware decryptors before the criminals disappeared

Updated: Researchers at Avast have been secretly distributing decryptors to victims of DoNex ransomware since March after discovering a flaw in the criminals’ cryptography, the company confirmed today.

They have also published the decryptor for anyone to use, now that the group no longer appears to pose a serious threat to the cybersecurity sector after the dark web page was shut down in April.

Delegates at Canada’s Recon conference, which was last held in late June, were among the first to hear the news that was made public today. Avast provided a brief explanation of how DoNex encrypts victims’ data, but, unfortunately, offered no insight into the flaw in the scheme.

“During execution of the ransomware, an encryption key is generated by the CryptGenRandom() function,” Avast said in a blog post. “This key is then used to initialize the ChaCha20 symmetric key and subsequently to encrypt files. After a file is encrypted, the symmetric file key is encrypted using RSA-4096 and appended to the end of the file. Files are selected by their extension, and file extensions are listed in the ransomware’s XML configuration.

“For small files (up to 1 MB), the entire file is encrypted. For files larger than 1 MB, intermittent encryption is used: the file is split into blocks and the blocks are encrypted separately.”

However, that was all it wanted to share. The Reg asked the company for answers, but it did not immediately respond to our questions.
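As an added example (not Avast's code and not part of the original article), the following Python triage script works from the file layout Avast describes above: it skips the RSA-4096 blob appended to each file (512 bytes for a 4096-bit modulus) and scores Shannon entropy per window to map which parts of a large, intermittently encrypted file were actually touched, and how many bytes still look like untouched plaintext. The 64 KiB window and the constructed sample file are assumptions; DoNex's real block size is not published.

```python
import math
import os
from collections import Counter

RSA4096_BLOB_LEN = 512      # RSA-4096 ciphertext of the file key, appended to each file
WINDOW = 64 * 1024          # scan window; assumed, DoNex's real block size is not published


def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte: ~8.0 for ChaCha20 output, much lower for typical plaintext."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def map_encrypted_regions(data: bytes, threshold: float = 7.5):
    """Return (body_len, [(offset, entropy, is_encrypted), ...]), skipping the RSA trailer."""
    if len(data) <= RSA4096_BLOB_LEN:
        raise ValueError("too short to carry the appended RSA-4096 key blob")
    body = data[:-RSA4096_BLOB_LEN]
    regions = []
    for off in range(0, len(body), WINDOW):
        h = shannon_entropy(body[off:off + WINDOW])
        regions.append((off, round(h, 2), h >= threshold))
    return len(body), regions


def recoverable_bytes(data: bytes) -> int:
    """Bytes sitting in windows that still look like plaintext (partial-recovery triage)."""
    body_len, regions = map_encrypted_regions(data)
    return sum(min(WINDOW, body_len - off) for off, _, enc in regions if not enc)


def build_sample(n_windows: int, encrypted_windows) -> bytes:
    """Constructed stand-in for an encrypted file: repetitive text, the listed
    windows overwritten with random bytes, plus a random 512-byte trailer."""
    body_len = n_windows * WINDOW
    body = bytearray((b"plain text record\n" * (body_len // 18 + 1))[:body_len])
    for i in encrypted_windows:
        body[i * WINDOW:(i + 1) * WINDOW] = os.urandom(WINDOW)
    return bytes(body) + os.urandom(RSA4096_BLOB_LEN)


if __name__ == "__main__":
    sample = build_sample(4, [0, 2])          # 256 KiB body, windows 0 and 2 "encrypted"
    body_len, regions = map_encrypted_regions(sample)
    for off, h, enc in regions:
        print(f"offset {off:>7}: entropy {h:.2f} -> {'encrypted' if enc else 'plaintext'}")
    print(f"{recoverable_bytes(sample)} of {body_len} bytes look recoverable")
```

Run it against a real sample only on a copy; the script reads the file and never modifies it, but a forensic workflow should still work from an image.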

The decryptor itself is free to download, and Avast recommends victims run it as an administrator, preferably with the 64-bit version.

Avast says that cracking the password takes a lot of memory but should only take a second, so it advises choosing the 64-bit version wherever possible.

What is DoNex ransomware?

DoNex isn’t the most recognizable name in the ransomware field, but it has been around in various guises for a while now.

Avast suspects it started operating under the name “Muse” in April 2022 and rebranded as a fake version of LockBit 3.0 in November of that year.

The original version was launched in June 2022 by Dmitry Khoroshev’s gang, but the builder leaked months later, in September. Rumors circulated that it was the work of a disgruntled LockBit member. The DoNex imitation was one of many that sprung up as a result.

The ransom note of the fake version was very similar to the real one, with a few changes, such as the contact address. After all, the victims had nothing to do with LockBit at all.

In May 2023, there was another rebranding, this time to what appeared to be a brand new operation called DarkRace, which claimed several victims primarily based in Italy, Malwarebytes said last year. A Broadcom advisory also published last year said the payload was similar to that of LockBit 3.0, so it appears very little effort went into developing a new strain over its lifecycle.

According to Avast, DoNex was the last name change, which took place in March of this year and was the shortest of them all, lasting only a month.

Once again, it targeted victims in countries including Italy, the US, Belgium, the Netherlands and – a rarity in ransomware – Russia.

The ransom note was almost a literal carbon copy of DarkRace’s, again indicating that the criminals behind it didn’t flex their muscles to bring anything new to the table – they were likely just trying to make a quick buck with as little effort as possible. ®

Updated on July 8, 2024 at 14:53 UTC to add:

Following the publication of this article, Avast responded to our questions with a statement. The Reg had asked Jakub Kroustek, director of malware research, for more details about the specific flaw that allowed the company to develop a decryptor, but he declined to provide details.

Referring to the symmetric ChaCha20 encryption used by DoNex, Kroustek said: “A crypto flaw was discovered in this process that allowed us to decrypt files without having to pay the ransom.”
