{"id":165469,"date":"2024-07-09T07:51:34","date_gmt":"2024-07-09T07:51:34","guid":{"rendered":"https:\/\/securityaffairs.com\/?p=165469"},"modified":"2024-07-09T07:51:37","modified_gmt":"2024-07-09T07:51:37","slug":"donex-ransomware-decryptor","status":"publish","type":"post","link":"https:\/\/securityaffairs.com\/165469\/malware\/donex-ransomware-decryptor.html","title":{"rendered":"Avast released a decryptor for DoNex Ransomware and its predecessors"},"content":{"rendered":"
<\/div>\n

Avast developed and released a decryptor for the DoNex ransomware family that allows victims to recover their files for free.<\/h2>\n\n\n\n

Avast researchers identified a cryptographic flaw in the DoNex ransomware and its predecessors that allowed them to develop a decryptor. The experts revealed the weakness during the Recon 2024 conference<\/a>.<\/p>\n\n\n\n

Avast has also been making a decryptor available since March 2024 that allows victims to recover their files for free.<\/p>\n\n\n\n

“All brands of the DoNex ransomware are supported by the decryptor.” reads the announcement<\/strong><\/a>. “DoNex uses targeted attacks on its victims and it was most active in the US, Italy, and Belgium based on our telemetry.”<\/em><\/p>\n\n\n\n

In cooperation with law enforcement, the company has been silently providing the decryptor to victims so that the ransomware authors would not learn how it was developed.<\/p>\n\n\n\n

DoNex is a rebrand of the Muse and DarkRace ransomware; the family first appeared in the threat landscape in April 2022.<\/p>\n\n\n\n

\"DoNex<\/a><\/figure>\n\n\n\n

Upon execution, an encryption key is generated by the CryptGenRandom()<\/a> function. The malicious code uses this key to initialize a ChaCha20 symmetric cipher and then encrypts files. Once a file is encrypted, the symmetric file key is itself encrypted with RSA-4096 and appended to the end of the file. Files are selected by extension, and the targeted extensions are listed in the ransomware's XML config.<\/p>\n\n\n\n

As with other ransomware, small files (up to 1 MB) are encrypted in full. For files larger than 1 MB, the ransomware uses intermittent encryption: each file is split into blocks that are encrypted separately.<\/p>\n\n\n\n

Samples of the DoNex ransomware and its previous versions contain XOR-encrypted configurations. These configurations include settings for whitelisted extensions, whitelisted files, services to kill, and other encryption-related data.<\/p>\n\n\n\n

The decryptor for DoNex ransomware is available for free here<\/a>.\u00a0The researchers strongly recommend using the 64-bit version of the decryption tool because the password-cracking process requires a lot of memory.<\/p>\n\n\n\n

As usual, experts recommend backing up encrypted files before using the decryption tool in case anything goes wrong during the decryption process.<\/p>\n\n\n\n

The researchers also provided Indicators of Compromise (IOCs) for this threat.<\/p>\n\n\n\n

Pierluigi Paganini<\/strong><\/a><\/p>\n\n\n\n

Follow me on Twitter: @securityaffairs<\/strong><\/a> and Facebook<\/strong><\/a> and Mastodon<\/a><\/p>\n\n\n\n

(<\/strong>SecurityAffairs<\/strong><\/a>\u00a0\u2013<\/strong>\u00a0hacking, ransomware)<\/strong><\/p>\n\n\n\n

<\/p>\n","protected":false},"excerpt":{"rendered":"

Avast developed and released a decryptor for the DoNex ransomware family that allows victims to recover their files for free. Avast researchers identified a cryptographic flaw in the DoNex ransomware and its predecessors that allowed them to develop a decryptor. The experts revealed the weakness during the Recon 2024 conference. Avast also released a decryptor […]<\/p>\n","protected":false},"author":1,"featured_media":165476,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3323,3,7,55],"tags":[88,5020,15209,4112,9508,9506,10918,687,841,1533],"class_list":["post-165469","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-breaking-news","category-cyber-crime","category-malware","category-security","tag-cybercrime","tag-decryptor","tag-donex-ransomware","tag-hacking","tag-hacking-news","tag-information-security-news","tag-it-information-security","tag-pierluigi-paganini","tag-security-affairs","tag-security-news"],"yoast_head":"\n