Researchers have discovered a critical flaw in the cryptographic schema of the DoNex ransomware and all of its variants and predecessors. Since then, they have collaborated with law enforcement agencies to discreetly provide a decryptor to affected DoNex victims since March 2024.
The cryptographic vulnerability was publicly discussed at Recon 2024, prompting the researchers to officially disclose details of the flaw and its implications.
DoNex Ransomware Operations
Avast researchers noted that the DoNex ransomware has undergone several rebrandings after initially identifying as Muse in April 2022. Subsequent iterations of DoNex included a rebrand to a purported Fake LockBit 3.0 in November 2022, then to DarkRace in May 2023, and finally to DoNex in March 2024. Since April 2024, the researchers noted that no newer samples were detected, and that the ransomware group’s official TOR address remained inactive, suggesting that DoNex may have ceased its evolution and rebranding attempts.
DoNex ransomware employs a complex encryption process. During its execution, an encryption key is generated using the CryptGenRandom function. This key initializes a ChaCha20 symmetric key, which is then used to encrypt files.
After encryption, the symmetric key is encrypted with RSA-4096 and appended to the affected file. For files up to 1 MB, the entire file is encrypted, while larger files are encrypted in segments of blocks. The ransomware’s configuration, along with details over whitelisted extensions, files, and services to terminate, are stored in an XOR-encrypted configuration file.
While the researchers have not detailed the exact process they used to decipher the decryption, more details related to the same cryptographic vulnerability are available from files related to the Recon 2024 event talk titled “Cryptography is hard: Breaking the DoNex ransomware.” Gijs Rijnders, a malware reverse engineer and cyber threat intelligence analyst working for the Dutch National Police, hosted the talk.
DoNex primarily targeted victims in the US, Italy, and Belgium, using focused attacks. The researchers confirmed that all variants of the DoNex ransomware along with its earlier versions can be decrypted using the released DoNex decryptor.
Identifying DoNex Ransomware and Decryption
Victims of the DoNex ransomware can recognize an attack through the ransom note left by the malware. Although different variants (Fake LockBit, DarkRace and DoNex) of DoNex produce distinct ransom notes, they share a similar layout.
The researchers have shared instructions for using their decryptor against DoNex ransomware encrypted files:
- Download the provided decyptor. (The researchers recommend running the 64-bit version of the program due to memory requirements.)
- Run the decryptor’s executable file as an administrator. The program should run as a wizard, automatically guiding you through the decryption process.
- While the program lists all local drives by default, the user is requested to provide a list of possible locations meant to be decrypted.
- Users are then requested to provide an encrypted file (from any variant of DoNex) as well as a copy of the original file before encryption. The researchers emphasize selecting the biggest possible pair of files for this process.
- The next process of the wizard will begin the password cracking process. The researchers state that while this process of cracking only takes a second, it would require a huge volume of memory. After the step has been completed, users can get ready to begin with the decryption process for all the files on their entire system.
- In the final step, users can opt to back up encrypted files on their system, which may help in the event of failures during the decryption process. The researchers stated that the option is set at default.
- Users can let the program run in an attempt to decrypt all the DoNex encrypted files on their system.
The researchers have also shared Indicators of compromise (IOCs) of the FakeLockBit 3.0, Dark Race and DoNex variants of the ransomware.
