Avast Releases Free Decryptor for DoNex Ransomware Victims
Avast has discovered a cryptographic vulnerability in the DoNex ransomware family and has released a free tool to help victims recover their encrypted files. This decryptor allows affected users to restore their data without paying a ransom.
Background and Collaboration with Law Enforcement
Since March 2024, Avast has been working with law enforcement agencies to privately provide the DoNex decryptor to victims. This approach is commonly used by cybersecurity companies to prevent criminals from learning about and fixing the vulnerability. Now that the flaw has been publicly disclosed at the Recon 2024 conference, Avast has made the decryptor available to everyone.
About DoNex and Its Variants
DoNex is a rebranded version of the DarkRace malware, which itself was a rebrand of Muse, first detected in spring 2022. The vulnerability found by Avast affects all previous versions of the DoNex ransomware family, including a fake Lockbit 3.0 variant that was distributed under the name Muse in November 2022.
According to experts, recent DoNex activity has mainly targeted the United States, Italy, and Belgium, but the malware has also spread to other countries worldwide.
Technical Details
During execution, DoNex generates an encryption key using the CryptGenRandom() function, which initializes a symmetric ChaCha20 key to encrypt the victim's files. After encryption, the ChaCha20 key is itself encrypted with RSA-4096 and appended to each file.
Avast has not disclosed the exact nature of the vulnerability, which could involve key reuse, predictable key generation, or other cryptographic flaws.
How to Use the Decryptor
- Avast recommends using the 64-bit version of the decryptor, as the password-cracking stage requires significant memory.
- The tool must be run with administrator privileges.
- To use the decryptor, you will need both an encrypted file and its original, unencrypted version.
- For best results, provide the largest possible file as an example, as this determines the maximum file size the tool can decrypt.
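The usage requirements above (a matching plaintext/ciphertext pair, and the size of the known file bounding what can be recovered) are what you would expect from any stream cipher whose keystream is reused between files. The following added example is not Avast's decryptor nor code from the DoNex sample; it is an illustration written for this article. It assumes a hypothetical encryptor that reuses one ChaCha20 key and nonce across files, which is one of the flaw classes the article lists as possible (Avast has not said which flaw it found). A minimal RFC 8439 ChaCha20 is included so the script runs offline; `recover_keystream`, `decrypt_with_keystream` and `demo_known_plaintext_recovery` are names chosen here, and the key, nonce and file contents are constructed sample data.

```python
import os
import struct

# --- Minimal ChaCha20 (RFC 8439), included so the example needs no third-party package ---

def _rotl32(v: int, c: int) -> int:
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))

def _quarter_round(s: list, a: int, b: int, c: int, d: int) -> None:
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte keystream block for a 32-byte key and 12-byte nonce."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += struct.unpack("<8I", key)
    state.append(counter & 0xFFFFFFFF)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):   # 20 rounds = 10 double rounds (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(w[i] + state[i]) & 0xFFFFFFFF for i in range(16)])

def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encrypt or decrypt: XOR the data with the keystream (the same operation both ways)."""
    out = bytearray()
    block_idx = counter
    while len(out) < len(data):
        out += chacha20_block(key, block_idx, nonce)
        block_idx += 1
    return bytes(d ^ k for d, k in zip(data, out))

# --- The defender's side: keystream recovery from one known plaintext/ciphertext pair ---

def recover_keystream(plaintext: bytes, ciphertext: bytes) -> bytes:
    """For a stream cipher C = P XOR K, so K = P XOR C for every byte whose plaintext is known.
    The secret key is never needed."""
    n = min(len(plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(plaintext[:n], ciphertext[:n]))

def decrypt_with_keystream(keystream: bytes, ciphertext: bytes) -> bytes:
    """Decrypt another file encrypted under the same (reused) keystream.
    Only as many bytes as there is recovered keystream for can be restored, which is
    why a larger known file lets a larger encrypted file be decrypted."""
    if len(ciphertext) > len(keystream):
        raise ValueError(
            f"known plaintext covers {len(keystream)} bytes, file is {len(ciphertext)} bytes")
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))

def demo_known_plaintext_recovery() -> dict:
    """Constructed scenario (hypothetical, not DoNex's actual behaviour): the encryptor
    reuses a single key and nonce for every file it encrypts."""
    key = os.urandom(32)        # constructed: the encryptor's secret, unknown to the defender
    nonce = bytes(12)           # constructed: fixed nonce, i.e. the reuse that makes this work
    original = b"CONSTRUCTED sample file A: " + bytes(range(256)) * 4   # largest file we hold both copies of
    victim_file = b"CONSTRUCTED sample file B, smaller than A" * 10     # only the encrypted copy survives
    too_big = b"Z" * 2000                                               # longer than the known plaintext

    ct_a = chacha20_xor(key, nonce, original)
    ct_b = chacha20_xor(key, nonce, victim_file)
    ct_big = chacha20_xor(key, nonce, too_big)

    ks = recover_keystream(original, ct_a)        # no key required
    recovered = decrypt_with_keystream(ks, ct_b)  # full recovery of the smaller file
    try:
        decrypt_with_keystream(ks, ct_big)        # fails: not enough keystream
        oversized_decrypted = True
    except ValueError:
        oversized_decrypted = False
    return {"recovered": recovered, "expected": victim_file,
            "max_decryptable": len(ks), "oversized_decrypted": oversized_decrypted}

if __name__ == "__main__":
    r = demo_known_plaintext_recovery()
    print("recovered file matches original:", r["recovered"] == r["expected"])
    print("max decryptable size (bytes):", r["max_decryptable"])
```

The `ValueError` branch is the point of the "largest possible file" advice: the recovered keystream is exactly as long as the known plaintext, so any encrypted file longer than that cannot be fully restored this way. The ChaCha20 block function can be checked against the RFC 8439 test vector (key `00..1f`, nonce `000000090000004a00000000`, counter 1 gives a block starting `10 f1 e7 e4 d1 3b 59 15`).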