Czech Antivirus Firm Avast Cracks DoNex Ransomware, Offering Decryption Keys
Czech-based antivirus developer Avast recently announced that it has obtained decryption keys for the DoNex ransomware. The family was initially known as Muse, later masqueraded as LockBit 3.0, was then rebranded DarkRace, and finally adopted the name DoNex in March 2024.
Once DoNex infects a device, it calls the Windows CryptGenRandom() function to generate an encryption key. This key initializes a ChaCha20 symmetric cipher, which is then used to encrypt files.
DoNex encrypts files smaller than 1MB in full. Larger files are split into segments and only some of them are encrypted (intermittent encryption), a strategy most likely chosen to finish encryption faster.
After a file is encrypted, the ChaCha20 key is itself encrypted with RSA-4096 and appended to the end of the file. Avast found a flaw in this scheme and used it to recover the keys, which it packaged into a decryptor.
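The file layout described above (an encrypted body, fully or only partially encrypted depending on size, followed by a 512-byte RSA-4096-wrapped key) can be checked for with a simple entropy profile. The following Python script is an added illustration, not code from the article or from Avast: it assumes only that an RSA-4096 ciphertext is 512 bytes and sits at the very end of the file, since the exact DoNex footer format is not given here, and the sample files, file names, window size and entropy threshold are all constructed for the demonstration.

```python
import math
import random
from collections import Counter

# Assumptions (not from the article): an RSA-4096 ciphertext is 512 bytes and is the
# very last thing in an encrypted file; the real DoNex footer layout is not known here.
RSA4096_BYTES = 512
SMALL_FILE_LIMIT = 1 << 20      # 1 MB: the article's full-vs-intermittent threshold
CHUNK = 64 * 1024               # window size for the body entropy profile (chosen here)
HIGH_ENTROPY = 7.0              # bits/byte; random-looking data scores close to 8


def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size window, so partial encryption shows up as a mix."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def triage(data: bytes) -> dict:
    """Classify one file's bytes against the layout described for DoNex."""
    trailer, body = data[-RSA4096_BYTES:], data[:-RSA4096_BYTES]
    highs = [e >= HIGH_ENTROPY for e in entropy_profile(body)]
    if not any(highs):
        pattern = "plaintext"
    elif all(highs):
        pattern = "full"
    else:
        pattern = "intermittent"
    size_class = "small" if len(data) < SMALL_FILE_LIMIT else "large"
    trailer_high = shannon_entropy(trailer) >= HIGH_ENTROPY
    # Per the article: a small file should be fully encrypted, a large one intermittently.
    expected = "full" if size_class == "small" else "intermittent"
    return {
        "size_class": size_class,
        "body_pattern": pattern,
        "high_windows": sum(highs),
        "total_windows": len(highs),
        "trailer_high_entropy": trailer_high,
        "matches_description": trailer_high and pattern == expected,
    }


def build_samples() -> dict:
    """Constructed stand-ins: repeated text for plaintext, seeded random bytes in
    place of ciphertext. The file names are invented and carry no meaning."""
    rng = random.Random(2024)
    text = b"The quick brown fox jumps over the lazy dog. "
    plain = text * 20000                                        # ~900 KB of text
    small_enc = rng.randbytes(300_000) + rng.randbytes(RSA4096_BYTES)
    text_block = (text * (2 * CHUNK // len(text) + 1))[:2 * CHUNK]   # exactly 128 KB
    parts = []
    for i in range(10):                                         # 10 x 128 KB = 1.25 MB body
        parts.append(rng.randbytes(2 * CHUNK) if i % 2 == 0 else text_block)
    large_enc = b"".join(parts) + rng.randbytes(RSA4096_BYTES)
    return {"report.txt": plain, "notes.docx": small_enc, "backup.bin": large_enc}


def triage_all(files: dict) -> dict:
    """Run the triage over a name -> bytes mapping (e.g. files read from a share)."""
    return {name: triage(data) for name, data in files.items()}


if __name__ == "__main__":
    for name, rep in triage_all(build_samples()).items():
        flag = "SUSPECT" if rep["matches_description"] else "ok"
        print(f"{name:12} {flag:8} {rep}")
```

On real data the windowed profile is the useful part: a fully encrypted small file gives a flat run of high-entropy windows, an intermittently encrypted large file gives alternating high and low windows, and ordinary documents stay low throughout, so the pattern distinguishes the three cases even before the trailer is examined. Compressed formats (archives, media) will also score high, so the check is a triage signal to be confirmed by hand, not a verdict.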
Avast confirmed that it had been discreetly providing the decryptor to affected users since March 2024. After DoNex's dark web site went offline in April with no sign of revival, the group is presumed inactive, so Avast has now made the decryptor public.
Publishing the decryptor as soon as the flaw was found might have prompted the ransomware group to fix it, making further decryption impossible. This is why Avast quietly offered the decryptor without publicity.
Interestingly, although most ransomware avoids targeting Russia, the country was among DoNex's major victims, suggesting its developers may not be Russian.
The decryptor is available for all users to download from Avast. The decryption process is memory-intensive: given enough memory, the recovery key can be decoded in about a second. Once the recovery key is known, restoring files is straightforward, though recovering every file can still take hours or even days.
Decryptor download link: Avast DoNex Decryptor