CyberSecurity SEE

Researchers have released a decryptor for DoNex ransomware

Researchers have recently uncovered a critical flaw in the cryptographic system of the DoNex ransomware and all its related versions and predecessors. This discovery has led to a collaboration between the researchers and law enforcement agencies to discreetly provide a decryptor to DoNex victims since March 2024.

The flaw in the cryptographic schema of the DoNex ransomware was publicly discussed during the Recon 2024 event, prompting the researchers to officially reveal the details of the vulnerability and its potential consequences.

The DoNex ransomware first appeared as Muse in April 2022 and was rebranded several times afterwards: Fake LockBit 3.0 in November 2022, DarkRace in May 2023, and finally DoNex in March 2024. Since April 2024, however, no new samples have been detected and its official TOR address has remained inactive, suggesting that its development and rebranding have stopped.

DoNex's encryption scheme works as follows: it calls the Windows CryptGenRandom function to generate the random material that initializes a ChaCha20 symmetric key, and encrypts the file contents with that key. The ChaCha20 key is then encrypted with RSA-4096 and appended to the affected file. Larger files are encrypted in blocks rather than in full, and the ransomware's configuration is stored in an XOR-encrypted configuration file.
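The XOR-encrypted configuration file is the part of this scheme an analyst can usually recover without any private key, and it is where the targeted extensions and ransom note name normally live. The script below is an added example, not code from the page or from the researchers' decryptor: it assumes (the page does not say so) that the configuration is a JSON document and that the XOR key is a single repeated byte, brute-forces all 256 key bytes, and accepts only the candidate that parses as a JSON object. The sample configuration, its field names and the key byte 0x5C are constructed for this example and do not reproduce the real DoNex configuration.

```python
"""Recover a single-byte XOR-encrypted configuration blob.

Added example, not code from the page or from the researchers' decryptor.
Assumptions not stated on the page: the configuration is a JSON object and
the XOR key is one repeated byte. A longer repeating key would need a
per-column search, but the same JSON validation step applies.
"""
import json
from typing import Optional, Tuple

# Constructed sample configuration: field names and values are invented for
# this example and do not reproduce the real DoNex configuration.
SAMPLE_CONFIG = {
    "note_name": "Readme.txt",
    "extensions": [".docx", ".xlsx", ".pdf"],
    "skip_dirs": ["Windows", "Program Files"],
    "block_size_kb": 1024,
}
SAMPLE_KEY = 0x5C  # constructed key byte, used only to build the test blob


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of *data* with the single byte *key* (self-inverse)."""
    return bytes(b ^ key for b in data)


def build_sample_blob() -> bytes:
    """Produce an XOR-encrypted blob the way the constructed sample stores it."""
    return xor_bytes(json.dumps(SAMPLE_CONFIG).encode("ascii"), SAMPLE_KEY)


def try_parse_config(candidate: bytes) -> Optional[dict]:
    """Accept a candidate plaintext only if it decodes as ASCII and parses
    as a JSON object; anything else is rejected as a wrong key guess."""
    try:
        obj = json.loads(candidate.decode("ascii"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def recover_xor_config(blob: bytes) -> Optional[Tuple[int, dict]]:
    """Brute-force all 256 single-byte keys and return (key, config) for the
    first candidate that yields a JSON object, or None if none does."""
    for key in range(256):
        cfg = try_parse_config(xor_bytes(blob, key))
        if cfg is not None:
            return key, cfg
    return None


def extract_indicators(cfg: dict) -> dict:
    """Pull the fields a defender wants from the recovered config: the ransom
    note filename (to hunt for on disk) and the targeted extensions."""
    return {
        "note_name": cfg.get("note_name"),
        "extensions": sorted(cfg.get("extensions", [])),
    }


if __name__ == "__main__":
    result = recover_xor_config(build_sample_blob())
    if result is None:
        print("no single-byte key produced a JSON object")
    else:
        key, cfg = result
        print(f"recovered key byte 0x{key:02x}")
        print(extract_indicators(cfg))
```

Validating by parsing rather than by "looks printable" matters: a wrong key byte that differs from the true one in a single bit often produces mostly printable output, but it will not produce a well-formed JSON object, so the parse check rejects it without any scoring heuristics.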

Although the researchers have not explicitly described the decryption method, further information on the cryptographic vulnerability is available in the materials of the Recon 2024 talk titled "Cryptography is hard: Breaking the DoNex ransomware", presented by Gijs Rijnders, a malware reverse engineer and cyber threat intelligence analyst with the Dutch National Police.

The DoNex ransomware primarily targeted victims in the US, Italy, and Belgium. The researchers have confirmed that all variants of DoNex, as well as its earlier versions, can be decrypted with the provided decryptor tool.

Victims can identify a DoNex attack by the ransom note the malware leaves behind. Although the different variants produce distinct ransom notes, they share a common layout. The researchers have also published instructions for running the decryptor tool against DoNex-encrypted files, stressing that the largest available pair of files should be chosen for the decryption process.

Furthermore, the researchers have shared Indicators of Compromise (IOCs) for the Fake LockBit 3.0, DarkRace, and DoNex variants of the ransomware. As the collaboration between researchers and law enforcement agencies continues, efforts to counter the threats posed by ransomware attacks like DoNex are expected to evolve further.
