[Cyware] Decryptor for DoNex, Muse, DarkRace, (fake) LockBit 3.0 ransomware released – Help Net Security

Summary: Avast researchers have discovered a cryptographic weakness in the DoNex ransomware and its previous versions, allowing them to create a decryptor for files encrypted by these variants.

Threat Actor: DoNex ransomware
Victim: Multiple companies (DoNex ransomware victims)

Key Points:

  • Avast researchers have developed a decryptor for the DoNex ransomware and its previous versions.
  • The DoNex ransomware actor appeared in early March 2024 and targeted companies in the US, Italy, and Belgium.
  • No new samples of DoNex have been detected since April 2024, and the TOR site of the ransomware has been down.

A cryptographic weakness in the DoNex ransomware and its previous incarnations – Muse, fake LockBit 3.0, and DarkRace – has allowed Avast researchers to create a decryptor for files encrypted by all those ransomware variants.

DoNex ransom note (Source: Avast)

“In cooperation with law enforcement organizations, we have been silently providing the decryptor to DoNex ransomware victims since March 2024,” the company’s Threat Research Team has shared on Monday.

About DoNex

The DoNex ransomware actor appeared in early March 2024 and claimed several companies as victims.

Other researchers have shared their analysis of the malware, as well.

“DoNex uses targeted attacks on its victims and it was most active in the US, Italy, and Belgium based on our telemetry,” Avast researchers noted.

“Since April 2024, DoNex seems to have stopped its evolution, as we have not detected any new samples since. Additionally, the TOR site of the ransomware has been down since that point.”

Using the decryptor

Files encrypted by the DoNex ransomware get a unique extension (the victim ID number), and the file with the ransom note is named Readme.victimIDnumber.txt. Ransom notes for DoNex and its previous incarnations are similar, and usually mention the name of the ransomware/group (Muse, DarkRace, etc.).

After downloading the decryptor, victims need to provide a list of drives, folders, and files that need to be decrypted, as well as an encrypted file and the same file in its original form. This will allow the decryptor to figure out the password required to decrypt the rest of the files.

“On the final page, you can opt-in to back up your encrypted files. These backups may help if anything goes wrong during the decryption process. This choice is selected by default, which we recommend,” the researchers added.
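The naming conventions described above (encrypted files carry the victim ID as their extension, and the ransom note is named Readme.victimIDnumber.txt) are enough to build a quick inventory of affected files and folders, which is the list the decryptor asks for. The following Python script is an added example written for this page, not Avast's tool or code; it assumes the victim ID is alphanumeric (the article does not specify its format) and builds a constructed sample directory tree in a temporary folder so that it runs offline.

```python
"""Triage helper: inventory files encrypted by DoNex based on the naming
conventions the article describes (encrypted-file extension = victim ID,
ransom note = Readme.<victimID>.txt). Constructed example, not Avast code."""
import os
import re
import tempfile

# Ransom-note name pattern from the article. The character set of the
# victim ID is an assumption (alphanumeric); adjust if real notes differ.
NOTE_RE = re.compile(r"^Readme\.([A-Za-z0-9]+)\.txt$", re.IGNORECASE)


def find_victim_ids(root):
    """Walk `root` and collect every victim ID found in ransom-note filenames."""
    ids = set()
    for _dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = NOTE_RE.match(name)
            if m:
                ids.add(m.group(1))
    return ids


def find_encrypted_files(root, victim_id):
    """Return paths of files whose extension equals the victim ID."""
    suffix = "." + victim_id.lower()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Case-insensitive match, since most victims run Windows.
            if name.lower().endswith(suffix):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def build_inventory(root):
    """Map each victim ID to its encrypted files and the folders holding them."""
    inventory = {}
    for vid in find_victim_ids(root):
        files = find_encrypted_files(root, vid)
        folders = sorted({os.path.dirname(p) for p in files})
        inventory[vid] = {"files": files, "folders": folders}
    return inventory


def make_sample_tree():
    """Build a constructed directory tree that mimics a share hit by DoNex."""
    root = tempfile.mkdtemp(prefix="donex_triage_")
    vid = "1A2B3C4D"  # constructed placeholder victim ID, not a real one
    layout = {
        "Readme.%s.txt" % vid: "your files are encrypted",
        "docs/report.docx.%s" % vid: "ciphertext-bytes",
        "docs/Readme.%s.txt" % vid: "your files are encrypted",
        "photos/holiday.jpg.%s" % vid: "ciphertext-bytes",
        "photos/untouched.png": "plain-bytes",
    }
    for rel, content in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root, vid


if __name__ == "__main__":
    root, vid = make_sample_tree()
    inv = build_inventory(root)
    for victim_id, entry in inv.items():
        print("victim ID", victim_id, "->", len(entry["files"]), "encrypted files")
        for p in entry["files"]:
            print("  ", os.path.relpath(p, root))
```

The script only matches names; it does not verify that a file was actually encrypted by DoNex. That check belongs to the decryptor itself, which uses the encrypted/original file pair described above to derive the password before touching the rest of the files.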

The team decided to go public with the tool because the weakness was made public at the end of June, at the Recon 2024 conference.


Source: https://www.helpnetsecurity.com/2024/07/08/decryptor-donex-muse-darkrace-fake-lockbit-3-0
