Avast Secretly Gave DoNex Ransomware Decryptors To Victims

Updated Researchers at Avast have provided decryptors to DoNex ransomware victims on the down-low since March after discovering a flaw in the crims’ cryptography, the company confirmed today.

They also published the decryptor for all to use now that the group appears to no longer present a serious threat in the cybersecurity landscape, after its dark web page was shut down in April.

Delegates of Canada’s Recon conference, most recently held at the end of June, were the first to hear of the news announced publicly today. Avast offered a brief explanation about how DoNex encrypts victims’ data, but annoyingly didn’t actually offer any insight into the flaw in its schema.

“During the ransomware execution, an encryption key is generated by CryptGenRandom() function,” Avast says in a blog post. “This key is then used to initialize ChaCha20 symmetric key and subsequently to encrypt files. After a file is encrypted, the symmetric file key is encrypted by RSA-4096 and appended to the end of the file. The files are picked by their extension, and file extensions are listed in the ransomware XML config.

“For small files (up to 1 MB), the entire file is encrypted. For files with size greater than 1 MB, intermittent encryption is used – the file is split into blocks and those blocks are encrypted separately.”

That’s all it was willing to share, however. El Reg pressed it for answers but the company didn’t immediately respond to questions.

The decryptor itself is available as a free download and Avast recommends victims run it as administrator, preferably while using the 64-bit version. 

It says the password-cracking process is highly memory-intensive, but should only take about a second, so opt for the 64-bit version where possible.

What’s DoNex ransomware?

DoNex isn’t the most recognizable name in ransomware, but it has been around for a while under various guises.

Avast reckons it started off in April 2022 under the name “Muse” before rebranding in November of that year to a fake version of LockBit 3.0. 

The genuine version was launched by Dmitry Khoroshev’s gang in June 2022 but the builder was leaked months later in September, rumored to be the work of a disgruntled LockBit member, and DoNex’s imitation was one of many that spun up as a result.

The ransom note of the fake version bore many similarities to the genuine article, with a few changes such as the contact address – victims weren’t actually dealing with LockBit after all.

In May 2023, another rebrand was carried out, this time to what appeared to be a brand-new operation called DarkRace, claiming several victims mainly based in Italy, Malwarebytes said last year. A Broadcom advisory also published last year said its payload was similar to that of LockBit 3.0, so it seems like very little effort was spent on developing a novel strain throughout its lifecycle.

Avast said DoNex was the final rebrand, which took place in March this year and was the most short-lived of the lot, lasting around just a single month.

Again, it targeted victims in locations including Italy, the US, Belgium, Netherlands, and – a ransomware rarity – Russia.

The ransom note was almost a verbatim copy of DarkRace’s, once again suggesting the crims behind it didn’t pull any muscles in trying to bring something novel to the table – probably just trying to make a quick buck with as little effort as possible. ®

Updated at 14.53 UTC on July 8, 2024, to add:

Following publication of this article, Avast responded to our questions with a statement. The Reg had asked Jakub Kroustek, director of malware research, for more details about the specific flaw that allowed the company to develop a decryptor, but he wouldn’t divulge any specifics.

Referencing the ChaCha20 symmetric cipher used by DoNex, Kroustek said: “The discovered crypto flaw in this process that allowed us to decrypt files without the need of paying the ransom.”

READ MORE HERE