Avast Cracks DoNex Ransomware, Offering the Decryptor
Researchers from Avast have uncovered a critical flaw in the cryptographic schema of the notorious DoNex ransomware and its predecessors. This discovery has enabled Avast, in cooperation with law enforcement agencies, to provide a decryptor to DoNex ransomware victims since March 2024. The cryptographic weakness was made public at Recon 2024.
DoNex, a shape-shifting cyberthreat known for its multiple rebrands (Muse, fake LockBit 3.0, DarkRace), targeted victims primarily in the US, Italy, and Belgium. Since April 2024, no new samples of DoNex have been detected, and its Tor site has been down, suggesting a possible halt in its evolution. All these brands, however, are supported by the newly developed decryptor.
The weakness exploited by Avast lies in the ransomware’s encryption schema, specifically in the generation and use of encryption keys. By leveraging this vulnerability, Avast, in cooperation with law enforcement, has been able to quietly rescue victims’ files without alerting the perpetrators.
The free DoNex ransomware decryptor tool, now available to the public, is user-friendly and guides victims through the decryption process. Given a pair of original and encrypted files supplied by the victim, the tool cracks the encryption password and restores the affected data.
For those who suspect they have been victimized by DoNex or its earlier incarnations, Avast’s decryptor offers a ray of hope. With this powerful tool, victims can reclaim their data and break free from the clutches of ransomware.