
Antivirus firm Avast gave DoNex ransomware decryption to victims

Written by Thu 11 Jul 2024

After discovering a weakness in the DoNex ransomware software, antivirus company Avast began offering victims a decrypting solution.

As far back as March, security researchers decided to share their findings privately with victims, but not to publish the fix.

Since its launch in April 2022, DoNex has gone through a number of versions, most notably being called LockBit 3.0 and DarkRace. In targeted attacks on victims, who were mostly based in the US, Italy and the Netherlands, the DoNex ransomware would encrypt all files under 1MB and individually encrypt files over 1MB.

A ransom note would appear to impacted users telling them their data has been stolen and encrypted. If a ransom is not paid, the note reads, all data will be published on a TOR website.

Avast researchers said that during the ransomware's execution, an encryption key is generated by the CryptGenRandom() function.

“This key is then used to initialise ChaCha20 symmetric key and subsequently to encrypt files. After a file is encrypted, the symmetric file key is encrypted by RSA-4096 and appended to the end of the file. The files are picked by their extension, and file extensions are listed in the ransomware XML config,” said Avast researchers.

The decryptor can now be downloaded for free directly from Avast; users then run the file as an administrator to remove the ransomware after around one second. There appears to have been no activity from DoNex since April 2024, and the TOR site has also been down since April this year.
