Decrypted: DoNex Ransomware and its Predecessors

July 10, 2024, 10:01 a.m.


Researchers have uncovered a cryptographic flaw in the DoNex ransomware and its previous iterations, allowing for the creation of a decryptor tool. Initially discovered in March 2024, this cryptographic weakness was made public at Recon 2024. The ransomware, which has undergone several rebrands since its inception as Muse in April 2022, utilizes targeted attacks primarily focused on the US, Italy, and the Netherlands. Its encryption process involves generating a key through CryptGenRandom(), initializing ChaCha20 symmetric encryption, and appending the RSA-4096 encrypted symmetric file key to each file. Configuration data, including whitelisted extensions and processes, is stored in an encrypted XML format within the malware samples.


Published Created Modified
July 10, 2024, 9:33 a.m. July 10, 2024, 9:33 a.m. July 10, 2024, 10:01 a.m.


Attack Patterns

Additional informations