Decrypted: DoNex Ransomware and its Predecessors
July 10, 2024, 10:01 a.m.
Tags
External References
Description
Researchers have found a cryptographic weakness in the DoNex ransomware and in the earlier variants built from the same code, which made it possible to create a decryptor. The weakness was identified in March 2024 and was disclosed publicly at Recon 2024. The family first appeared as Muse in April 2022 and has been rebranded several times since, including a build posing as LockBit 3.0, then DarkRace, and most recently DoNex. It is used in targeted attacks, with most observed victims in the US, Italy, and the Netherlands. At runtime the ransomware generates a key with CryptGenRandom(), uses it to initialize ChaCha20 symmetric encryption of the victim's files, then encrypts each file's symmetric key with RSA-4096 and appends the result to the end of that file. The sample's configuration, including whitelisted file extensions and process names, is stored as an encrypted XML document inside the malware.
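The encryption scheme described above, modelled as an added example (this is not the malware's code nor the published decryptor): ChaCha20 per RFC 8439 in pure Python, a textbook RSA key pair downsized from 4096 bits as a stand-in for the attacker's key, and the file layout of ChaCha20 ciphertext followed by an RSA-wrapped file key. The nonce handling, the big-endian integer encoding of the wrapped key, and the absence of OAEP padding are assumptions made for the demo; the real samples' trailer format is not documented on this page, and the sample document and key sizes are constructed.

```python
import random
import secrets
import struct

MASK = 0xFFFFFFFF
KEY_LEN, NONCE_LEN = 32, 12   # ChaCha20 key and IETF nonce sizes


def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK


def _quarter(s, a, b, c, d):
    # RFC 8439 quarter round on four words of the 16-word state
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)


def _block(key, counter, nonce):
    # State: "expand 32-byte k" constants, 8 key words, block counter, 3 nonce words
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8I", key)
    state.append(counter & MASK)
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):                      # 20 rounds = 10 column/diagonal pairs
        _quarter(w, 0, 4, 8, 12); _quarter(w, 1, 5, 9, 13)
        _quarter(w, 2, 6, 10, 14); _quarter(w, 3, 7, 11, 15)
        _quarter(w, 0, 5, 10, 15); _quarter(w, 1, 6, 11, 12)
        _quarter(w, 2, 7, 8, 13); _quarter(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK for x, y in zip(w, state)])


def chacha20(key, nonce, data, counter=1):
    """ChaCha20 keystream XOR; the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = _block(key, counter + off // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[off:off + 64], ks))
    return bytes(out)


def _probable_prime(n, rounds=32):
    # Miller-Rabin; adequate for a demo key, not for a production key generator
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2; r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits=1024, e=65537):
    """Textbook RSA key pair (downsized stand-in for the attacker's RSA-4096 key)."""
    def prime(b):
        while True:
            c = secrets.randbits(b) | (1 << (b - 1)) | 1
            if (c - 1) % e and _probable_prime(c):
                return c
    p = prime(bits // 2)
    q = prime(bits // 2)
    while q == p:
        q = prime(bits // 2)
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))


def encrypt_file(plaintext, pub):
    """Ransomware side: fresh per-file key, ChaCha20 body, RSA-wrapped key appended."""
    n, e = pub
    file_key = secrets.token_bytes(KEY_LEN)      # stands in for CryptGenRandom()
    nonce = secrets.token_bytes(NONCE_LEN)       # storing the nonce in the trailer is an assumption
    body = chacha20(file_key, nonce, plaintext)
    wrapped = pow(int.from_bytes(file_key + nonce, "big"), e, n)   # textbook RSA, no OAEP (demo only)
    return body + wrapped.to_bytes((n.bit_length() + 7) // 8, "big")


def decrypt_file(blob, priv):
    """Decryptor side: split off the trailer, unwrap the file key, undo ChaCha20."""
    n, d = priv
    tlen = (n.bit_length() + 7) // 8             # 512 bytes for a real RSA-4096 key
    if len(blob) < tlen:
        raise ValueError("file too short to carry an RSA-wrapped key trailer")
    body, trailer = blob[:-tlen], blob[-tlen:]
    kn = pow(int.from_bytes(trailer, "big"), d, n).to_bytes(KEY_LEN + NONCE_LEN, "big")
    return chacha20(kn[:KEY_LEN], kn[KEY_LEN:], body)


# Constructed self-check against the RFC 8439 section 2.4.2 test vector
RFC8439_KEY = bytes(range(32))
RFC8439_NONCE = bytes.fromhex("000000000000004a00000000")
RFC8439_MSG = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
               b"only one tip for the future, sunscreen would be it.")


def rfc8439_ciphertext_prefix():
    return chacha20(RFC8439_KEY, RFC8439_NONCE, RFC8439_MSG).hex()[:32]


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    sample = b"Q1 revenue figures (constructed sample document)\n" * 40
    enc = encrypt_file(sample, pub)
    print("encrypted size:", len(enc), "trailer bytes:", len(enc) - len(sample))
    print("round trip ok:", decrypt_file(enc, priv) == sample)
    print("RFC 8439 vector ok:", rfc8439_ciphertext_prefix() == "6e2e359a2568f98041ba0728dd0d6981")
```

The point of the model for a responder is the trailer: every file carries its own ChaCha20 key, but only wrapped under the attacker's public key, so a correct instance of this scheme gives no way back to `file_key` without the private exponent. A free decryptor for such a family therefore has to rest on an implementation weakness in the sample rather than on breaking RSA-4096 or ChaCha20, which is consistent with the page's description of a flaw rather than a key leak; this page does not state what that flaw is.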
Date
Published: July 10, 2024, 9:33 a.m.
Created: July 10, 2024, 9:33 a.m.
Modified: July 10, 2024, 10:01 a.m.
Indicators (SHA-256 file hashes)
b9b4766d6b0e63f80d49e969fbd63ae90b0d1e487ef008b55c096bf46395d32e
9d5c4544bd06335c2ad2545b0d177218f84b77dd1834b22bf6a4cfe7e1de91fb
91745d530a8304742b58890e798448de9fbe4ea0bc057f30ab0beb522b4bb688
04ed1a811b3594f55486a52ab81227089c178f5c73944a3a9665d7052c3b7df9
74b5e2d90daaf96657e4d3d800bb20bf189bb2cf487479ea0facaf6182e0d1d3
0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4
0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca
6d6134adfdf16c8ed9513aba40845b15bd314e085ef1d6bd20040afd42e36e40
Attack Patterns
Muse
DarkRace
DoNex
LockBit
T1490 Inhibit System Recovery
T1489 Service Stop
T1486 Data Encrypted for Impact
T1547 Boot or Logon Autostart Execution
T1106 Native API
T1105 Ingress Tool Transfer
T1083 File and Directory Discovery
T1055 Process Injection
T1499 Endpoint Denial of Service
T1204 User Execution
T1059 Command and Scripting Interpreter
Additional Information
Netherlands
Italy