Decrypted: DoNex Ransomware and its Predecessors

July 10, 2024, 10:01 a.m.

Description

Researchers have uncovered a cryptographic flaw in the DoNex ransomware and its previous iterations, which made it possible to build a decryptor tool. The weakness was first discovered in March 2024 and made public at Recon 2024. The ransomware, which has been rebranded several times since it first appeared as Muse in April 2022, is used in targeted attacks focused primarily on the US, Italy, and the Netherlands. During encryption, the malware generates a key with CryptGenRandom(), initializes ChaCha20 symmetric encryption with it, and appends the RSA-4096-encrypted symmetric file key to each file. Configuration data, including whitelisted extensions and processes, is stored in encrypted XML form inside the malware samples.

Date

  • Created: July 10, 2024, 9:33 a.m.
  • Published: July 10, 2024, 9:33 a.m.
  • Modified: July 10, 2024, 10:01 a.m.

Indicators


Attack Patterns

  • Muse
  • DarkRace
  • DoNex
  • LockBit
  • T1490
  • T1489
  • T1486
  • T1547
  • T1106
  • T1105
  • T1083
  • T1055
  • T1499
  • T1204
  • T1059

Additional Information

  • Netherlands
  • Italy