DoNex Ransomware Decrypted: How to Use Avast Decrypter

Avast has released a decryptor for the DoNex ransomware and offers a free recovery solution to victims of DoNex and its predecessors.

DoNex, Muse, DarkRace and the fake LockBit 3.0 are all names for one ransomware family that has been active since April 2022 and, according to Avast telemetry, primarily targets companies in the US, Italy and Belgium. DoNex is the latest version of the ransomware and first appeared in March 2024.

Avast discovered a flaw in the cryptographic scheme used by DoNex and its predecessors earlier this year and, in cooperation with law enforcement, has been providing a decryptor privately to victims since March 2024, according to a blog post the company published on Monday.

Avast has now made the decryption tool public following a presentation at Recon 2024 on June 30 that described how the Dutch National Police reverse engineered DoNex and decrypted affected files by exploiting the same cryptographic flaw.

The Dutch police had said they would publish their own decryptor through the NoMoreRansom platform; a DoNex decryptor appeared in the platform's list of public decryption tools on July 8.

How to use Avast DoNex Ransomware Decryptor

The Avast decryptor works on all four DoNex variants: Muse (active from April 2022), fake LockBit 3.0 (active from November 2022), DarkRace (active from May 2023) and the latest DoNex (active from March 2024).

The variants can be told apart by their ransom notes. The fake LockBit 3.0 note pretends to come from the real LockBit ransomware gang.

Victims should first run the decryption executable and proceed past the license information page to supply the list of directories that need to be decrypted. Next, the user provides an encrypted file together with the unencrypted original of the same file. Avast recommends choosing the largest file pair available to increase the likelihood of successful decryption.

Once the file pair is selected, the tool attempts to crack the DoNex password required to complete decryption. Avast notes that this step is memory-intensive and can take several hours, although it adds that it "usually takes just a second."

Before decryption begins, the user is given the option to back up the encrypted files, which is recommended in case an error occurs during decryption. Finally, clicking "Decrypt" starts the recovery process.

DoNex calls the Windows CryptGenRandom() function to generate its encryption key, which it uses to initialize ChaCha20 and then to encrypt files. After a file is encrypted, the symmetric key is encrypted with RSA-4096 and appended to the end of the file. Files up to 1 MB are encrypted in full, while files larger than 1 MB are split into blocks that are encrypted separately.
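The page does not say what the cryptographic flaw is. The recovery procedure it describes, which needs an original/encrypted pair of the same file and works best with the largest pair available, has the shape of a known-plaintext attack on a stream cipher whose keystream is reused across files: XORing a known plaintext with its ciphertext yields the keystream, and that keystream decrypts any other file encrypted under the same key and nonce, up to the number of bytes recovered. The Python below is an added example written for this page, not Avast's decryptor and not code from the DoNex samples. It models that assumed weakness using a from-scratch ChaCha20 (checked against the RFC 8439 block test vector) and the file layout described above, ciphertext followed by an appended wrapped key. The 512-byte trailer stands in for the RSA-4096 blob (random bytes, not real RSA), a single key and nonce shared by every file is the assumed flaw, all file contents are constructed, and the 1 MB block split for large files is not modelled.

```python
"""Model of a stream-cipher ransomware format with a reused keystream, and the
known-plaintext recovery a file pair makes possible.  Constructed illustration
only; the key/nonce reuse is an assumption, not a documented DoNex detail."""
import os
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(x, a, b, c, d):
    # The ChaCha quarter round from RFC 8439, operating in place on x.
    x[a] = (x[a] + x[b]) & MASK32; x[d] ^= x[a]; x[d] = _rotl32(x[d], 16)
    x[c] = (x[c] + x[d]) & MASK32; x[b] ^= x[c]; x[b] = _rotl32(x[b], 12)
    x[a] = (x[a] + x[b]) & MASK32; x[d] ^= x[a]; x[d] = _rotl32(x[d], 8)
    x[c] = (x[c] + x[d]) & MASK32; x[b] ^= x[c]; x[b] = _rotl32(x[b], 7)


def chacha20_block(key: bytes, counter: int, nonce: bytes) -> bytes:
    """One 64-byte ChaCha20 keystream block (RFC 8439, 32-bit counter, 96-bit nonce)."""
    assert len(key) == 32 and len(nonce) == 12
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += list(struct.unpack("<8L", key))
    state.append(counter & MASK32)
    state += list(struct.unpack("<3L", nonce))
    x = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(x, 0, 4, 8, 12); _quarter_round(x, 1, 5, 9, 13)
        _quarter_round(x, 2, 6, 10, 14); _quarter_round(x, 3, 7, 11, 15)
        _quarter_round(x, 0, 5, 10, 15); _quarter_round(x, 1, 6, 11, 12)
        _quarter_round(x, 2, 7, 8, 13); _quarter_round(x, 3, 4, 9, 14)
    return struct.pack("<16L", *[(a + b) & MASK32 for a, b in zip(x, state)])


def chacha20_keystream(key: bytes, nonce: bytes, length: int, counter: int = 1) -> bytes:
    out = bytearray()
    while len(out) < length:
        out += chacha20_block(key, counter, nonce)
        counter += 1
    return bytes(out[:length])


def chacha20_xor(key: bytes, nonce: bytes, data: bytes, counter: int = 1) -> bytes:
    """Encryption and decryption are the same XOR with the keystream."""
    return bytes(a ^ b for a, b in zip(data, chacha20_keystream(key, nonce, len(data), counter)))


TRAILER_LEN = 512  # size of an RSA-4096 ciphertext; here an opaque stand-in


def encrypt_file(plaintext: bytes, file_key: bytes, nonce: bytes) -> bytes:
    """Whole-file encryption (the <= 1 MB case): ChaCha20 body, then the
    wrapped key appended at the end.  Random bytes stand in for RSA-4096."""
    wrapped_key_stand_in = os.urandom(TRAILER_LEN)
    return chacha20_xor(file_key, nonce, plaintext) + wrapped_key_stand_in


def recover_keystream(original: bytes, encrypted: bytes) -> bytes:
    """Known-plaintext step: C = P xor KS, so P xor C = KS, for exactly as
    many bytes as the original file provides.  A bigger pair gives more KS."""
    body = encrypted[:-TRAILER_LEN]
    n = min(len(original), len(body))
    return bytes(p ^ c for p, c in zip(original[:n], body[:n]))


def decrypt_with_keystream(encrypted: bytes, keystream: bytes) -> tuple:
    """Decrypt another file that (by assumption) used the same key and nonce.
    Returns (recovered prefix, number of ciphertext bytes left undecrypted)."""
    body = encrypted[:-TRAILER_LEN]
    n = min(len(body), len(keystream))
    return bytes(c ^ k for c, k in zip(body[:n], keystream[:n])), len(body) - n


def rfc8439_block_selfcheck() -> bool:
    """First 16 bytes of the RFC 8439 section 2.3.2 block test vector."""
    key = bytes(range(32))
    nonce = bytes.fromhex("000000090000004a00000000")
    return chacha20_block(key, 1, nonce)[:16] == bytes.fromhex("10f1e7e4d13b5915500fdd1fa32071c4")


def run_demo(key: bytes, nonce: bytes) -> dict:
    """One key and one nonce for every file is the modelled weakness."""
    known_original = b"Constructed known plaintext: quarterly report draft. " * 25
    victim_small = b"Constructed victim file, shorter than the known pair. " * 10
    victim_large = b"Constructed victim file, longer than the known pair. " * 40
    ks = recover_keystream(known_original, encrypt_file(known_original, key, nonce))
    small_rec, small_left = decrypt_with_keystream(encrypt_file(victim_small, key, nonce), ks)
    large_rec, large_left = decrypt_with_keystream(encrypt_file(victim_large, key, nonce), ks)
    return {
        "keystream_bytes": len(ks),
        "small_ok": small_rec == victim_small and small_left == 0,
        "large_prefix_ok": large_rec == victim_large[: len(ks)],
        "large_total": len(victim_large),
        "large_left": large_left,
    }


if __name__ == "__main__":
    print("RFC 8439 self-check:", rfc8439_block_selfcheck())
    print(run_demo(os.urandom(32), os.urandom(12)))
```

The result shows why the largest available pair matters: the file that is shorter than the known pair comes back whole, while the file that is longer than it is recovered only for the first `keystream_bytes` bytes and the remainder stays encrypted. A real decryptor for such a flaw would also have to account for any per-file block structure, which this model leaves out.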

According to Avast, no new DoNex-related ransomware samples have been seen since April 2024, and the group's darknet site has been unreachable since around the same time, suggesting that development of the family has stalled.