Avast researchers found a cryptographic weakness in the DoNex ransomware family and its predecessors and have, together with law enforcement, been providing decryptors to victims since March 2024; the findings were made public at Recon 2024. The analysis covers DoNex's evolution (Muse -> Fake LockBit -> DarkRace -> DoNex), its encryption scheme (ChaCha20 with an RSA-4096-wrapped per-file key), and its targeted operations in the US, Italy, and Belgium.
#DoNex #Muse #DarkRace #FakeLockBit #LockBit3.0 #Avast #Recon2024
Keypoints
- DoNex has gone through multiple brands since April 2022, with the decryptor officially supporting all variants (Muse, Fake LockBit 3.0, DarkRace, and DoNex).
- DoNex victims were targeted, with activity concentrated in the US, Italy, and Belgium based on Avast telemetry.
- The ransomware generates an encryption key with CryptGenRandom(), uses it to initialize ChaCha20 and encrypts files with that stream cipher; the symmetric key is then RSA-4096-encrypted and appended to the file.
- Small files (≤1 MB) are encrypted in full; larger files are split into blocks and only part of each block is encrypted (intermittent encryption), which keeps encryption fast on large files.
- The configuration is XOR-encrypted and lists whitelisted extensions and files, services to kill, and other encryption-related data; its kill_keep list names processes to terminate, and the quoted entries cover databases, backup software (Veeam), browsers and Office applications.
- Ransomware notes differ by brand but share a common structure, aiding victims in identifying the infection family; Avast provides a decryptor and a step-by-step recovery workflow.
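Added example, not Avast's or DoNex's code: a pure-Python model of the symmetric layer described in the points above. The key comes from the OS CSPRNG (standing in for CryptGenRandom()), ChaCha20 follows RFC 8439, files at or below 1 MiB are encrypted whole, and larger files are split into blocks of which only a prefix is encrypted. The 1 MiB block size, the 64 KiB encrypted prefix and the 12-byte nonce are assumptions chosen for illustration, not values from the write-up; the RSA-4096 wrapping of the key and the exact trailer layout are not modelled.

```python
"""Model of a DoNex-style symmetric layer: ChaCha20 with a CSPRNG key, whole-file
encryption up to 1 MiB, block-wise partial (intermittent) encryption above that.
Added illustration; block/prefix sizes and the nonce are assumptions."""
import os
import struct

ONE_MIB = 1024 * 1024
BLOCK = ONE_MIB                 # assumed block size for large files (not from the page)
ENCRYPT_PER_BLOCK = 64 * 1024   # assumed encrypted prefix per block (not from the page)


def _rotl32(v, c):
    return ((v << c) & 0xFFFFFFFF) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)


def _chacha20_block(key, nonce, counter):
    """One 64-byte keystream block (RFC 8439 state: constants, 32-byte key, 32-bit counter, 12-byte nonce)."""
    state = (list(struct.unpack("<4I", b"expand 32-byte k"))
             + list(struct.unpack("<8I", key))
             + [counter & 0xFFFFFFFF]
             + list(struct.unpack("<3I", nonce)))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round + diagonal round)
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & 0xFFFFFFFF for x, y in zip(w, state)])


def chacha20_xor(key, nonce, data, counter=0):
    """XOR data with the keystream starting at block `counter`; encryption and decryption are the same call."""
    out = bytearray(len(data))
    for i in range(0, len(data), 64):
        ks = _chacha20_block(key, nonce, counter + i // 64)
        chunk = data[i:i + 64]
        out[i:i + len(chunk)] = bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def generate_key():
    """Stand-in for CryptGenRandom(): a 32-byte key and a 12-byte nonce from the OS CSPRNG."""
    return os.urandom(32), os.urandom(12)


def plan_ranges(size, block=BLOCK, per_block=ENCRYPT_PER_BLOCK):
    """Byte ranges that get encrypted: the whole file up to 1 MiB, otherwise a prefix of every block."""
    if size <= ONE_MIB:
        return [(0, size)]
    return [(start, min(start + per_block, size)) for start in range(0, size, block)]


def encrypt_intermittent(data, key, nonce):
    """Apply ChaCha20 only on the planned ranges. The keystream block counter is tied to the
    file offset (block starts are multiples of 64), so the same function also decrypts."""
    buf = bytearray(data)
    for start, end in plan_ranges(len(data)):
        buf[start:end] = chacha20_xor(key, nonce, bytes(buf[start:end]), counter=start // 64)
    return bytes(buf)


decrypt_intermittent = encrypt_intermittent  # stream cipher: XOR with the same keystream restores the file


if __name__ == "__main__":
    k, n = generate_key()
    sample = bytes(range(256)) * (3 * ONE_MIB // 256)   # constructed 3 MiB input
    enc = encrypt_intermittent(sample, k, n)
    print("encrypted ranges:", plan_ranges(len(sample)))
    print("round trip ok:", decrypt_intermittent(enc, k, n) == sample)
```

Two practical points follow from the model. Because the symmetric layer is a stream cipher, decryption is the same XOR with the same keystream, so a decryptor needs nothing but the per-file key and its position in the file; that is exactly what the RSA-4096 wrapping is meant to deny a victim. And with intermittent encryption most of a large file is untouched, which is why file-size heuristics alone (entropy of the whole file) are a weak detection signal for this family: only the encrypted prefix of each block has high entropy.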
MITRE Techniques
- [T1486] Data Encrypted for Impact – A key is generated with CryptGenRandom(), used to initialize ChaCha20 and encrypt files; the symmetric key is then RSA-4096-encrypted and appended to the file.
  “… During the ransomware execution, an encryption key is generated by CryptGenRandom() function. This key is then used to initialize ChaCha20 symmetric key and subsequently to encrypt files.”
- [T1027] Obfuscated Files or Information – Samples carry an XOR-encrypted configuration holding the encryption settings and other data.
  “… samples of the DoNex ransomware… contain XOR-encrypted configuration, which contains settings of whitelisted extensions, whitelisted files, services to kill, and other encryption-related data.”
- [T1562.001] Impair Defenses: Disable or Modify Tools – The malware terminates the processes and services named in the configuration's kill_keep list; the quoted entries are database, backup (Veeam), browser and Office processes rather than dedicated security products.
  “… sql;oracle;mysq;chrome;veeam;firefox;excel;msaccess;onenote;outlook;powerpnt;wuauclt …”
- [T1036] Masquerading – DoNex and its predecessors went through several brand changes (Muse, Fake LockBit 3.0, DarkRace) before arriving at DoNex, with the Fake LockBit phase imitating LockBit 3.0.
  “… The DoNex ransomware has been rebranded several times. The first brand, called Muse, appeared in April 2022. Multiple evolutions followed, resulting in the final version of the ransomware, called DoNex.”
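Added example covering the XOR-encrypted configuration noted under Keypoints and under T1027/T1562.001 above; it is not Avast's or DoNex's code. The blob, the XOR key and the field names are constructed for illustration (only the kill_keep value is the list quoted from the write-up), and substring matching of process names is an assumption, since the page does not say how the sample compares names.

```python
"""Decoding an XOR-protected ransomware configuration and evaluating its kill list.
Added illustration; blob, key and field layout are constructed, not DoNex's."""
import json


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample configuration. Field names follow the settings the page lists;
# the kill_keep value is the list quoted from the Avast write-up.
SAMPLE_KEY = b"\x7a\x3c\x91\x5e"   # constructed key, not a real DoNex key
SAMPLE_CONFIG = {
    "white_extensions": "exe;dll;sys;msi",
    "white_files": "ntuser.dat;bootmgr;desktop.ini",
    "kill_keep": "sql;oracle;mysq;chrome;veeam;firefox;excel;msaccess;onenote;outlook;powerpnt;wuauclt",
    "services": "vss;sql;backup",
}
ENCRYPTED_BLOB = xor_bytes(json.dumps(SAMPLE_CONFIG).encode("utf-8"), SAMPLE_KEY)


def decrypt_config(blob, key):
    """XOR-decrypt the blob and parse it. A wrong key yields non-UTF-8 or non-JSON bytes,
    which is reported as ValueError instead of returning garbage."""
    plain = xor_bytes(blob, key)
    try:
        return json.loads(plain.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("wrong key or unexpected configuration layout") from exc


def split_list(value):
    """Semicolon-separated config string to a list of lowercase, non-empty entries."""
    return [v.strip().lower() for v in value.split(";") if v.strip()]


def match_processes(kill_entries, running):
    """Map each running process name to the kill-list entries that hit it. Case-insensitive
    substring matching is assumed here (the quoted entry 'mysq' only makes sense as a
    partial name); the page does not state the sample's comparison rule."""
    hits = {}
    for proc in running:
        matched = [e for e in kill_entries if e in proc.lower()]
        if matched:
            hits[proc] = matched
    return hits


if __name__ == "__main__":
    cfg = decrypt_config(ENCRYPTED_BLOB, SAMPLE_KEY)
    kill = split_list(cfg["kill_keep"])
    # constructed process list standing in for a host's running processes
    sample = ["sqlservr.exe", "mysqld.exe", "Veeam.Backup.Service.exe", "explorer.exe"]
    for proc, why in match_processes(kill, sample).items():
        print(f"{proc}: killed because of {why}")
```

When writing a real extractor the same pattern applies: locate the encrypted blob in the sample, try the candidate key, and treat a parse failure as a wrong key rather than trusting whatever bytes come out. The process-matching step is also the part worth turning into a detection: a process that terminates database, backup and Office processes in quick succession is unusual for legitimate software.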
Indicators of Compromise
- [Hash] 9d5c4544bd06335c2ad2545b0d177218f84b77dd1834b22bf6a4cfe7e1de91fb – Muse
- [Hash] 04ed1a811b3594f55486a52ab81227089c178f5c73944a3a9665d7052c3b7df9 – FakeLockBit 3.0
- [Hash] 0ec61a80e61f56f460fc42e5d4f0accec2b04c8db98c28ed4534946214076f2a – FakeLockBit 3.0
- [Hash] 2e397dcbcc630b492c01af9cb6033edd9c857e2881bead6956e43aefb16b6a21 – FakeLockBit 3.0
- [Hash] 91745d530a8304742b58890e798448de9fbe4ea0bc057f30ab0beb522b4bb688 – FakeLockBit 3.0
- [Hash] 74b5e2d90daaf96657e4d3d800bb20bf189bb2cf487479ea0facaf6182e0d1d3 – Dark Race
- [Hash] 0adde4246aaa9fb3964d1d6cf3c29b1b13074015b250eb8e5591339f92e1e3ca – DoNex
- [Hash] b32ae94b32bcc5724d706421f915b7f7730c4fb20b04f5ab0ca830dc88dcce4e – DoNex
- [Hash] 6d6134adfdf16c8ed9513aba40845b15bd314e085ef1d6bd20040afd42e36e40 – DoNex
- [URL] https://files.avast.com/files/decryptor/avast_decryptor_donex.exe – Avast's DoNex decryptor download (a benign recovery tool listed for reference, not an indicator of compromise)
Read more: https://decoded.avast.io/threatresearch/decrypted-donex-ransomware-and-its-predecessors/