Rescue for victims: the code became the Achilles heel of the DoNex ransomware

Carding Forum

A bug in DoNex opened the way for data recovery.

Avast specialists have discovered a vulnerability in the cryptographic scheme of the DoNex ransomware and its predecessors. Following the discovery, the researchers, together with law enforcement agencies, began quietly providing a decryptor to victims of the ransomware. The vulnerability was announced at the Recon 2024 conference, after which information about the decryptor became publicly available.

The DoNex program has gone through several rebrandings since April 2022, starting with the first version, called Muse. After several changes, the latest version was named DoNex. Since April 2024, development of the ransomware has stopped and no new samples have been detected, which indicates its decline.

DoNex actively attacked its victims, especially in the US, Italy and the Netherlands. Its operators carry out targeted attacks, and the program is especially dangerous because of its ability to adapt and change.

DoNex's encryption process uses the CryptGenRandom() function to generate a key, which then serves as the symmetric ChaCha20 key for encrypting files. After encryption, the per-file key is encrypted with RSA-4096 and appended to the end of the file. DoNex only targets files with the specific extensions listed in its XML configuration.

An important feature of DoNex is that files smaller than 1 MB are fully encrypted, while larger files are partially encrypted — they are divided into blocks, which are then encrypted separately.

With the release of the decryptor, DoNex victims have hope of recovering their data without paying a ransom. The decryption process begins with downloading the decryptor, after which the user follows the step-by-step instructions in the setup wizard, which include selecting the locations to decrypt and a pair of files: the original and its encrypted counterpart. Once the password has been found, decryption begins; it may take some time, but eventually returns access to the data.
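The encryption layout described above (ChaCha20 file body, RSA-4096 footer, full encryption under 1 MB and block-wise partial encryption above it) lends itself to a simple triage heuristic for responders: profile the byte entropy of each block and of the trailing 512 bytes. The following script is an added example for this article, not Avast's or DoNex's code; the 64 KiB block size, the exact footer layout and the seeded random bytes standing in for ChaCha20/RSA output are assumptions, so it is a generic intermittent-encryption profiler, not a DoNex signature.

```python
import math
import random

FULL_ENCRYPT_LIMIT = 1024 * 1024  # from the article: files under 1 MB are fully encrypted
RSA_4096_FOOTER = 512             # an RSA-4096 ciphertext is 512 bytes, appended to the file
BLOCK_SIZE = 64 * 1024            # ASSUMPTION: the article does not give DoNex's block size
MIN_BLOCK = 4096                  # tiny trailing slices give unreliable entropy; skip them
BLOCK_RANDOM = 7.9                # bits/byte; a ChaCha20-encrypted block looks uniformly random
FOOTER_RANDOM = 7.0               # lower bar: 512 random bytes measure only about 7.6 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte (8.0 is ideal random)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def classify(data: bytes) -> str:
    """Label a file by the entropy of its trailing footer and of each body block."""
    if len(data) <= RSA_4096_FOOTER:
        return "too-small"
    body, footer = data[:-RSA_4096_FOOTER], data[-RSA_4096_FOOTER:]
    if shannon_entropy(footer) < FOOTER_RANDOM:
        return "no-random-footer"          # no RSA-style blob at the end: not this scheme
    blocks = [body[i:i + BLOCK_SIZE] for i in range(0, len(body), BLOCK_SIZE)]
    blocks = [b for b in blocks if len(b) >= MIN_BLOCK]
    high = sum(shannon_entropy(b) >= BLOCK_RANDOM for b in blocks)
    if blocks and high == len(blocks):
        return "fully-encrypted"           # expected for files under FULL_ENCRYPT_LIMIT
    return "partially-encrypted" if high else "plaintext-with-random-footer"

def build_samples() -> dict:
    """CONSTRUCTED sample files; a seeded RNG stands in for ChaCha20 and RSA output."""
    rng = random.Random(2024)
    text = b"Quarterly report, confidential. " * (BLOCK_SIZE // 32)  # 64 KiB of low-entropy text
    footer = rng.randbytes(RSA_4096_FOOTER)
    small = rng.randbytes(200 * 1024) + footer   # under 1 MB: every block encrypted
    # 2 MiB file with only every other block encrypted, mimicking block-wise partial encryption
    big = b"".join(rng.randbytes(BLOCK_SIZE) if i % 2 == 0 else text for i in range(32)) + footer
    clean = text * 4                             # untouched document, no footer
    return {"small": small, "big": big, "clean": clean}
```

Real RSA ciphertext and compressed formats (ZIP, JPEG) are also high-entropy, so treat a "partially-encrypted" verdict as a lead for manual inspection rather than proof of infection.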
