Flawed Cryptography Becomes the Achilles’ Heel of the DoNex Extortionists

At the Recon 2024 conference, Avast researchers announced that they had found a vulnerability in the cryptographic scheme of the DoNex ransomware and its predecessors. To help victims of DoNex, the researchers worked with law enforcement agencies to develop a decryptor in secret. After the conference, information about the decryptor was made public.

Since April 2022 the ransomware has gone through several rebrandings: it was initially known as Muse and was later renamed DoNex. Development appears to have stopped in April 2024, as no new samples have been found since then, which points to a decline of the operation.

DoNex actively sought out victims, particularly in the USA, Italy and the Netherlands, using targeted attacks that were adapted to each victim, which made it especially dangerous.

To encrypt files, DoNex generates a key with the Windows CryptGenRandom() function and uses it as the ChaCha20 symmetric key. After encryption, each file key is encrypted with RSA-4096 and appended to the end of the file. DoNex only targets files whose extensions are listed in its XML configuration.

Notably, DoNex fully encrypts files smaller than 1 MB, while larger files are only partially encrypted: they are split into blocks that are encrypted separately.

The decryptor gives DoNex victims hope of recovering their data without paying a ransom. Using it involves downloading the decryptor, following the step-by-step wizard, selecting the locations to decrypt, and supplying a pair consisting of an original file and its encrypted copy. Once the password has been successfully recovered, access to the data is restored, although the decryption itself may take some time.
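The article does not say why the decryptor needs an original/encrypted file pair, and the specific flaw Avast found is not disclosed here. The following added example (not Avast's or DoNex's code) illustrates the generic property of a stream cipher such as ChaCha20 that makes known plaintext so valuable for recovery: original XOR encrypted yields the keystream, and anything else encrypted under the same key and nonce then decrypts without the key. The reuse of one key and nonce across two files, and the file contents, are constructed assumptions for the demonstration only.

```python
import os
import struct

MASK = 0xFFFFFFFF

def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """RFC 7539 block function: 64 bytes of keystream for (key, counter, nonce)."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    work = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column round, then diagonal round)
        for qr in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                   (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(work, *qr)
    return struct.pack("<16I", *((w + s) & MASK for w, s in zip(work, state)))

def chacha20_xor(key, nonce, data, counter=1):
    """Encrypt or decrypt (the same operation): XOR the data with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], block))
    return bytes(out)

def recover_keystream(original, encrypted):
    """Known-plaintext step: original XOR encrypted is exactly the keystream that was used."""
    return bytes(p ^ c for p, c in zip(original, encrypted))

def decrypt_with_keystream(keystream, encrypted):
    """Apply a recovered keystream to another ciphertext; only the covered prefix is recoverable."""
    return bytes(k ^ c for k, c in zip(keystream, encrypted))

# Constructed demo data: one CSPRNG key and nonce reused for two files (the weak pattern assumed here).
KEY, NONCE = os.urandom(32), os.urandom(12)
FILE_A = b"invoice-2024.docx constructed sample content " * 8
FILE_B = b"quarterly-report.xlsx constructed sample content " * 6
ENC_A, ENC_B = chacha20_xor(KEY, NONCE, FILE_A), chacha20_xor(KEY, NONCE, FILE_B)

def demo_recovery():
    """Recover FILE_B from ENC_B using only the (FILE_A, ENC_A) pair, never the key."""
    return decrypt_with_keystream(recover_keystream(FILE_A, ENC_A), ENC_B)
```

The defensive lesson is the same one a decryptor author relies on: a per-file key, or at least a unique nonce per file, is what prevents one known pair from unlocking the rest.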
