Ransomware, Incident Response

DoNex ransomware decoded: How to use Avast decryptor


Avast released a decryptor for DoNex ransomware, offering a free recovery solution for victims of DoNex and its predecessors.

DoNex, Muse, DarkRace and fake LockBit 3.0 are all names for a ransomware family that has been active since April 2022, mostly targeting businesses in the United States, Italy and Belgium, according to Avast’s telemetry data. DoNex is the latest iteration of the virus, first appearing in March 2024.

A vulnerability in the cryptographic method used by DoNex and its predecessors was discovered by Avast earlier this year, and the decryptor has been privately provided to victims since March 2024 with the help of law enforcement, according to an Avast blog post published Monday.

Avast has now published the decryptor tool publicly following a June 30 presentation at Recon 2024 that described how Dutch National Police reverse engineered DoNex to decrypt affected files using the same cryptography flaw.

While Dutch police stated they would provide their own decryptor through the NoMoreRansom platform, the DoNex decryptor did appear among the list of public decryption tools available on the platform as of July 8.

How to use the Avast DoNex ransomware decryptor

The Avast decryptor works on all four DoNex variants: Muse (active from April 2022), fake LockBit 3.0 (active from November 2022), DarkRace (active from May 2023) and the latest DoNex (active from March 2024).

The ransomware variants can be identified by their ransom notes, with the fake LockBit 3.0 ransom note claiming to be from the real LockBit ransomware gang.

Victims should first run the decryptor executable (click here to download) and proceed past the license information page to provide a list of directory locations that need to be decrypted. Next, the user should provide an encrypted file along with an unencrypted version of the same file; Avast recommended selecting the largest possible file pair to increase the likelihood of successful decryption.

Once the files are uploaded, the decryptor tool will attempt to crack the DoNex password, which is needed to complete the decryption process. This process uses a large amount of system memory and may take several hours, although Avast states it “usually only takes a second.”

Prior to the decryption process starting, the user is given the option to back up their encrypted files, which is recommended in case an error occurs during decryption. Lastly, users can click “Decrypt” to start the final recovery process.

DoNex encryption uses the CryptGenRandom() function to generate the encryption key that is used to initialize ChaCha20 symmetric key generation and ultimately encrypt files. At the end of encryption, the symmetric key is encrypted via RSA-4096 and appended to the end of the file. Small files up to 1 MB are fully encrypted while files larger than 1 MB are split into blocks that are encrypted separately.

No new samples of DoNex-related ransomware have been detected since April 2024, according Avast, and its dark web site has also been down since around that time, indicating an apparent halt to the ransomware family’s evolution.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.