Decrypted: DoNex Ransomware and its Predecessors
Essential information
- Published
- 10/07/2024 09:33
- Modified
- 10/07/2024 10:01
- Tags
- 2024-07-10 chacha20 cryptography darkrace donex encryption lockbit muse ransomware rebranding
- Related entities
- 8 observables, 11 techniques (mitre), 4 malware, 2 others
Description
Researchers have uncovered a cryptographic flaw in the DoNex ransomware and its previous iterations, allowing for the creation of a decryptor tool. Initially discovered in March 2024, this cryptographic weakness was made public at Recon 2024. The ransomware, which has undergone several rebrands since its inception as Muse in April 2022, utilizes targeted attacks primarily focused on the US, Italy, and the Netherlands. Its encryption process involves generating a key through CryptGenRandom(), initializing ChaCha20 symmetric encryption, and appending the RSA-4096 encrypted symmetric file key to each file. Configuration data, including whitelisted extensions and processes, is stored in an encrypted XML format within the malware samples.