DoNex Ransomware Encryption: Flaw in Cryptographic Schema
Experts uncovered a critical flaw in the encryption schema of the DoNex ransomware, including all variations and predecessors. Since March 2024, they’ve worked with law enforcement to covertly provide a decryptor to affected DoNex victims.
The cryptographic vulnerability was widely discussed at Recon 2024, compelling the researchers to reveal the problem and its ramifications publicly.
The Vulnerability
Avast researchers discovered that the DoNex ransomware went through many rebrandings after its original identification as Muse in April 2022. Subsequent rebrands included a reported Fake LockBit 3.0 in November 2022, followed by DarkRace in May 2023, and finally DoNex in March 2024.
Since April 2024, the team has discovered no further copies, and the ransomware group’s public TOR address remained dormant, implying that DoNex’s evolution and rebranding efforts may have ended.
How It Works
The DoNex malware uses a complicated encryption method. During execution, the CryptGenRandom function generates an encryption key. This key is then used to create a ChaCha20 symmetric key, which is later used to encrypt files.