
Avast secretly gave DoNex ransomware decryptors to victims before crims vanished
2024-07-08 12:44

Researchers at Avast have provided decryptors to DoNex ransomware victims on the down-low since March after discovering a flaw in the crims' cryptography, the company confirmed today.

Avast offered a brief explanation about how DoNex encrypts victims' data, but annoyingly didn't actually offer any insight into the flaw in its scheme.

"During the ransomware execution, an encryption key is generated by CryptGenRandom() function," Avast says in a blog post.

"This key is then used to initialize ChaCha20 symmetric key and subsequently to encrypt files. After a file is encrypted, the symmetric file key is encrypted by RSA-4096 and appended to the end of the file. The files are picked by their extension, and file extensions are listed in the ransomware XML config."

"For small files, the entire file is encrypted. For files with size greater than 1 MB, intermittent encryption is used - the file is split into blocks and those blocks are encrypted separately."
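A triage sketch for the behaviour Avast describes, added here as an example and not taken from Avast's decryptor or the original article: it profiles a file block by block with Shannon entropy to tell whole-file encryption from intermittent encryption. The 64 KiB scan block, the 7.9 bits/byte threshold and all function names are assumptions, as is the reading that intermittent encryption leaves some blocks as plaintext (the quote does not spell this out); compressed formats also score as high entropy, so a "full" result needs corroboration.

```python
import hashlib
import math
from collections import Counter

BLOCK_SIZE = 64 * 1024  # assumption: scan granularity, not DoNex's actual block size
HIGH_ENTROPY = 7.9      # assumption: bits per byte; ciphertext sits just under 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())


def block_profile(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """One bool per full block: True when the block looks like ciphertext."""
    # A short trailing block (for example an appended wrapped key) is skipped:
    # too few bytes give an unreliable entropy estimate.
    full_blocks = len(data) // block_size
    if full_blocks == 0:
        return [shannon_entropy(data) >= HIGH_ENTROPY] if data else []
    return [shannon_entropy(data[i * block_size:(i + 1) * block_size]) >= HIGH_ENTROPY
            for i in range(full_blocks)]


def classify(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Return 'plain', 'full' or 'intermittent' for a file's contents."""
    profile = block_profile(data, block_size)
    high = sum(profile)
    if high == 0:
        return "plain"
    return "full" if high == len(profile) else "intermittent"


def constructed_samples() -> dict:
    """Constructed test data: SHAKE-256 output stands in for ciphertext."""
    noise = hashlib.shake_256(b"constructed sample").digest(BLOCK_SIZE)
    text = (b"invoice,2024-07-08,paid\n" * BLOCK_SIZE)[:BLOCK_SIZE]
    return {
        "plain": text * 32,
        "full": noise * 4 + noise[:512],      # small file plus a 512-byte tail
        "intermittent": (noise + text) * 16,  # 2 MiB, alternating blocks
    }


if __name__ == "__main__":
    for name, blob in constructed_samples().items():
        print(name, len(blob), classify(blob))
```
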

The decryptor itself is available as a free download and Avast recommends victims run it as administrator, preferably while using the 64-bit version.


News URL

https://go.theregister.com/feed/www.theregister.com/2024/07/08/avast_secretly_gave_donex_ransomware/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Avast 28 0 20 25 4 49