{"id":25609,"date":"2024-07-08T19:00:41","date_gmt":"2024-07-08T19:00:41","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=25609"},"modified":"2024-07-16T16:11:47","modified_gmt":"2024-07-16T16:11:47","slug":"donex-ransomware-decryptor-released","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/donex-ransomware-decryptor-released\/","title":{"rendered":"Donex, DarkRace, fake LockBit 3.0 and Muse Ransomware Decryptor Released"},"content":{"rendered":"<p><strong>A decryptor for Donex ransomware<\/strong>, also known under the names Muse, DarkRace and fake LockBit 3.0, has been released by Avast specialists. They had known about a flaw in the cipher for almost half a year and used it to help victims with decryption privately; now they are making the decryptor tool available to everyone. This is yet another ransomware family that has become decryptable since the beginning of 2024.<\/p>\n<h2>Donex a.k.a. Muse\/DarkRace\/fake LockBit 3.0 Decryptor Released<\/h2>\n<p>On July 8, 2024, researchers from Avast Decoded <a href=\"https:\/\/decoded.avast.io\/threatresearch\/decrypted-donex-ransomware-and-its-predecessors\/\" rel=\"noopener nofollow\" target=\"_blank\">published a decryptor tool<\/a> for Donex ransomware. This malware family has been active since April 2022, originally bearing the name \u201cMuse ransomware\u201d. In November of the same year, its operators started mimicking the LockBit 3.0 ransomware, following <a href=\"https:\/\/gridinsoft.com\/blogs\/lockbit-builder-leaked\/\">the leak of the builder tool<\/a> of this infamous malware. About half a year later, the threat actor opted for the name DarkRace, which changed once again in March 2024 to Donex ransomware. That March rebranding appears to be the last in the group&#8217;s existence, as no new samples have appeared since May of that year. 
And now, <strong>all its victims will be able to get their files back<\/strong> without paying a penny.<\/p>\n<div class=\"su-image-carousel  su-image-carousel-has-spacing su-image-carousel-has-outline su-image-carousel-adaptive su-image-carousel-slides-style-default su-image-carousel-controls-style-dark su-image-carousel-align-center\" style=\"\" data-flickity-options='{\"groupCells\":true,\"cellSelector\":\".su-image-carousel-item\",\"adaptiveHeight\":true,\"cellAlign\":\"left\",\"prevNextButtons\":true,\"pageDots\":true,\"autoPlay\":5000,\"imagesLoaded\":true,\"contain\":false,\"selectedAttraction\":0.007,\"friction\":0.25}' id=\"su_image_carousel_696d0689805b5\"><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" decoding=\"async\" width=\"1029\" height=\"753\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/07\/muse-ransomware.webp\" class=\"\" alt=\"Muse ransom note\" title=\"\"><span>Ransom note of Muse ransomware<\/span><\/div><\/div><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" decoding=\"async\" width=\"1029\" height=\"753\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/07\/darkrace.webp\" class=\"\" alt=\"DarkRace Ransomware note\" title=\"\"><span>Ransom note of DarkRace ransomware<\/span><\/div><\/div><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" decoding=\"async\" width=\"1029\" height=\"753\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/07\/fake-lockbit.webp\" class=\"\" alt=\"Ransom note Fake Lockbit 3.0\" title=\"\"><span>Ransom note of fake Lockbit 3.0 ransomware<\/span><\/div><\/div><div class=\"su-image-carousel-item\"><div class=\"su-image-carousel-item-content\"><img loading=\"lazy\" decoding=\"async\" width=\"1029\" height=\"753\" 
src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/07\/donex.webp\" class=\"\" alt=\"Donex ransom note\" title=\"\"><span>Ransom note of Donex ransomware<\/span><\/div><\/div><\/div>\n<p>Avast has had the decryptor on hand since March 2024, using it for almost half a year without public disclosure. This allowed them to save money for quite a few companies that fell victim <a href=\"https:\/\/gridinsoft.com\/ransomware\">to the malware<\/a>, while the hackers had no clue that something was going on. But now, a few months past the last sign of Donex ransomware activity, they have decided to make the decryptor public. An effective, working decryption solution is possible because of a flaw in the ransomware\u2019s encryption mechanism.<\/p>\n<p><strong>Why didn\u2019t they just make it public<\/strong> as soon as they discovered that flaw? Well, that would have given the hackers a clue about where exactly the vulnerability was, leading to it being patched, which would consequently render the decryptor useless. What the cybercriminals saw instead was a slow but steady decrease in the number of victims paying the ransom. And even though this may be a clue in itself, it gives no indication of where exactly the issue is.<\/p>\n<h2>How do I use the decryptor?<\/h2>\n<p>The program that the researchers released has a friendly interface that is easy to use even for an ordinary user. 
After downloading it from the developers\u2019 website, one will see an interface with a detailed description of each step to go through. <strong>The only requirement is to have a so-called file pair<\/strong>: the same file in both its encrypted and \u201cnormal\u201d state. This allows the tool to figure out the decryption key.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/07\/avast-decryptor-donex.webp\" alt=\"Avast decryptor for Donex\" width=\"710\" height=\"537\" class=\"aligncenter size-full wp-image-25618\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/07\/avast-decryptor-donex.webp 710w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/07\/avast-decryptor-donex-300x227.webp 300w\" sizes=\"auto, (max-width: 710px) 100vw, 710px\" \/><\/p>\n<p>Once the key has been recovered, the program will automatically proceed with the rest of the files. The time this takes depends on the number of files and, obviously, the system\u2019s computing power. Unfortunately, there is no mass-decryption tool that would lift the encryption from an entire network, for example. 
Still, this is better than nothing, especially considering that the fraudsters are no longer active and will likely ignore even genuine contacts for payment or negotiations.<\/p>\n<p>A decryptor for <a href=\"https:\/\/gridinsoft.com\/blogs\/black-basta-ransomware-free-decryptor-available\/\">one more ransomware<\/a> is yet another reason to emphasize: you should never pay the hackers. <strong>Sooner or later, there will be a solution<\/strong> that will manage to get your files back. For now, keep your infrastructure protected and always have a backup stored in a reliable place.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A decryptor for Donex ransomware, also known under the names Muse, DarkRace and fake LockBit 3.0, has been released by Avast specialists. They had known about a flaw in the cipher for almost half a year and used it to help victims with decryption privately; now they are making the decryptor tool available to everyone. 
This is yet another ransomware [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":25620,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[15],"tags":[548,55],"class_list":{"0":"post-25609","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-security-news","8":"tag-decryption-keys","9":"tag-ransomware"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/07\/donex-decryptor-released-featured.webp","author_info":{"display_name":"Stephanie Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/25609","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=25609"}],"version-history":[{"count":6,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/25609\/revisions"}],"predecessor-version":[{"id":25623,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/25609\/revisions\/25623"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/25620"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=25609"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=25609"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=25609"}],"curies
":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}