Decryption Tool for Muse, DarkRace, and DoNex Released by Avast

Victims can now reclaim their data without shelling out any ransom. We show you how.

Victims of the encryption Trojans Muse, DarkRace and DoNex can now access their data again without paying a ransom.

The clever folks at Avast have found a cryptographic weak spot in the DoNex ransomware and its relatives. Using this discovery, they released a decryption tool. Since March 2024, they've been quietly handing out this decryptor to DoNex victims. Now, Avast has decided to make the tool available as a free download for everyone.

Muse, DarkRace, DoNex Trojan ransomware

According to a report by Avast security researchers, this sneaky malware has been on quite a branding journey. Starting as Muse in April 2022, it morphed into fake LockBit 3.0 by November, transformed into DarkRace by May 2023, and then rebranded as DoNex from March 2024. The decryption tool is designed to tackle all these variants, because why settle for just one headache when you can solve several?

According to the researchers, the malware primarily targeted Italy and the USA, with a few hits in Germany for good measure. How extensive were these attacks? Your guess is as good as ours, because nobody really knows. The good news? No new samples of this ransomware have been spotted since April 2024, and their Tor website has also been offline since then.

Screenshot

Decrypting data

The Avast developers of the decryption tool explain how victims can identify which variant has hit them. After downloading and installing the tool, victims only need to select the folders with the encrypted files. But for the decryption to work, victims need the unencrypted original version of the largest possible encrypted file.

Download Avast Decryptor DoNex here

Only then can the password cracking begin. Since this process requires a lot of memory, the researchers recommend using the 64-bit version of the tool. Avast is not currently explaining exactly where the vulnerability in the encryption can be found.

Find more decryption tools

On the ID Ransomware website, victims of ransomware Trojans can find out which ransomware has attacked them and whether a decryption tool already exists by uploading a ransom note. At the time of this report, the service detects 1145 encryption Trojans.

So, happy decrypting!

about author