
The Cybersecurity Lair™ • July 8, 2024

Latest News | New Decryptor Unveiled for DoNex, Muse, DarkRace, and Fake LockBit 3.0 Ransomware

Avast researchers have created a decryptor for DoNex ransomware and its variants by exploiting a cryptographic weakness.

A cryptographic vulnerability in the DoNex ransomware and its variants allowed Avast researchers to develop an effective decryptor, showing how weaknesses found in a ransomware's cryptography can be turned into decryption tools for victims.


The researchers identified a cryptographic vulnerability in the ransomware and its previous versions, including Muse, DarkRace, and the fake LockBit 3.0. This weakness enabled them to develop a decryptor, which they have been providing to victims since March 2024 in collaboration with law enforcement. DoNex, which appeared in early March 2024, has primarily targeted victims in the US, Italy, and Belgium. Since April 2024, no new samples of DoNex have been detected, and its TOR site has been inactive. The decryptor requires victims to provide specific encrypted files and their originals to determine the decryption password. The tool has now been publicly released following the disclosure of the weakness at the Recon 2024 conference.

Key Points:



  • Avast discovered a cryptographic weakness in DoNex ransomware and its variants.
  • A decryptor has been developed and used silently since March 2024.
  • DoNex ransomware appeared in early March 2024 and targeted companies in the US, Italy, and Belgium.
  • No new DoNex samples have been detected since April 2024, and its TOR site is down.
  • Victims need to provide encrypted files and their originals to use the decryptor.
  • The decryptor has a default option to back up encrypted files before decryption.
  • The decryptor was publicly released after the weakness was disclosed at the Recon 2024 conference.


Sources and further reading.


Zorz, Z. (2024, July 8). Decryptor for DoNex, Muse, DarkRace, (fake) LockBit 3.0 ransomware released - Help Net Security. Help Net Security.
https://www.helpnetsecurity.com/2024/07/08/decryptor-donex-muse-darkrace-fake-lockbit-3-0/


Jones, C. (2024, July 8). Avast secretly gave DoNex ransomware decryptors to victims before crims vanished. The Register.
https://www.theregister.com/2024/07/08/avast_secretly_gave_donex_ransomware/
