Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Ransomware

What's the Best Strategy for Exploiting Flaws in Ransomware?

Researchers Privately Circulated DoNex Decryptor Before Police Publicized Their Own
What's the Best Strategy for Exploiting Flaws in Ransomware?
Shhh, there's a ransomware decryptor going around. (Image: Shutterstock)

What's the best strategy for handling a known vulnerability in ransomware that helps victims decrypt their files for free?

See Also: 5 Requirements for Modern DLP

Security researchers and law enforcement have two options: stealth or reach. Stealth prolongs the life of the vulnerability and the ability of security teams to exploit it. Reach makes sure that more people know about it, but only so long as it exists.

This wasn't a hypothetical scenario for DoNex ransomware. Dutch National Police published a free decryptor at the end of June, perhaps unaware that a security firm began privately circulating its own decryptor two months earlier.

"Reverse-engineering of a DoNex sample revealed a vulnerability that allowed us to decrypt every encrypted file for victims under a trivial condition," said Gijs Rijnders, who works as a cyberthreat analyst and malware reverse engineer for the Dutch National Police. He publicly detailed the vulnerability in a presentation at the annual Recon 2024 conference in Montreal on June 30 titled "Cryptography Is Hard: Breaking the DoNex Ransomware."

Rijnders' presentation detailed how decrypting DoNex-encrypted files has a few wrinkles, due to its developer's use of intermittent - also known as partial - encryption, which allows the malware to more quickly encrypt files, thus lowering the time available to responders to block the attack (see: Strike Force: Why Ransomware Groups Feel the Need for Speed).

In the case of DoNex, the malicious code only fully encrypts any file it encounters that's less than 1 megabyte. Otherwise, it's designed to encrypt the first 1MB of any file less than 10 MB in size; five different 1 MB blocks for larger files up to 100 MB in size; and 100 blocks of 1 MB each for files over 100 MB in size.

Victims can access the DoNexDecrypt decryptor via the public/private No More Ransom portal after uploading a sample of their crypto-locked files, which the service is designed to identify. Thanks to the free decryptor, victims can "decrypt files affected by DoNex without the need to negotiate with the cybercriminals," Rijnders said.

On Monday, security firm Avast publicly released its own decryptor for DoNex. "In cooperation with law enforcement organizations, we have been silently providing the decryptor to DoNex ransomware victims since March," Avast said in a Monday blog post, which links to its decryptor. "The cryptographic weakness was made public at Recon 2024 and therefore we have no reason to keep this secret anymore."

"I prefer not to publicly disclose details about #ransomware crypto failures, but as this one was already published, we are now sharing our #DoNex decryption tool publicly," Jakub Kroustek, Avast's malware research director, said in a post to the social platform X.

This isn't the first time a group has released a free decryptor after one was already being privately circulated by researchers and law enforcement.

In February, researchers detailed a vulnerability in a Windows version of the Rhysida ransomware and released a free decryptor. "There goes another one," Fabian Wosar, head of ransomware research at Emsisoft, said at the time via the social platform X.

He said that the vulnerability "was independently found by at least three other parties, who chose to circulate it in private instead of seeking publication and alerting Rhysida about their problem." Those parties included Avast, which discovered the vulnerability in October 2023; France's Computer Emergency Response Team in June 2023; and Wosar in May 2023.

Wosar said he used the secret decryptor to rescue "hundreds of systems."

Which approach - stealth or reach - is better isn't obvious. In the stealthy approach, researchers discover a workaround or build a decryption tool and distribute it within a trusted circle of other security researchers, ransomware response firms and law enforcement, so they can collectively help known victims on the sly and not tip off the ransomware group. The benefit is that it delays the ransomware group from learning that its crypto-locking malware has a flaw, because once the crooks cotton on to it, updated malware is sure to follow. The criminals, after all, are wielding ransomware to make money.

The drawback is that not all victims may be aware they could have access to a "get out of jail free" card. That's one reason security researchers recommend that all ransomware victims contact a reputable ransomware-fighting firm to see if any workarounds exist for what hit them. Such firms can also advise organizations that are weighing a ransom payment and share intelligence about how many of their files they're likely to recover, as well as help them negotiate down the attackers' ransom asking price.

Backers of the reach strategy follow a basic template: Security researchers or law enforcement simply publicly release a decryptor. The upside of this strategy is that the decryptor should be easy for any victim to find and access, even if they don't want to involve other organizations. The downside is that the crooks get tipped off that there's a flaw and will typically fix it posthaste, to the detriment of future victims.

Happily for anyone tackling unsolvable philosophical conundrums, the answer in this particular case study may not matter. "Since April 2024, DoNex seems to have stopped its evolution, as we have not detected any new samples since," Avast said on Monday. "Additionally, the Tor site of the ransomware has been down since that point."

Researchers say DoNex is the latest version of a strain of ransomware called Muse, which debuted in April 2022. Multiple evolutions followed, including DarkRace, which researchers say made use of LockBit source code leaked in September 2022 by a developer for that ransomware group.

DarkRace debuted in mid-2023 and practiced double extortion - holding stolen files to ransom in addition to demanding a ransom for a decryption tool - cybersecurity firm Cyble reported in June 2023. By then, it said, DarkRace's data leak site had gone dark after listing only two victims.

Earlier this year, a group called DoNex entered the fray, "utilizing samples that closely resemble those previously used by the DarkRace group, and LockBit by proxy," John Moutos, an intern at SANS Institute, said in an April blog post.

Files encrypted by DoNex get a .VictimID extension added to the end of their filename, said Symantec.

Researchers first spotted DoNex attacks in early March. "The file creation time of the samples is mid-February, so the ransomware may have been distributed prior to the date of the first report," Fortinet reported in April. The earliest victims added to the group's data leak site also appear to date from February.

Data leak blogs never tell the full story, as groups only list nonpaying victims, and even then may be faking victims to try and seem more formidable (see: Ransomware Groups' Data Leak Blogs Lie: Stop Trusting Them).

Whether the same developer or operators are behind Muse, DarkRace or DoNex isn't clear. Whether they rename and reboot their operation, using patched malware, remains an open question.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.eu, you agree to our use of cookies.