Ransomware: Decryption tool for Muse, DarkRace and DoNex released

Victims of the Muse, DarkRace and DoNex encryption Trojans can now access their data again without having to pay a ransom.

This article was originally published in German and has been automatically translated.

Security researchers at Avast have discovered a cryptographic weakness in the encryption routine of the Windows ransomware Muse and its descendants. Building on this finding, they have developed a decryption tool, which they are now offering as a free download.

According to the researchers' report, the Muse ransomware has been active since April 2022 and has been rebranded several times since then. From November 2022 the malware circulated as a fake LockBit 3.0. In May 2023 it became DarkRace, and from March 2024 it operated under the name DoNex. The decryption tool is intended to work with all of these variants.

The researchers state that the malware was mainly used in targeted attacks in Italy and the USA, although attacks in Germany have also been observed. The full extent of the attacks is currently unknown. According to the researchers, no new samples of the ransomware have been seen since April 2024, and the group's Tor website has been offline since then.

In their article, the developers of the decryption tool explain how victims can recognize which variant has hit them. After downloading and installing the tool, victims only need to select the folders containing the encrypted files. For the decryption to work, however, victims must also supply the original, unencrypted version of one of the encrypted files, ideally the largest one available.

Only with such a known-plaintext pair can the password cracking process begin. Because this process requires a lot of memory, the researchers recommend using the 64-bit version of the tool. Avast has not yet disclosed where exactly the weakness in the encryption lies.

On the ID Ransomware website, victims can upload a ransom note to find out which ransomware family has hit them and whether a decryption tool already exists. At the time of writing, the service recognizes 1145 ransomware families.

(des)