Recon 2024

Cryptography is hard: Breaking the DoNex ransomware
06-30, 09:30–10:00 (US/Eastern), Grand Salon

In recent years, ransomware has been one of the most prolific forms of cybercrime, with financial gain as the primary motive. The problem keeps getting bigger, with a new operation appearing almost every month. While reverse engineering ransomware is fun, it also serves a greater purpose: can we find a vulnerability that allows us to decrypt a victim's files without interacting with the criminals?

Enter the DoNex ransomware, a new operation that has entered the scene very recently. It runs a leak website on the dark web where some victims have been named and shamed. Reverse engineering of a DoNex sample revealed a vulnerability that allowed us to decrypt every encrypted file for a victim, under a trivial condition. To help victims recover from a ransomware attack, we published a decryption tool on the NoMoreRansom platform, an initiative from a number of parties, including the Dutch National Police, to keep ransomware operators from extorting victims.

In this talk, we dive into the technical details of DoNex and how we exploited a vulnerability in its cryptographic implementation to decrypt affected files without negotiating with the cybercriminals.

See also: Slides (1.9 MB)

Gijs is a cyber threat intelligence analyst and malware reverse engineer at the Dutch National Police, where he defends the Police organization from cyber attacks. He previously worked at the CERT of Tesorion, a Dutch cyber security company, where he reverse engineered various ransomware families and published decryption tools through the NoMoreRansom initiative to help victims recover from attacks.