Gandalf_The_Grey
Translated from Dutch with DeepL: Dutch police have succeeded in cracking the DoNex ransomware, allowing victims to get their files back without paying. During the past Recon 2024 Conference in Canada, the police presented their findings. The first version of the ransomware appeared in 2022, then under the name Muse. Since then, the creators have made several name changes, with DoNex being the latest. No new versions have been detected since April of this year, according to antivirus company Avast.
DoNex is active mainly in the Netherlands, the United States and Italy, according to a survey conducted by the virus protection agency. Like other ransomware groups, the DoNex group has a website on which they post the names of victims. For example, the group claimed an attack on logistics provider Van der Helm through the website. Police investigated the ransomware and, through reverse engineering, managed to find a cryptographic vulnerability that made it possible to decrypt all victims' encrypted files.
"To help victims recover from a ransomware attack, we have published a decryption tool on the NoMoreRansom platform, an initiative by a number of parties, including the Dutch police, to prevent ransomware operators from extorting victims," said Gijs Rijnders, cyber threat intelligence analyst and malware reverse engineer with the police. Antivirus company Avast has also developed a decryption tool. How many victims the DoNex ransomware has claimed is not known.