From decoded.avast.io
DoNex and its Brothers
The DoNex ransomware has been rebranded several times. The first brand, called Muse, appeared in April 2022. Multiple evolutions followed, resulting in the final version of the ransomware, called DoNex. Since April 2024, DoNex seems to have stopped its evolution, as we have not detected any new samples since. Additionally, the TOR site of the ransomware has been down since that point. The following is a brief history of DoNex.
| Apr 2022 | The first sample of Muse ransomware |
| Nov 2022 | Rebrand to fake LockBit 3.0 |
| May 2023 | Rebrand to DarkRace |
| Mar 2024 | Rebrand to DoNex |
All brands of the DoNex ransomware are supported by the decryptor.
DoNex uses targeted attacks on its victims and it was most active in the US, Italy, and Belgium based on our telemetry.