Decrypted: DoNex Ransomware and its Predecessors


DoNex and its Brothers

The DoNex ransomware has been rebranded several times. The first brand, called Muse, appeared in April 2022. Multiple evolutions followed, resulting in the final version of the ransomware, called DoNex. Since April 2024, DoNex seems to have stopped evolving, as we have not detected any new samples since then. Additionally, the TOR site of the ransomware has been down since that point. The following is a brief history of DoNex.

Apr 2022: The first sample of Muse ransomware
Nov 2022: Rebrand to fake LockBit 3.0
May 2023: Rebrand to DarkRace
Mar 2024: Rebrand to DoNex

All brands of the DoNex ransomware are supported by the decryptor.

DoNex uses targeted attacks against its victims. Based on our telemetry, it was most active in the US, Italy, and Belgium.

