Donut (D0nut) extortion group is launching double-extortion attacks on enterprises. Since its detection in August, the group has been involved in cross-posting of stolen data, indicating an affiliate-based association with several threat groups, including Hive and Ragnar Locker. Now it has launched its own encryptor.

The latest discovery

BleepingComputer researchers have found new samples of an encryptor for Donut ransomware and confirmed that it is using its own customized ransomware in recent attacks.
  • On execution, Donut scans for files matching specific extensions to encrypt. It avoids certain files and specific folders containing the strings for Edge, Opera, Chromium, Windows, thumbs.db, ntuser.ini, and others.
  • After encryption, it adds the .d0nut extension to encrypted files. The Donut Leaks operation uses interesting graphics and humorous content in its ransom notes.

Interesting ransom notes

The ransom notes used in Donut operations are heavily obfuscated with all strings encoded and the JavaScript decoding the ransom note in the browser.
  • One ransomware note was showing a spinning ASCII donut and another pretended to be a command prompt displaying a PowerShell error, which then printed a scrolling ransom note.
  • These notes include different links to TOX and Tor negotiation sites to contact the threat actors.

Additional builder for access

  • In addition to the encryptor, it has developed a builder for an executable with a bundled Tor client to access its data leak sites.
  • The builder consists of a bash script to create a Windows and Linux Electron app that uses HTTPS URLs. The app is currently broken as URLs are non-operational so far.

Past links

In the past, this group has shown some connection or affiliation with several prominent ransomware groups.
  • The ransomware attacks on DESFA, Sheppard Robson, and Sando in August, claimed by the Donut Leaks group, were claimed by Ragnar Locker and Hive group as well, and they also leaked the allegedly stolen data on their respective leak sites.
  • However, BleepingComputer reports that the Donut Leaks site shared far more extensive data, indicating that it was involved in the attacks.

Conclusion

The latest discovery shows that Donut Leaks has worked as an affiliate for numerous operations and now it is developing its own encryption tool to monetize the data. With customized ransomware for double-extortion attacks, the group is capable of becoming a persistent threat. Users are recommended to not pay a ransom as it may not prevent their data from being leaked and could be used to further extortion demands.
Cyware Publisher

Publisher

Cyware