Donut group unleashes its own ransomware for double extortion attacks

Share post:

The Donut (D0nut) extortion group has revealed its own ransomware for enterprise double-extortion attacks.

To avoid detection, it sends ransom notes that are heavily abstracted, with all strings encoded and the JavaScript decoding the ransom note in the browser. These ransom notes include various methods for contacting the threat actors, such as TOX and a Tor negotiation site.

For double-extortion attacks, the group is said to use its own customized ransomware. Donut spreads via spam emails (malicious attachments), third-party software download sources (freeware download websites, free file hosting sites, peer-to-peer [P2P] networks, and so on), bogus software updaters, and trojans.

Donut then appends the “.donut” extension to each encrypted file’s name. For instance, “sample.jpg” is renamed “sample.jpg.donut.” Data that has been compromised is rendered useless immediately. Donut changes the desktop wallpaper, opens a pop-up window, and generates a text file (“decrypt.txt”), placing a copy in each existing folder after successfully encrypting data.

A ransom-demand message appears on the desktop wallpaper, pop-up window, and text file. The message, as usual, states that the files have been encrypted and that the victim must purchase a decryption tool to restore them. Donut currently does not specify whether it employs symmetric or asymmetric cryptography; this information is not provided. Decryption, on the other hand, requires a unique key generated for each victim. All keys are hidden on a remote server by developers.

When this occurs, victims are encouraged to pay a ransom in exchange for a ‘decryption tool’ containing the key. The fee is $100, which must be paid in Bitcoin cryptocurrency.

The sources for this piece include an article in BleepingComputer.

Featured Tech Jobs



Related articles

Federal Bureau of Investigation (FBI) warns of scammers using AI for sextortion

The FBI has warned about scammers using AI to create explicit deepfake images and videos known as "sextortion." Scammers...

Florida man pleads guilty to selling counterfeit Cisco gear

Onur Aksoy, a 39-year-old entrepreneur from Miami, has confessed to engaging in a massive counterfeit scheme involving Cisco...

Survey reveals insecurity increase in Software-as-a-Service (SaaS) market

A survey conducted by CSA and Adaptive Shield revealed an increase in the amount of security incidents within...

British Airways, BBC, Boots affected by MOVEit vulnerability

British Airways, the BBC, and U.K. pharmacy chain Boots fell victim to a data breach caused by a...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways