Donut group unleashes its own ransomware for double extortion attacks

The Donut (D0nut) extortion group has revealed its own ransomware for enterprise double-extortion attacks.

To avoid detection, it sends ransom notes that are heavily abstracted, with all strings encoded and the JavaScript decoding the ransom note in the browser. These ransom notes include various methods for contacting the threat actors, such as TOX and a Tor negotiation site.

For double-extortion attacks, the group is said to use its own customized ransomware. Donut spreads via spam emails (malicious attachments), third-party software download sources (freeware download websites, free file hosting sites, peer-to-peer [P2P] networks, and so on), bogus software updaters, and trojans.

Donut then appends the “.donut” extension to each encrypted file’s name. For instance, “sample.jpg” is renamed “sample.jpg.donut.” Data that has been compromised is rendered useless immediately. Donut changes the desktop wallpaper, opens a pop-up window, and generates a text file (“decrypt.txt”), placing a copy in each existing folder after successfully encrypting data.

A ransom-demand message appears on the desktop wallpaper, pop-up window, and text file. The message, as usual, states that the files have been encrypted and that the victim must purchase a decryption tool to restore them. Donut currently does not specify whether it employs symmetric or asymmetric cryptography; this information is not provided. Decryption, on the other hand, requires a unique key generated for each victim. All keys are hidden on a remote server by developers.

When this occurs, victims are encouraged to pay a ransom in exchange for a ‘decryption tool’ containing the key. The fee is $100, which must be paid in Bitcoin cryptocurrency.

The sources for this piece include an article in BleepingComputer.

IT World Canada Staff
IT World Canada Staff
The online resource for Canadian Information Technology professionals.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web