The Donut (D0nut) extortion group has revealed its own ransomware for enterprise double-extortion attacks.
For double-extortion attacks, the group is said to use its own customized ransomware. Donut spreads via spam emails (malicious attachments), third-party software download sources (freeware download websites, free file hosting sites, peer-to-peer [P2P] networks, and so on), bogus software updaters, and trojans.
Donut then appends the “.donut” extension to each encrypted file’s name. For instance, “sample.jpg” is renamed “sample.jpg.donut.” Data that has been compromised is rendered useless immediately. Donut changes the desktop wallpaper, opens a pop-up window, and generates a text file (“decrypt.txt”), placing a copy in each existing folder after successfully encrypting data.
A ransom-demand message appears on the desktop wallpaper, pop-up window, and text file. The message, as usual, states that the files have been encrypted and that the victim must purchase a decryption tool to restore them. Donut currently does not specify whether it employs symmetric or asymmetric cryptography; this information is not provided. Decryption, on the other hand, requires a unique key generated for each victim. All keys are hidden on a remote server by developers.
When this occurs, victims are encouraged to pay a ransom in exchange for a ‘decryption tool’ containing the key. The fee is $100, which must be paid in Bitcoin cryptocurrency.
The sources for this piece include an article in BleepingComputer.