Jump to content
  • Donut extortion group also targets victims with ransomware

    alf9872000

    • 394 views
    • 3 minutes
     Share


    • 394 views
    • 3 minutes

    The Donut (D0nut) extortion group has been confirmed to deploy ransomware in double-extortion attacks on the enterprise.

     

    BleepingComputer first reported on the Donut extortion group in August, linking them to attacks on Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and multinational construction company Sando.

     

    Strangely, the data for Sando and DESFA was also posted to several ransomware operations’ sites, with the Sando attack claimed by Hive ransomware and DESFA claimed by Ragnar Locker.

     

    Unit 42 researcher Doel Santos also shared that the TOX ID used in ransom notes was seen in samples of the HelloXD ransomware.

     

    This cross-posting of stolen data and affiliation leads us to believe the threat actor behind Donut Leaks is an affiliate for numerous operations, now trying to monetize the data in their own operation.

    The Donut ransomware

    This week, BleepingComputer found a sample [VirusTotal] of an encryptor for the Donut operation, aka D0nut, showing that the group is using its own customized ransomware for double-extortion attacks.

     

    The ransomware is still being analyzed, but when executed, it will scan for files matching specific extensions to encrypt. When encrypting files, the ransomware will avoid files and folders containing the following strings:

    Edge
    ntldr
    Opera
    bootsect.bak
    Chrome
    BOOTSTAT.DAT
    boot.ini
    AllUsers
    Chromium
    bootmgr
    Windows
    thumbs.db
    ntuser.ini
    ntuser.dat
    desktop.ini
    bootmgr.efi
    autorun.inf
    

    When a file is encrypted, the Donut ransomware will append the .d0nut extension to encrypted files. So, for example, 1.jpg will be encrypted and renamed to 1.jpg.d0nut, as shown below.

     

    encrypted-files.jpg

    Files encrypted by the Donut Ransomware - Source: BleepingComputer

     

    The Donut Leaks operation has a flair for theatrics, using interesting graphics, a bit of humor, and even offering a builder for an executable that acts as a gateway to their Tor data leak site (see below).

     

    This flair is especially shown in its ransom notes, where they use different ASCII art, such as the spinning ASCII donut below.

     

    ransom-note.gif

    Donut ransom note

     

    Another ransomware note seen by BleepingComputer pretends to be a command prompt displaying a PowerShell error, which then prints a scrolling ransom note.

     

     

    The ransom notes are heavily obfuscated to avoid detection, with all strings encoded and the JavaScript decoding the ransom note in the browser.

     

    These ransom notes include different ways to contact the threat actors, including via TOX and a Tor negotiation site. 

     

    tor-negotiation-site.jpg

    Donut ransom negotiation site - Source: BleepingComputer

     

    The Donut ransomware operation also includes a "builder" on their data leak site that consists of a bash script to create a Windows and Linux Electron app with a bundled Tor client to access their data leak sites.

     

    donut-electron-app.jpg

    D0nut ransomware electron app

     

    This app is currently "broken" as it uses HTTPS URLs, which are not currently operational.

     

    Overall, this extortion group is one to keep an eye out for, not only for their apparent skills but their ability to market themselves.

     


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...