November 23, 2022

The Donut (D0nut) extortion group has revealed its own ransomware for enterprise double-extortion attacks.

To avoid detection, it sends ransom notes that are heavily abstracted, with all strings encoded and the JavaScript decoding the ransom note in the browser. These ransom notes include various methods for contacting the threat actors, such as TOX and a Tor negotiation site.

For double-extortion attacks, the group is said to use its own customized ransomware. Donut spreads via spam emails (malicious attachments), third-party software download sources (freeware download websites, free file hosting sites, peer-to-peer [P2P] networks, and so on), bogus software updaters, and trojans.

Donut then appends the “.donut” extension to each encrypted file’s name. For instance, “sample.jpg” is renamed “sample.jpg.donut.” Data that has been compromised is rendered useless immediately. Donut changes the desktop wallpaper, opens a pop-up window, and generates a text file (“decrypt.txt”), placing a copy in each existing folder after successfully encrypting data.

A ransom-demand message appears on the desktop wallpaper, pop-up window, and text file. The message, as usual, states that the files have been encrypted and that the victim must purchase a decryption tool to restore them. Donut currently does not specify whether it employs symmetric or asymmetric cryptography; this information is not provided. Decryption, on the other hand, requires a unique key generated for each victim. All keys are hidden on a remote server by developers.

When this occurs, victims are encouraged to pay a ransom in exchange for a ‘decryption tool’ containing the key. The fee is $100, which must be paid in Bitcoin cryptocurrency.

The sources for this piece include an article in BleepingComputer.