Heimdal
Home > Cybersecurity News

Donut Extortion Group Targets Victims with Double-Extortion Ransomware Attacks

Multiple Companies Already Affected by the Operation.

Last updated on November 23, 2022

article featured image

Contents:

The Donut extortion group has been confirmed by cybersecurity experts to deploy ransomware in double-extortion attacks on organizations. Since August of this year, the extortion group has been linked with attacks on multiple companies such as DESFA, Sheppard Robson, and construction company Sando.

Based on various evidence, it is believed that behind the Donut Leaks there is an affiliate for numerous operations, trying to monetize the data in their own operation. Such suspicions aroused after the data for Sando and DESFA was also posted to the sites of other operations, with Sando being claimed by Hive ransomware, and DESFA by Ragnar Locker.

The Donut Operation: What Is It?

BleepingComputer found a sample of an encryptor for the Donut operation, finding out that the threat group is using its own custom ransomware for double-extortion attacks.

Although the ransomware is still being examined, when it is run, it will look for files with particular extensions to encrypt. Files and folders with the following strings will not be encrypted by the ransomware:

  • Edge
  • ntldr
  • Opera
  • bak
  • Chrome
  • DAT
  • ini
  • AllUsers
  • Chromium
  • bootmgr
  • Windows
  • db
  • ini
  • dat
  • ini
  • efi
  • inf

Example of Files Encrypted by the Donut Ransomware (Source)

The ransom notes deployed by the malware are heavily obfuscated to avoid detection, with all strings encoded and the JavaScript decoding the note in the browser. There are other ways to get in touch with the threat actors listed in these ransom notes, including TOX and a Tor negotiation site.

Donut Ransomware Negotiation Site (Source)

The ransomware operation also includes a “builder” on their data leak site, which is currently broken as it uses HTTPS URLs. The builder consists of a bash script to create a Windows and Linux Electron app with a Tor client bundled to access their leak sites.

This extortion group is one to watch out for, not only for its capabilities but also for its ability to market itself.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu

CONTENT EDITOR

linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

Related Articles

Double Extortion Ransomware: The New NormalLocking Out Cybercriminals: Here’s How to Prevent Ransomware AttacksFBI Reveals: Hive Ransomware Extorted $100M from 1,300 CompaniesDESFA Suffers Cyberattack, Ragnar Locker Ransomware Claims ResponsibilityHow to Mitigate Ransomware?Ransomware Explained. What It Is and How It WorksHTTPS Security 101: What You Need to Know

Leave a Reply

Your email address will not be published. Required fields are marked *

CHECK OUR SUITE OF 11 CYBERSECURITY SOLUTIONS

SEE MORE
linkedin
youtube
facebook
x

resources

company

newsletter

© 2024 Heimdal®

Vat No. 35802495, Vester Farimagsgade 1, 2 Sal, 1606 København V