The Donut extortion group uses ransomware to infect victims

December 5, 2022

Researchers have spotted the Donut extortion group running ransomware attacks with double-extortion tactics. A recently found sample of an encryptor attributed to the Donut activity shows that the group uses its own custom-built ransomware to run a double-extortion operation.

The actor's custom ransomware is still being studied. However, initial examination showed that, once its operator executes it, the ransomware scans for files matching specific extensions and encrypts them.

Moreover, while encrypting, the ransomware skips files and folders whose names contain certain strings. The Donut ransomware then appends the [.]d0nut extension to each encrypted file.

Hence an encrypted file, such as an image with a [.]jpg extension, is renamed by the ransomware so that it ends in [.]jpg[.]d0nut.
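The appended [.]d0nut suffix described above is a simple artefact an incident responder can inventory. The following script is an added example, not code from the article or from any vendor report: it walks a directory tree, identifies files carrying the appended suffix, recovers the original file name, and tallies the affected original extensions. The sample tree it builds is constructed for the demonstration and is not real victim data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the reporting attributes to the Donut encryptor.
DONUT_EXT = ".d0nut"


def is_donut_encrypted(name: str) -> bool:
    """True when the file name carries the appended .d0nut suffix."""
    return name.lower().endswith(DONUT_EXT)


def original_name(name: str) -> str:
    """Strip the appended suffix: 'photo.jpg.d0nut' -> 'photo.jpg'."""
    return name[:-len(DONUT_EXT)] if is_donut_encrypted(name) else name


def inventory(root: str) -> dict:
    """Walk root and summarise encrypted files by their original extension.

    Returns a dict with the total count, a per-extension tally keyed on the
    extension the file had before encryption, and the sorted list of paths.
    """
    by_ext = Counter()
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if not is_donut_encrypted(f):
                continue
            orig = original_name(f)
            # Files that had no extension before encryption are grouped as <none>.
            ext = Path(orig).suffix.lower() or "<none>"
            by_ext[ext] += 1
            paths.append(os.path.join(dirpath, f))
    return {"count": len(paths), "by_ext": dict(by_ext), "paths": sorted(paths)}


def build_sample_tree() -> str:
    """Constructed sample tree (not real victim data) used for the demo."""
    root = tempfile.mkdtemp(prefix="donut_demo_")
    layout = [
        "docs/report.docx.d0nut",   # encrypted document
        "docs/notes.txt",           # untouched file
        "pics/holiday.jpg.d0nut",   # encrypted image
        "pics/logo.jpg.d0nut",      # encrypted image
        "pics/README.d0nut",        # encrypted file that had no extension
    ]
    for rel in layout:
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"")
    return root


if __name__ == "__main__":
    summary = inventory(build_sample_tree())
    print(f"{summary['count']} encrypted files found")
    for ext, n in sorted(summary["by_ext"].items()):
        print(f"  {ext}: {n}")
    for path in summary["paths"]:
        print(f"  {path} -> {original_name(os.path.basename(path))}")
```

Run it against a mounted image or a file share export rather than a live host; the per-extension tally is a quick way to see which data types were targeted before any decryptor or restore work begins.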

[Figure: The Donut extortion group uses several kinds of spectacles, such as GIFs.]

The Donut extortion actors have added theatrics such as animation, graphic designs, and humorous images. They even offer a builder for an executable that acts as a gateway to their Tor data leak site.

These features appear mainly in the group's ransom notes, which use various pieces of ASCII art, such as the spinning ASCII donut that researchers saw in one ransom sample.

Furthermore, another type of ransom note from the group displays a command prompt showing a PowerShell error, then slowly reveals a scrolling ransom note to the victim.

The group's ransom notes are obfuscated to evade security detection: all strings are encoded, and JavaScript decodes the ransom note in the web browser.
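Because the note only becomes readable once the browser runs its JavaScript, an analyst wants to recover the text statically rather than open the file. The script below is an added example, not code from the article: it pulls encoded strings out of an HTML note and decodes them without executing any script. The article does not say which encoding Donut uses, so the two forms handled here (`String.fromCharCode(...)` code lists and base64 passed to `atob(...)`) are assumptions, and the sample note is constructed for the demonstration.

```python
import base64
import re

# Assumed encodings: the report only says strings are encoded and decoded by
# JavaScript, so these two common forms are illustrative, not Donut-specific.
FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+)\)")
ATOB = re.compile(r"atob\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_fromcharcode(arg: str) -> str:
    """Turn '89,111,117' into the characters those code points represent."""
    return "".join(chr(int(n)) for n in arg.split(",") if n.strip())


def decode_atob(arg: str) -> str:
    """Decode a base64 literal the way the browser's atob() would."""
    return base64.b64decode(arg).decode("utf-8", errors="replace")


def recover_strings(html: str) -> list[str]:
    """Return every string we can decode from the note, in document order."""
    hits = []
    for m in FROMCHARCODE.finditer(html):
        hits.append((m.start(), decode_fromcharcode(m.group(1))))
    for m in ATOB.finditer(html):
        hits.append((m.start(), decode_atob(m.group(1))))
    return [text for _pos, text in sorted(hits)]


def looks_obfuscated(html: str) -> bool:
    """Cheap triage signal: the note relies on runtime decoding for its text."""
    return bool(FROMCHARCODE.search(html) or ATOB.search(html))


# Constructed sample note (not a real Donut artefact). "Q29udGFjdCB1cyB2aWEgVG94"
# is the base64 of "Contact us via Tox"; the code list spells "Your files".
SAMPLE_NOTE = """<html><body><pre id="n"></pre><script>
var a = String.fromCharCode(89,111,117,114,32,102,105,108,101,115);
var b = atob("Q29udGFjdCB1cyB2aWEgVG94");
document.getElementById("n").textContent = a + " ... " + b;
</script></body></html>"""


if __name__ == "__main__":
    print("obfuscated:", looks_obfuscated(SAMPLE_NOTE))
    for s in recover_strings(SAMPLE_NOTE):
        print("recovered:", s)
```

The decoders are deliberately narrow so that nothing in the note is evaluated; a note using another scheme simply yields no hits, which is itself a cue to look at the script by hand.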

In addition, the ransom notes list several ways to contact the threat actors, such as Tox and a Tor site. The operation also offers a builder on its data leak site: a bash script that builds Linux and Windows Electron applications bundled with a Tor client for reaching the leak sites.

However, the threat actor's app is currently unusable, since it relies on HTTPS URLs that are not operational. Even so, this extortion group belongs at the top of every company's watchlist: it has sophisticated skills and features that could pose a severe threat soon.
