Donut is ransomware that stealthily infiltrates the system and encrypts most stored files.

Payload

Transmission

Donut is distributed through spam emails (malicious attachments), third party software download sources (freeware download websites, free file hosting sites, peer-to-peer [P2P] networks, etc.), fake software updaters, and trojans.

Infection

During encryption, Donut adds the ".donut" extension to the name of each encrypted file. For example, "sample.jpg" is renamed to "sample.jpg.donut". Compromised data immediately becomes unusable. After successfully encrypting data, Donut changes the desktop wallpaper, opens a pop-up window, and generates a text file ("decrypt.txt"), placing a copy in every existing folder.

The desktop wallpaper, pop-up window, and text file contain an identical ransom-demand message. As usual, the message states that files are encrypted and that the victim must purchase a decryption tool to restore them. It is currently unknown whether Donut uses symmetric or asymmetric cryptography, since this information is not provided; however, decryption certainly requires a unique key generated individually for each victim.

Developers hide all keys on a remote server. Therefore, victims are encouraged to pay a ransom in exchange for a 'decryption tool' with the key embedded within. The cost is $100 and must be paid using the Bitcoin cryptocurrency.

Text presented in Donut pop-up window, wallpaper, and text file ("decrypt.txt"):

Hi.
All your files have been ENCRYPTED by DONUT Ransomware.
Do you want to restore your files?
Your should buy DonutDecryptor.
Current Price $100.
For payment your need cryptocurrency BitCoin.
Write to our email - donutmmm @tutanota.com
and tell us your unique ID and BitCoin transaction.
Your Uniq ID is: v0I7l8WfkDzaCz2rW3bJt6TbMqNZDpKz
BitCoin wallet is: 1MVB7wbeF1yLGRCUmVdgiDWMD7yRspJX8C
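A small triage script, added here as an example and not part of the original page, that walks a directory tree for the two on-disk indicators described above: files carrying the appended ".donut" extension and "decrypt.txt" notes recognised by phrases from the ransom message. The sample tree it builds is constructed, and the note phrases used as markers are assumed to be stable across samples.

```python
import os
import tempfile
from pathlib import Path

# Indicators described on the page: appended extension and dropped note name.
DONUT_EXTENSION = ".donut"
NOTE_FILENAME = "decrypt.txt"
NOTE_MARKERS = ("ENCRYPTED by DONUT Ransomware", "DonutDecryptor")  # assumed stable

def is_donut_note(path: Path) -> bool:
    """True if the file body carries a phrase from the Donut ransom note."""
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return False
    return any(marker in text for marker in NOTE_MARKERS)

def triage(root: str) -> dict:
    """Walk a tree and collect Donut indicators: renamed files and note drops."""
    encrypted, notes = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if name.endswith(DONUT_EXTENSION):
                encrypted.append(path)
            elif name.lower() == NOTE_FILENAME and is_donut_note(path):
                notes.append(path)
    return {
        "encrypted_count": len(encrypted),
        "note_folders": sorted(str(n.parent) for n in notes),
        # ".donut" is appended after the real extension, so stripping it
        # recovers the original file name ("sample.jpg.donut" -> "sample.jpg").
        "original_names": sorted(p.name[:-len(DONUT_EXTENSION)] for p in encrypted),
    }

def demo_triage() -> dict:
    """Build a constructed post-infection layout in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "Documents"
        docs.mkdir()
        (docs / "sample.jpg.donut").write_bytes(b"\x00" * 16)
        (docs / "report.docx").write_bytes(b"PK")  # untouched file, must not match
        note = "Hi.\nAll your files have been ENCRYPTED by DONUT Ransomware.\n"
        for folder in (Path(tmp), docs):
            (folder / NOTE_FILENAME).write_text(note)
        return triage(tmp)

if __name__ == "__main__":
    print(demo_triage())
```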