The D0nut Ransomware uses a cryptographic algorithm that cannot be broken in practice to render its victims' data completely unusable. Files such as documents, images, photos, archives, databases, and many others are effectively locked, and restoring them without the correct decryption keys is practically impossible. The threat actors behind the D0nut Ransomware are financially motivated and will try to extort money from the users or organizations they breach successfully.
Victims of the threat will notice that all affected files are marked by having '.d0nut' attached to their original names as a new file extension. The threat will drop three ransom notes on the infected systems. Two of the ransom-demanding messages will be delivered as files named 'd0nut.html', while a different set of instructions will be shown in a pop-up window.
The two HTML files contain nearly identical instructions. The hackers apparently give their victims 96 hours to establish contact before increasing the ransom they demand for restoring the locked data. In addition, the hackers state that they may decrypt up to 2 files for free, provided the files are less than 2MB in total size and do not contain important information. Two communication channels are mentioned in the ransom note: the Tox chat client, or a dedicated website hosted on the TOR network.
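The two file-system indicators described above (the '.d0nut' extension appended to encrypted files and the 'd0nut.html' ransom note) are enough for a first, read-only triage sweep of a suspected host or share. The following is an added example from the editor, not code from the page or from the ransomware itself; the directory layout it builds is constructed for the dry run, and all function names are the example's own.

```python
"""Read-only sweep for the D0nut indicators: files ending in '.d0nut' and
ransom notes named 'd0nut.html'. Added example; the sample tree is constructed."""
import os
import tempfile

ENCRYPTED_EXT = ".d0nut"         # appended to the original file name, per the page
RANSOM_NOTE_NAME = "d0nut.html"  # name of the dropped HTML ransom note, per the page


def original_name(filename):
    """Strip the appended extension: 'report.docx.d0nut' -> 'report.docx'."""
    if filename.lower().endswith(ENCRYPTED_EXT):
        return filename[: -len(ENCRYPTED_EXT)]
    return filename


def sweep_for_d0nut(root):
    """Walk a tree and collect D0nut indicators without opening any file.

    Deliberately read-only: the ransom note itself warns that altering
    encrypted files may prevent recovery, and an IR sweep should preserve
    evidence rather than modify it.
    """
    findings = {"encrypted_files": [], "ransom_notes": [], "affected_dirs": set()}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(ENCRYPTED_EXT):
                findings["encrypted_files"].append(path)
                findings["affected_dirs"].add(dirpath)
            elif name.lower() == RANSOM_NOTE_NAME:
                findings["ransom_notes"].append(path)
                findings["affected_dirs"].add(dirpath)
    return findings


def summarize(findings):
    """Reduce raw findings to a small dict suitable for a ticket or alert."""
    infected = bool(findings["encrypted_files"] or findings["ransom_notes"])
    return {
        "infected": infected,
        "encrypted_count": len(findings["encrypted_files"]),
        "note_count": len(findings["ransom_notes"]),
        "affected_dir_count": len(findings["affected_dirs"]),
        # Original names are what a restore-from-backup plan needs.
        "original_names": sorted(
            original_name(os.path.basename(p)) for p in findings["encrypted_files"]
        ),
    }


def build_sample_tree(base):
    """Create a constructed directory layout that mimics an infected share."""
    layout = {
        "docs/report.docx.d0nut": b"<constructed ciphertext placeholder>",
        "docs/budget.xlsx.d0nut": b"<constructed ciphertext placeholder>",
        "docs/d0nut.html": b"<html>constructed ransom note</html>",
        "pics/holiday.jpg.d0nut": b"<constructed ciphertext placeholder>",
        "pics/d0nut.html": b"<html>constructed ransom note</html>",
        "clean/readme.txt": b"untouched file",
    }
    for rel, data in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return base


def run_demo():
    """Build the sample tree in a temp dir, sweep it, and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return summarize(sweep_for_d0nut(tmp))


if __name__ == "__main__":
    print(run_demo())
```

Pointing `sweep_for_d0nut` at a real mount or share gives the per-directory blast radius and the list of original file names, which is the input a restore-from-backup plan needs; the sweep never opens or renames anything, in keeping with the evidence-preservation concern the note itself raises.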
The instructions delivered as HTML files are similar to:
'Microsoft Windows [Version 0.0.31337.0.0]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator> powershell Get-EventLog Security
Not so long ago, we discovered a serious problem with your network and decided to help you. So what happened?
All files are encrypted with Integrated Encryption Scheme.
The file structure was not damaged. You have been assigned a unique identifier. After infection, you have 96 hours to declare decryption. After the expiration of 96 hours, decryption cost will be automatically increased.
Now you should send us a message with your personal ID, which is at the bottom of the message. We hope that you understand the importance of the work we have done; if the vulnerability were found by someone else, it is possible that the consequences of the attack could be much more sensitive than the usual payment of money due to us for work.
Before paying you can send us 2 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information (databases, backups, large excel
Attention! If you want to RECOVER YOUR DATA without problems - NEVER reboot, disconnect hard drives or take any action unless you know WHAT YOU ARE DOING!!!
Otherwise, we cannot be 100% sure that the decryptor will work correctly.
THIS IS ESPECIALLY RELATED TO ESXI!!!
If you try to use any third party software for restoring your data or antivirus solutions - this can lead to complete damage to all files and their irrecoverable loss, since it will no longer be possible to restore them. Any changes in encrypted files may entail damage of the private key and, as a result, the loss of all data.
your personal id: F3AA226DACCDA0EF
Username and password are identical to above. Since we are using SSL(https) encryption as well as .onion, the certificate is not properly signed, otherwise our server IP address would be visible to everyone. So in order to get into the chat, you need to confirm the insecure connection exception. Thank you for understanding.
You can download TOX here > hxxps://tox.chat/download.html
You can also write to the chat located in TOR network at:
You can download TOR browser here > hxxps://www.torproject.org/download/
our TOX below >:)
All the best and good mood, I hope you carefully read this message and already know what to do XDXD'
The pop-up window displayed the following ransom note:
'ATTENTION!!! The system is locked.
All data is already encrypted. In order to avoid losses, we recommend that you carefully read the instructions.
Your personal ID: -
It is also the password to access the chat.
Press OK button to download the chat app where you can get more support.
ATTENTION: hxxps://transfer.sh should not be in a blocklist.'