Dark Web Profile: DonutLeaks – SOCRadar® Cyber Intelligence Inc.

DonutLeaks emerged in 2022 as a notable data-extortion actor, evolving from affiliations with Hive and Ragnar Locker to developing its own approach and encryptor. The group now emphasizes data exfiltration and publication on leak sites, targeting sectors such as healthcare and high-profile enterprises like DESFA, Sheppard Robson, and Sando, while engaging in inter-group disputes within the ransomware ecosystem. #DonutLeaks #DESFA #SheppardRobson #Sando #Hive #RagnarLocker #MONTI #INC_Ransomware

Keypoints

  • DonutLeaks began in 2022 as a double-extortion actor and expanded from affiliate links to its own ransomware ecosystem.
  • Victims include DESFA (Greek natural gas), UK firm Sheppard Robson, and multinational Sando, illustrating wide industry reach.
  • While early activity included encryption with a distinctive .d0nut extension, recent operations emphasize data exfiltration and public leakage rather than encryption.
  • Ransom notes became more elaborate over time, with decorative designs (including a spinning donut drawn in text) and messages hidden behind encoding and JavaScript, making the notes harder to parse casually while strengthening the extortion signal.
  • Tooling includes a builder that embeds a TOR client inside a standalone program so that the group's data leak sites can be reached without a separate TOR installation, underscoring the group's emphasis on anonymity and reach.
  • DonutLeaks has a history of disputes with other groups (e.g., MONTI) and has publicly asserted its own integrity and operational security in response to accusations.
  • Victimology spans multiple regions and sectors, with healthcare highlighted due to the sensitivity of data involved.

MITRE Techniques

  • [T1486] Data Encrypted for Impact – ‘This customized ransomware, upon execution, selectively encrypts files with specific extensions while avoiding critical system files and directories. Encrypted files bear the distinct “.d0nut” extension’
  • [T1567] Exfiltration Over Web Service – ‘The group shares its victims on the data leak site and displays the victims whose data it publishes in the index section, ready for download.’
  • [T1027] Obfuscated Files or Information – ‘They hide their messages using special techniques, like encoding and JavaScript.’
  • [T1059.007] JavaScript – ‘Some notes even have funny pictures, like a spinning donut made of text. They hide their messages using special techniques, like encoding and JavaScript.’
  • [T1090] Proxy – ‘A tool to create programs with a TOR client inside. This tool helps them reach their data leak sites better’

Indicators of Compromise

  • [File extension] – .d0nut – Encrypted files bear the extension, indicating DonutLeaks’ ransomware activity (example: document.pdf.d0nut).
  • [Credential] – admin cPanel login credentials – Alleged credentials for DonutLeaks’ own admin cPanel surfaced during an inter-group dispute and were later stated to be non-functional. They describe the group's infrastructure, not an artifact expected on a victim host, so they are context rather than something to hunt for in an environment.
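A triage helper for the .d0nut indicator, added here as an example and not part of the SOCRadar profile or any tool of the group: it matches the suffix case-insensitively, recovers the original extension from the double-extension naming shown above (document.pdf.d0nut), and counts hits per directory so a responder can see which shares were touched. The sample paths are constructed for illustration and are not from a real incident.

```python
import os
from collections import Counter
from pathlib import PurePath

# Extension reported for DonutLeaks-encrypted files (from the profile above).
D0NUT_SUFFIX = ".d0nut"

# Constructed sample paths for illustration; not from a real incident.
# Note the negative case "menu.donut" (letter o), which must not match.
SAMPLE_PATHS = [
    "/srv/share/finance/q3-report.pdf.d0nut",
    "/srv/share/finance/budget.xlsx.d0nut",
    "/srv/share/hr/contract.docx.D0NUT",   # upper-case variant still matches
    "/srv/share/hr/notes.txt",
    "/home/alice/menu.donut",              # letter 'o', not the indicator
    "/home/alice/backup.tar.gz.d0nut",
    "/srv/share/README.d0nut",             # no original extension
]


def is_d0nut_path(path):
    """True if the file name ends in .d0nut (case-insensitive)."""
    return PurePath(path).name.lower().endswith(D0NUT_SUFFIX)


def original_extension(path):
    """Extension the file had before encryption, e.g. '.pdf' for
    'a.pdf.d0nut'. Returns '' if the original name had no extension
    and None if the path is not a .d0nut hit at all."""
    name = PurePath(path).name
    if not name.lower().endswith(D0NUT_SUFFIX):
        return None
    stem = name[: -len(D0NUT_SUFFIX)]
    return PurePath(stem).suffix.lower()


def triage(paths):
    """Summarize a list of paths: which files are encrypted, which
    original extensions were hit, and which directories carry the most
    damage. Per-directory counts help confirm the pattern described above
    (user data touched, system directories avoided)."""
    hits = [p for p in paths if is_d0nut_path(p)]
    by_ext = Counter(original_extension(p) for p in hits)
    by_dir = Counter(str(PurePath(p).parent) for p in hits)
    return {
        "count": len(hits),
        "files": hits,
        "by_ext": dict(by_ext),
        "by_dir": dict(by_dir),
    }


def scan_tree(root):
    """Walk a real directory tree and triage every file under it."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            found.append(os.path.join(dirpath, f))
    return triage(found)


if __name__ == "__main__":
    report = triage(SAMPLE_PATHS)
    print(f"{report['count']} encrypted files")
    for d, n in sorted(report["by_dir"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:3d}  {d}")
    for ext, n in sorted(report["by_ext"].items()):
        print(f"  {n:3d}  original extension {ext or '(none)'}")
```

Run `scan_tree("/srv/share")` against a mounted share to get the same summary for real data; the by_ext breakdown also tells you whether the original files are likely recoverable from backups by type.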

Read more: https://socradar.io/dark-web-profile-donutleaks/