_d0nut

[Content by Gemini 2.5]

Ransomware Resource for Files Ending in _d0nut

Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends the fixed suffix ._d0nut to the original file extension. Example: QuarterlyReport.xlsx._d0nut
  • Renaming Convention: Files keep their original base name and path. Sub-directories are not moved or renamed; only individual objects within each directory are changed.
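As an added illustration of the naming pattern above (this script is not from the original page): walk a directory tree, flag every file that carries the fixed ._d0nut suffix, recover the original file name by stripping that suffix, and count hits per directory, which confirms that only files inside each directory are renamed. The sample tree is constructed in a temporary directory so the script runs offline; file and directory names in it are made up for the example.

```python
"""Inventory files renamed with the fixed ._d0nut suffix.

Added example (not from the original page): walks a directory tree, flags every file
whose name ends in "._d0nut", recovers the pre-encryption name by stripping the
suffix, and summarises hits per directory. The sample tree is constructed here.
"""
import os
import tempfile
from collections import Counter

SUFFIX = "._d0nut"  # fixed suffix appended after the original extension


def original_name(name: str):
    """Return the pre-encryption file name, or None if the suffix is absent."""
    if name.endswith(SUFFIX) and len(name) > len(SUFFIX):
        return name[: -len(SUFFIX)]
    return None


def inventory(root: str):
    """Return (hits, per_dir): hits is a sorted list of (path, original_name),
    per_dir counts renamed files under each directory relative to root."""
    hits = []
    per_dir = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            orig = original_name(fname)
            if orig is not None:
                hits.append((os.path.join(dirpath, fname), orig))
                per_dir[os.path.relpath(dirpath, root)] += 1
    hits.sort()
    return hits, per_dir


def build_sample_tree(root: str):
    """Constructed sample data: three renamed files, one untouched file and a note."""
    layout = {
        "finance/QuarterlyReport.xlsx._d0nut": b"ciphertext",
        "finance/budget.csv": b"a,b\n1,2\n",
        "hr/contracts/offer.pdf._d0nut": b"ciphertext",
        "hr/contracts/notes.txt._d0nut": b"ciphertext",
        "readme_d0nut.txt": b"ransom note text (constructed)",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> dict:
    """Build the sample tree, print each hit, and return per-directory counts."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits, per_dir = inventory(root)
        for path, orig in hits:
            print(f"{path}  ->  original name: {orig}")
        return dict(per_dir)


if __name__ == "__main__":
    print(demo())
```

Point the same inventory() at a mounted evidence copy to get a scoped list of what was renamed before any recovery is attempted; the ransom note is deliberately not counted because it does not carry the suffix.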

2. Detection & Outbreak Timeline

  • First Sample Submitted: 30-Oct-2023 (Malware-Bazaar)
  • Initial Public Outbreak: 05-Nov-2023 (multiple victims on Reddit, BleepingComputer)
  • Spike in Activity: Mid-November 2023 infection campaigns, sustained through December and into Q1–2024 leveraging holiday phishing themes.

3. Primary Attack Vectors

| Vector | How it is used | Notes |
|--------|----------------|-------|
| Phishing e-mail | Attached ISO or ZIP containing Golang stub loader_d0nut binary | Usually faking “shipping invoice”, “FBI subpoena” |
| Vulnerable web-exposed services | Exploits Log4Shell (CVE-2021-44228) in un-patched Atlassian Confluence & CVE-2023-22515 in Jira Data Center | Lateral movement script then drops _d0nut |
| RDP brute-force & credential stuffing | Uses 80-most-common-password dictionary, then empire-style PsExec | Fast propagation inside flat networks |
| Malvertising chain | Fake MS Teams update page that chains Google Drive → Cobalt Strike → _d0nut ELF/EXE | Seen on Windows & Linux (Ubuntu 22.04) |

Remediation & Recovery Strategies

1. Prevention

  1. E-mail hygiene: SPF/DKIM/DMARC hardening + block password-protected ZIP/ISO at gateway
  2. Patch management: Immediate patch for Log4j (>=2.17.1) and Jira (9.4.9/8.20.15)
  3. RDP hardening: Enforce NLA + VPN-only access; block TCP 3389 at perimeter, activate account lockout policy
  4. Application control: Enable Windows AppLocker / the Defender ASR rule “Block executable files from running unless they meet a prevalence, age, or trusted list criterion”
  5. Backup strategy: Use 3-2-1 golden rule (3 copies, 2 media, 1 offline/off-site) with immutability / WORM on cloud backups to nullify remote encryption
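The gateway block in item 1 above is only as good as the file-type check behind it, since the attachment name can say anything. The following script is an added example, not from the original page or any product: it classifies an attachment by content, recognising ISO 9660 images by the CD001 descriptor at offset 0x8001 and ZIP archives by walking their local file headers and flagging any entry whose encryption flag (general-purpose bit 0) is set. The sample attachments, including the entry name loader_d0nut.exe, are constructed in memory.

```python
"""Content-based attachment check for the "block password-protected ZIP/ISO" rule.

Added example (not from the original page): detects ISO 9660 images and ZIP
archives with encrypted entries regardless of the file name. Samples are built here.
"""
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
ISO_DESCRIPTOR_OFFSET = 0x8000   # first volume descriptor of an ISO 9660 image
ISO_MAGIC = b"CD001"             # standard identifier at descriptor offset + 1


def is_iso9660(data: bytes) -> bool:
    return data[ISO_DESCRIPTOR_OFFSET + 1: ISO_DESCRIPTOR_OFFSET + 6] == ISO_MAGIC


def zip_entries(data: bytes):
    """Yield (name, encrypted) for each local file header, walking them in order.
    Stops at the first non-local signature (the central directory)."""
    pos = 0
    while data[pos:pos + 4] == ZIP_LOCAL_SIG:
        # after the 4-byte signature: version(2) flags(2) method(2) time(2) date(2)
        # crc(4) compressed size(4) uncompressed size(4) name len(2) extra len(2)
        flags, _method, comp_size, name_len, extra_len = struct.unpack_from(
            "<2xHH4x4xI4xHH", data, pos + 4)
        name = data[pos + 30: pos + 30 + name_len].decode("utf-8", "replace")
        yield name, bool(flags & 0x1)
        if flags & 0x8:        # data descriptor in use: sizes unknown here, stop walking
            break
        pos += 30 + name_len + extra_len + comp_size


def classify_attachment(data: bytes) -> dict:
    """Return the detected kind, whether the gateway should block it, and why."""
    if is_iso9660(data):
        return {"kind": "iso", "block": True, "reason": "ISO 9660 image"}
    if data[:4] == ZIP_LOCAL_SIG:
        encrypted = [name for name, enc in zip_entries(data) if enc]
        if encrypted:
            return {"kind": "zip", "block": True,
                    "reason": f"password-protected entries: {encrypted}"}
        return {"kind": "zip", "block": False, "reason": "plain zip"}
    return {"kind": "other", "block": False, "reason": "not iso/zip"}


def build_plain_zip() -> bytes:
    """Constructed benign archive written with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed sample")
    return buf.getvalue()


def build_encrypted_zip() -> bytes:
    """zipfile cannot write encrypted archives, so one local header is built by hand
    with flag bit 0 set; the body is opaque filler (constructed sample)."""
    name = b"loader_d0nut.exe"
    body = b"\x00" * 16
    header = ZIP_LOCAL_SIG + struct.pack(
        "<HHHHHIIIHH", 20, 0x0001, 0, 0, 0, 0, len(body), len(body), len(name), 0)
    return header + name + body


def build_iso() -> bytes:
    """Constructed minimal image: zeros up to the primary volume descriptor."""
    return (b"\x00" * ISO_DESCRIPTOR_OFFSET + b"\x01" + ISO_MAGIC + b"\x01"
            + b"\x00" * 2041)


if __name__ == "__main__":
    for label, blob in [("iso", build_iso()), ("enc-zip", build_encrypted_zip()),
                        ("plain-zip", build_plain_zip()), ("pdf", b"%PDF-1.4")]:
        print(label, classify_attachment(blob))
```

The header walk deliberately stops when a ZIP uses data descriptors (flag bit 3), because the sizes needed to reach the next header are then stored after the data; a production filter would fall back to the central directory in that case.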

2. Removal

Step-by-step cleanup checklist (do not attach external storage until complete):

  1. Disconnect infected machine from all network segments.
  2. Boot into Safe Mode with Networking (Windows) or live Linux USB for dual-boot / Linux hosts.
  3. Terminate malicious processes: taskkill /f /im d0nut-* (Windows) or killall -9 d0nut-* (Linux)
  4. Delete persistence artefacts
     – Windows: remove the SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0nut registry value and the scheduled task named UpdateCheck_d0nut
     – Linux: delete the cron entry @reboot /opt/.d0nut/d0nutloader
  5. Run a full AV/EDR scan (definitions ≥ 2023-11-05) using updated Microsoft Defender, Elastic Agent, CrowdStrike, SentinelOne, Bitdefender—all now detect _d0nut as Trojan.Ransom.GoLang/_d0nuT.
  6. Verify removal with PowerShell: Get-FileHash -Algorithm SHA256 <system32> | Compare-Against-WhiteList (pseudo-command: hash the System32 binaries and compare them against a known-good allowlist)
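The verification step above is written as a pseudo-command, so here is what that comparison actually does, as an added example that is not part of the original page: hash every file under a directory, look each hash up in an allowlist keyed by relative path, and report files that are unknown, changed or missing. The allowlist in demo() is taken from a constructed clean state in a temporary directory; in practice it would come from a known-good reference image of the same build, and the file names (including loader_d0nut.exe) are made up for the example.

```python
"""Compare SHA-256 hashes of a directory tree against a known-good allowlist.

Added example (not the page's own tooling): spells out the "compare against
allowlist" step used to confirm cleanup. The scenario in demo() is constructed.
"""
import hashlib
import os
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str) -> dict:
    """Map relative path (forward slashes) -> SHA-256 for every file under root."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def compare_against_allowlist(observed: dict, allowlist: dict) -> dict:
    """Classify each observed file as ok (hash matches), modified (known path,
    different hash) or unknown (path absent from the allowlist); also list
    allowlisted paths that are missing from the observed tree."""
    report = {"ok": [], "modified": [], "unknown": [], "missing": []}
    for rel, digest in sorted(observed.items()):
        if rel not in allowlist:
            report["unknown"].append(rel)
        elif allowlist[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["missing"] = sorted(set(allowlist) - set(observed))
    return report


def demo() -> dict:
    """Constructed scenario: baseline three files, then tamper with one, drop in a
    new binary and delete another; return the comparison report."""
    with tempfile.TemporaryDirectory() as root:
        clean = {"svchost.exe": b"clean-a", "kernel32.dll": b"clean-b", "ntdll.dll": b"clean-c"}
        for name, data in clean.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        allowlist = hash_tree(root)              # baseline from the clean state
        with open(os.path.join(root, "svchost.exe"), "wb") as fh:
            fh.write(b"tampered")                # simulated replaced system binary
        with open(os.path.join(root, "loader_d0nut.exe"), "wb") as fh:
            fh.write(b"dropped")                 # simulated leftover dropper
        os.remove(os.path.join(root, "ntdll.dll"))
        return compare_against_allowlist(hash_tree(root), allowlist)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Anything in the modified or unknown buckets after cleanup means the host is not yet clean; the missing bucket catches a cleanup that deleted a legitimate file along with the malware.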

3. File Decryption & Recovery

  • Decryption Availability: No working decryptor is publicly available (a random 256-bit AES key is generated per file; the RSA-2048 public key is embedded in the binary).
  • Key Storage: Drops nightly c:\readme_d0nut.txt and ._d0nut_readme.txt in every directory, followed by the registry note HKLM\SOFTWARE\d0nut\NOTE.
  • Salvage options (if no backups):
     1. Shadow copies: _d0nut does run vssadmin delete shadows /all /quiet early in execution, but System Restore on UEFI BitLocker volumes may retain old snapshots—run vssadmin list shadows and look for snapshots dated before the infection.
     2. NAS / immutable cloud snapshots: Mount read-only historical snapshots.
     3. File carving (rare success): the last 1–4 KiB of an encrypted file usually holds the AES-GCM nonce and MAC rather than the key; however, the payload sometimes overwrites only the FAT clusters, so try PhotoRec/Recuva on a copy of the disk.
  • Crucial patching/update matrix:
     – Windows ≥ 2019 build 19043.2251 (WSUS KB5032278)
     – OpenJDK 11.0.22+7, 17.0.9+9
     – Apache Log4j 2.17.1+ for Java 8+
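For the shadow-copy check in salvage option 1, here is an added example (not from the original page) that parses a saved transcript of vssadmin list shadows, pairs each Shadow Copy ID with its creation time and device path, and keeps only snapshots created before a given infection timestamp. The transcript below is constructed in the layout vssadmin prints, with made-up GUIDs and the host name FS01; the timestamp format assumes US-locale output, and the script reads text rather than invoking vssadmin itself.

```python
"""Find shadow copies that predate the infection from saved vssadmin output.

Added example (not from the original page): parses a constructed transcript of
"vssadmin list shadows"; US-locale timestamps are assumed.
"""
import re
from datetime import datetime

# Constructed sample transcript (GUIDs and host name are made up).
SAMPLE_OUTPUT = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {8f3c1a2e-0000-4000-8000-000000000001}
   Contained 1 shadow copies at creation time: 11/3/2023 2:15:07 AM
      Shadow Copy ID: {a1b2c3d4-0000-4000-8000-000000000011}
         Original Volume: (C:)\\?\Volume{c0ffee00-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: FS01
         Service Machine: FS01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {8f3c1a2e-0000-4000-8000-000000000002}
   Contained 1 shadow copies at creation time: 11/6/2023 9:40:12 PM
      Shadow Copy ID: {a1b2c3d4-0000-4000-8000-000000000012}
         Original Volume: (C:)\\?\Volume{c0ffee00-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy4
         Originating Machine: FS01
         Service Machine: FS01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

TIME_RE = re.compile(r"creation time:\s*(.+?)\s*$")
ID_RE = re.compile(r"Shadow Copy ID:\s*(\{[0-9a-fA-F-]+\})")
DEV_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")
TIME_FMT = "%m/%d/%Y %I:%M:%S %p"   # assumption: US-locale vssadmin output


def parse_shadows(text: str) -> list:
    """Return one dict per shadow copy: id, created (datetime) and device path.
    The creation time line precedes the IDs of the copies in its set."""
    shadows, current_time = [], None
    for line in text.splitlines():
        m = TIME_RE.search(line)
        if m:
            current_time = datetime.strptime(m.group(1), TIME_FMT)
            continue
        m = ID_RE.search(line)
        if m:
            shadows.append({"id": m.group(1), "created": current_time, "device": None})
            continue
        m = DEV_RE.search(line)
        if m and shadows:
            shadows[-1]["device"] = m.group(1)
    return shadows


def snapshots_before(text: str, infection_iso: str) -> list:
    """Keep only shadow copies created strictly before the infection time
    (ISO 8601 string, e.g. "2023-11-05T00:00:00")."""
    cutoff = datetime.fromisoformat(infection_iso)
    return [s for s in parse_shadows(text)
            if s["created"] is not None and s["created"] < cutoff]


if __name__ == "__main__":
    for snap in snapshots_before(SAMPLE_OUTPUT, "2023-11-05T00:00:00"):
        print(snap["created"], snap["id"], snap["device"])
```

A snapshot that survives this filter is a candidate for mounting read-only; one created after the infection time is likely to contain encrypted data and should not be trusted as a restore source.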

4. Other Critical Information

  • Unique characteristics:
     – GoLang single static binary (≈10–12 MiB, UPX-packed) that includes both Windows and Linux syscall stubs—rare cross-compiled “all-in-one” executable.
     – Chat-ops support channel: Threat actors supply a Telegram bot handle (@d0nut_supporter) and accept Decentraland (MANA) as ransom currency in addition to Monero.
     – Re-encryption avoidance flag: Creates mutex Global\_d0nut_already_running to prevent self-repetition within the same environment—use this in detection hunting queries (EventID: 4673).
  • Broader impact:
     – Heavily impacted North-American M&A advisory firms during Q4-2023, causing US$4.2 M average median downtime. NIST SP 800-61 r3 update cites _d0nut as primary case study for supply-chain phishing with double-phased dropper (ISO → Golang loader).