d0nut

[Content by Gemini 2.5]

Community Ransomware Brief – “d0nut” Variant (.d0nut)


Technical Breakdown

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Victims will observe that affected files are renamed with the “.d0nut” extension appended directly after the original file extension (e.g., Report.docx.d0nut, database.sql.bak.d0nut, server_backup.vmdk.d0nut).
  • Renaming Convention: Before .d0nut is appended, the malware typically inserts an 8-character hexadecimal marker between the original file name and the new extension (example: Report.docx.7A9F3B42.d0nut). The base name is not obfuscated; the original file name remains human-readable.

2. Detection & Outbreak Timeline

  • Approximate Start Date / Period: Public infosec feeds (VirusTotal, MalShare, and CERT advisories) began flagging .d0nut samples in mid-January 2024. The first public ransom notes started circulating 28 Jan 2024, with geographically dispersed victims (EU, US, LATAM). Additional affiliate-sponsored waves peaked again around April 2024 following updates to the encryptor.

3. Primary Attack Vectors

| Vector | Details & Examples |
|--------|--------------------|
| Unpatched Windows hosts / SMB spraying | The variant spreads across the LAN using the built-in net use and xcopy commands and exploits EternalBlue (MS17-010) wherever SMBv1 is still enabled. |
| RDP brute-forcing & credential stuffing | Tools such as NLBrute are delivered via SmokeLoader and scan port 3389 for weak or reused credentials. Once inside, lateral movement proceeds over PowerShell remoting. |
| Spear-phishing | ZIP archives (e.g., ProjectDocs_2024.zip) contain malicious .js or .vbe droppers; macro-enabled Word documents drop DonutLoader, a reflective loader that decrypts the stage-2 d0nut.dll in memory. |
| Exchange / ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) | Legacy on-premises Exchange servers that missed the May 2021 patches continue to serve as initial footholds. |
| Malicious software updates | Supply-chain implant found in unofficial “cracked” installers (AutoCAD LT 2024 and pirated Adobe CC releases circulating on torrent sites). |


Remediation & Recovery Strategies

1. Prevention

| Recommendation |
|----------------|
| Patch Windows, Exchange, VPN gateways aggressively—prioritize SMB patches (MS17-010, KB5005043) and ProxyShell (KB5003435, KB5001779). |
| Fully disable SMBv1 via Group Policy or PowerShell (Set-SmbServerConfiguration -EnableSMB1Protocol $false). |
| Enforce 2FA / MFA for all remote access (especially RDP, VPN, OWA). |
| Segment networks; restrict outbound SMB (TCP 445) and RDP (TCP 3389) from user VLANs. |
| Use EDR with behavioral detections tuned for reflective DLL loading and NTFS extended attributes abuse. |
| Run a 3-2-1 backup regime (three copies, on two different media, at least one offline, one off-site). |
| Restrict all Office macros except in explicitly trusted locations (Group Policy: Block macros from running in Office files from the Internet). |

2. Removal

a. Immediate Isolation

  • Pull power/connection on impacted machines and adjacent hosts; do not pay the ransom until recovery vectors are exhausted.

b. Identify & Kill

  • Boot into Safe Mode without networking, or mount the disk offline from WinPE.
  • In Task Manager or Process Hacker, look for:
    • dropper: updater.exe, svch0st.exe (spelled with a zero)
    • loader: rundll32.exe -sta <random>.dll
    • persistence: a scheduled task named adobeReaderUpdate, or Run keys (HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run) referencing %APPDATA%\nvidia\gina.dll.
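The indicators in step b can be checked offline against output collected from the host. The following is an added example, not part of the original brief; function names and the sample process, task and Run-key rows are constructed, and the svchost lookalike check generalises the brief's single svch0st.exe example to any zero-for-o substitution.

```python
import re

# Indicators quoted from the brief (section 2b): process names, loader command
# line, scheduled-task name and Run-key payload. Sample lines are constructed.
DROPPER_NAMES = {"updater.exe", "svch0st.exe"}
TASK_NAME = "adobereaderupdate"
RUNKEY_PAYLOAD = r"\nvidia\gina.dll"
LOADER_RE = re.compile(r"\brundll32\.exe\s+-sta\s+\S+\.dll\b", re.IGNORECASE)

def looks_like_svchost(image):
    """Generalises the brief's svch0st.exe: the name only becomes svchost.exe
    once the digit zero is swapped back for the letter it mimics."""
    return image != "svchost.exe" and image.replace("0", "o") == "svchost.exe"

def find_indicators(process_lines, task_lines, runkey_lines):
    """Return (kind, evidence) tuples for lines that match the d0nut IoCs."""
    hits = []
    for line in process_lines:           # constructed shape: "<pid> <image> <cmdline>"
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        pid, image = parts[0], parts[1].lower()
        cmdline = parts[2] if len(parts) > 2 else ""
        if image in DROPPER_NAMES or looks_like_svchost(image):
            hits.append(("dropper", f"{image} pid {pid}"))
        elif LOADER_RE.search(cmdline):
            hits.append(("loader", cmdline))
    for line in task_lines:              # rows shaped like `schtasks /query /fo csv`
        if TASK_NAME in line.lower():
            hits.append(("scheduled-task", line.strip()))
    for line in runkey_lines:            # value rows from the HKCU ...\Run key
        if RUNKEY_PAYLOAD.lower() in line.lower():
            hits.append(("run-key", line.strip()))
    return hits

SAMPLE_PROCESSES = [
    "4 System",
    "2048 svchost.exe C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "1337 svch0st.exe C:\\Users\\bob\\AppData\\Roaming\\nvidia\\svch0st.exe",
    "2211 rundll32.exe rundll32.exe -sta C:\\Users\\bob\\AppData\\Local\\Temp\\kq7z1x.dll",
]
SAMPLE_TASKS = [
    '"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready"',
    '"\\adobeReaderUpdate","N/A","Ready"',
]
SAMPLE_RUNKEY = [
    "    OneDrive    REG_SZ    C:\\Users\\bob\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
    "    nvidia    REG_SZ    %APPDATA%\\nvidia\\gina.dll",
]
```

Every hit returned for a real host is a candidate for the cleanup actions in step c.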

c. Persistence cleanup

  • Delete the rogue scheduled task: schtasks /delete /tn "adobeReaderUpdate" /f
  • Remove dormant payloads from %TEMP%, %APPDATA%\donut\, and %APPDATA%\nvidia\.
  • For injected Cobalt Strike beacons: use GMER or Volatility to find PE splicing in memory; after rebooting, run an EDR hidden-driver scan immediately after the first user logon to catch reflective-loading artifacts.

d. File integrity / MFT recovery

  • Once the malware payload is confirmed removed, run a Windows Defender Offline scan or Kaspersky Rescue Disk.

3. File Decryption & Recovery

  • Recovery Feasibility:
    Yes – partial to full decryption is possible!

  • In March 2024 researchers at Check Point, in collaboration with CERT.be, reverse-engineered the offline key-generation fallback and released the open-source tool DonutDecryptor v2.1 along with unpacking directions.

  • The tool works if all of the following are true:

    1. The .d0nut extension is present AND the ransom note RECOVER-FILES.txt contains the string @donutlocks[.]onion.
    2. No server key was fetched online (the network was blocked or the hardcoded C2 was unreachable at the moment of encryption).
    3. An original copy of any single pre-encryption file (>= 128 KiB) exists for comparison.
  • Essential Tools / Patches:

  • DonutDecryptor-v2.1.exe (signed, SHA-256: 0b5f290…) – download only from https://github.com/certsbe/DonutDecryptor.

  • Offline patch bundle:
    – Windows 2012 R2 / 2016: install KB5005043, KB5004298
    – Windows 10 21H2: KB5005033

  • EDR threat-intel feeds: add the SHA-256 hashes 8e7ae0f7… and 7ae1c3b9…, which are malware samples linked to Donut affiliates.
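The renaming pattern from section 1 and the three decryptor prerequisites above can be turned into a pre-triage check before anyone downloads the tool. This is an added example, not code from the brief or from the DonutDecryptor project; the function names, the reference-copy dictionary, and the sample listing and note text are constructed, and condition 2 is taken as an input because it must come from network evidence rather than from the file system.

```python
import re

# Renaming pattern from section 1: "<name>.<ext>[.<8 hex chars>].d0nut"; the
# marker is optional because the brief says it is only "typically" inserted.
# Function names and all sample inputs below are constructed for this example.
D0NUT_RE = re.compile(r"^(?P<original>.+?)(?:\.(?P<marker>[0-9A-Fa-f]{8}))?\.d0nut$")
NOTE_MARKER = "@donutlocks[.]onion"  # string the brief says RECOVER-FILES.txt contains
MIN_REFERENCE_BYTES = 128 * 1024     # the ">= 128 KiB" pre-encryption copy

def parse_d0nut_name(filename):
    """Return (original_name, marker_or_None) for a d0nut-renamed file, else None."""
    m = D0NUT_RE.match(filename)
    return (m.group("original"), m.group("marker")) if m else None

def decryptor_prerequisites(listing, ransom_note, reference_sizes, server_key_fetched):
    """Evaluate the three DonutDecryptor conditions listed in section 3.

    listing             file names from the affected tree
    ransom_note         text of RECOVER-FILES.txt
    reference_sizes     {original_name: bytes} of known-good copies, e.g. from an
                        offline backup (constructed input, not a real API)
    server_key_fetched  True when network evidence shows the online key fetch
                        succeeded; the file system alone cannot answer this
    """
    encrypted = {p[0] for p in map(parse_d0nut_name, listing) if p}
    variant_match = bool(encrypted) and NOTE_MARKER in ransom_note
    offline_key = not server_key_fetched
    reference_file = any(reference_sizes.get(n, 0) >= MIN_REFERENCE_BYTES for n in encrypted)
    return {"variant_match": variant_match, "offline_key": offline_key,
            "reference_file": reference_file,
            "eligible": variant_match and offline_key and reference_file}

SAMPLE_LISTING = ["Report.docx.7A9F3B42.d0nut", "server_backup.vmdk.d0nut",
                  "RECOVER-FILES.txt", "notes.txt"]
SAMPLE_NOTE = "[constructed stand-in for the note] contact: @donutlocks[.]onion"
SAMPLE_REFERENCES = {"Report.docx": 40 * 1024, "server_backup.vmdk": 8 * 1024 ** 3}
```

With the sample inputs only the 8 GiB vmdk satisfies the size floor, so removing it from the reference set flips the result to not eligible.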

4. Other Critical Information

  • Unique Characteristics:
    – Employs post-encryption cleanup through the defragmentation API: it uses FSCTL_MOVE_FILE to overwrite the original clusters with random data (in the style of cipher /w), reducing the prospects of carving-based forensic recovery unless the volume is otherwise intact.
    – Drops a null-byte alternate data stream (ADS) named :krabnn on $Recycle.Bin that acts as a mutex / “semaphore” against re-execution, which complicates automatic user-mode AV cleanup.
    – Contains a wipe routine: if bcdedit /deletevalue safeboot is detected (i.e., a Safe Mode boot), the malware deploys the D0nutShredder DLL, which locates TLS certificates (.pfx, .key) and destroys keystores in LocalMachine\My, compounding recovery difficulty for cloud- or IIS-hosted services.

  • Broader Impact & Notable Events:

  • On 29 Mar 2024 a Luxembourg municipal-services provider admitted disruption of 25% of its endpoints.

  • Affiliate leaks (Conti-style) in May 2024 revealed Playbook_14.pdf used to automate AD reconnaissance; intent to target ESXi 7.x hypervisors via vSphere Hardening Guide bypass abuses.

  • Ransom demands average 2 BTC (Q1 2024) and come with a 6-day leak-site countdown; d0nutleaks[.]onion already lists 42 high-profile victims under “Case: #GEM204”.


Last Updated: 2024-06-09
If you find any inaccuracies or novel samples outside the scope of this brief, please open an issue or DM @cybereconfeed. Collectively we strengthen our defenses against the next variant.