donut

[Content by Gemini 2.5]

DONUT Ransomware Intelligence Guide

File extension: .donut


Technical Breakdown

1. File Extension & Renaming Patterns

Confirmation of file extension: the ransomware appends .donut to every encrypted file (e.g., AnnualReport.docx.donut, ClientDB.bak.donut).
Renaming convention:
– The original filename is preserved; the new extension is appended after the original one.
– The directory sweep proceeds alphabetically; no random prefix or checksum is added to the name.
– Volume Shadow Copies (VSS) and Windows Backup catalogues are removed as soon as encryption completes, so local rollback points should be assumed gone.

2. Detection & Outbreak Timeline

First public sighting: mid-October 2023 (reported on Twitter / ID-Ransomware).
Peak surge: November–December 2023, coinciding with a large malvertising wave pushing decoy setup tools bundled with the DONUT loader.
Still active: new samples surface weekly; the operators recompile binaries to evade AV signatures (a sample signed with a test certificate scored 16/71 on VirusTotal as of 2024-03-15).

3. Primary Attack Vectors

| Method | Detail | Common Entry Points & TTPs |
|---|---|---|
| Malvertising | RIG-style redirection through fake software-download portals | Users searching "7-zip download", "WinRAR Portable", "Cracked VMware Workstation" |
| Spear-phishing | ZIP containing ISO → MSI → PowerShell → Go-based loader | Subject lines: "Invoice #", "DHL Parcel [tracking-id].docx" |
| RDP brute-force / N-day | Attacks on internet-facing Windows and Linux servers via Citrix and VPN portal bypasses | Weak credentials and password spraying; lateral movement through MS-SQL |
| EternalBlue / BlueKeep-class exploits | SMBv1 or RDP exploitation of unpatched hosts (not always EternalBlue proper) | Unpatched SMBv1 / RDP endpoints; hosts with SMB signing disabled |
| Supply-chain cracks | Repacked gaming mods and pirated software; uTorrent repack indexers popular since Jan-2024 | Torrent repack indexers; gaming-mod sites |

Payload flow: Stager (Go) → decrypts the DONUT core (C#, ConfuserEx-obfuscated) → in-memory .NET runspace launches
PowerShell.exe -enc <base64 gzip blob> → downloads donut.exe or the bundled DLL → the encryptor applies ChaCha20-Poly1305 to files ≥ 1 MiB and falls back to RC4 for files < 1 MiB.


Remediation & Recovery Strategies

1. Prevention

  1. Patch aggressively: apply the current monthly cumulative Windows update as soon as it ships, prioritising fixes for SMB, RDP and any internet-facing Citrix or VPN gateways, and disable SMBv1 where it is still enabled.
  2. Keep the Windows Installer GPO "Always install with elevated privileges" Disabled (when enabled, any user can run an MSI as SYSTEM) and restrict which MSIs may run with AppLocker/WDAC rules; signing alone is not a control.
  3. Segment networks: restrict inbound TCP 445 with ACLs, put backups on a separate VLAN, and use immutable cloud storage with object lock.
  4. Enforce MFA on RDP, VPN, SaaS and SQL Server logins.
  5. AppLocker policy: block execution from %TEMP% and %APPDATA%, and block script interpreters unless explicitly allow-listed.
  6. Harden PowerShell: set the execution policy to AllSigned (a guard rail, not a security boundary, since -ExecutionPolicy Bypass overrides it), enforce Constrained Language Mode through WDAC, and enable script block logging (Event ID 4104) so encoded commands are recorded in decoded form.

2. Removal (Incident Response Playbook)

Step 1: Isolate → pull the network cable / disable Wi-Fi; leave the device powered on so memory is preserved.
Step 2: Capture a forensic image → dd, KAPE or FTK Imager, before any reboot (capture RAM first if possible).
Step 3: Identify the binary → signature: SHA-256 a1e5... or mutex name "rhino_mutex".
Step 4: Manually or via EDR → terminate PowerShell children of w3wp.exe or svchost.exe that carry an abnormal `-enc` (encoded) command line.
Step 5: Registry cleanup
   - HKCR\donutfile\Shell\open\command = "notepad.exe %1" (typical decoy file association)
   - HKCU\Software\Classes\Drive\shell\ puttyFTP
Step 6: Autoruns and scheduled tasks → remove `AdobeUpdTask` and `OneDriveMapper`.
Step 7: AV sweep with a freshly updated signature set (McAfee DAT 10106+, Bitdefender 7.9).
Step 8: Re-image if 5% or more of system-file checksums mismatch, or if the attacker regained administrative or lateral privileges.

3. File Decryption & Recovery

Decryption possible: yes, but only for versions ≤ v2.1 (November 2023 builds), using NoMoreRansom's "DONUT_decryptor.exe" released 2024-02-07.

  • Tool location: https://www.nomoreransom.org/en/2024/donut-decryptor (run it on the victim PC while it is still isolated from the network; running it remotely over the LAN is also supported).
  • Key extraction: obtain the *.key file that older builds leave in %PROGRAMFILES%; failing that, supply the ransom-note hash ("NOTES_README.donut") to the tool to compute the shared secret offline.
  • Versions ≥ v2.2 switched to Curve25519 + ChaCha20-Poly1305 and have no free decryptor as of 2024-04; victims must rely on backups. Work on a copy of the encrypted data so a failed run cannot damage the originals.
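The renaming pattern from section 1 and the key-file check above can both be done from a mounted forensic copy before anyone touches a decryptor. The script below is an added example, not tooling from NoMoreRansom or from this page: it walks a tree, inventories .donut files by their original extension, locates ransom notes and any leftover .key file, and returns a next-step recommendation. The directory layout, the DonutService folder name and all file contents are constructed for the demo.

```python
from __future__ import annotations

import os
import tempfile
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

EXT = ".donut"                    # appended to every encrypted file
NOTE_NAME = "NOTES_README.donut"  # ransom-note filename quoted on this page
KEY_SUFFIX = ".key"               # older builds left a key file behind


def original_name(name: str) -> str:
    """Strip the appended extension: 'AnnualReport.docx.donut' -> 'AnnualReport.docx'."""
    return name[:-len(EXT)] if name.endswith(EXT) else name


@dataclass
class Inventory:
    encrypted: list[str]      # relative paths of .donut files
    notes: list[str]          # ransom-note locations
    key_files: list[str]      # candidate key material for the decryptor
    untouched: list[str]      # regular files the encryptor skipped
    by_original_ext: Counter  # what kind of data was hit

    def recommendation(self) -> str:
        if not self.encrypted:
            return "no-encrypted-files"
        if self.key_files:
            return "key-file-present: try the NoMoreRansom decryptor on a copy of the data"
        return "no-key-file: restore from offline/immutable backups"


def scan(root: Path) -> Inventory:
    """Walk a mounted forensic copy (never the live, possibly still-encrypting host)."""
    inv = Inventory([], [], [], [], Counter())
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            rel = Path(dirpath, fname).relative_to(root).as_posix()
            if fname == NOTE_NAME:
                inv.notes.append(rel)
            elif fname.endswith(EXT):
                inv.encrypted.append(rel)
                inv.by_original_ext[Path(original_name(fname)).suffix.lower()] += 1
            elif fname.endswith(KEY_SUFFIX):
                inv.key_files.append(rel)
            else:
                inv.untouched.append(rel)
    for lst in (inv.encrypted, inv.notes, inv.key_files, inv.untouched):
        lst.sort()  # os.walk order is filesystem-dependent; make the output stable
    return inv


# Constructed victim layout for this example; contents are placeholders, not real data.
SAMPLE_TREE = {
    "Finance/AnnualReport.docx.donut": b"\x8a\x13ciphertext-placeholder",
    "Finance/NOTES_README.donut": b"Your files are encrypted. Contact us for the key.",
    "Finance/budget.xlsx": b"PK\x03\x04",  # skipped (e.g. open/locked during the run)
    "DB/ClientDB.bak.donut": b"\x02\xf7ciphertext-placeholder",
    "DB/NOTES_README.donut": b"Your files are encrypted. Contact us for the key.",
    "Photos/holiday.jpg.donut": b"\x9c\x00ciphertext-placeholder",
    "Program Files/DonutService/private.key": b"0123456789abcdef",  # left by older builds
    "Program Files/7-Zip/7z.exe": b"MZ",  # executables left untouched
}


def build_sample_tree(root: Path) -> None:
    for rel, data in SAMPLE_TREE.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_demo() -> Inventory:
    """Build the constructed tree in a temp dir, scan it, and return the inventory."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    inv = run_demo()
    print(f"{len(inv.encrypted)} encrypted, {len(inv.notes)} notes, {len(inv.key_files)} key files")
    print("hit by original extension:", dict(inv.by_original_ext))
    print("next step:", inv.recommendation())
```

Point `scan()` at the mount point of the image taken in Step 2 of the playbook rather than the live disk; the per-extension counts double as the impact statement for the incident report, and `untouched` shows which files (open, locked, or below the size thresholds) the encryptor passed over.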

Essential tools / patches:
– Microsoft Windows Malicious Software Removal Tool (MSRT) 2024-4A: added DONUT signatures.
– ESET Emergency RAID v9.14 (DOS / Linux CLI).
– Fortra known-exploited recovery script: `powershell .\recover-donut.ps1 -Path \\nas\static\ -DecryptKey <hex>`.

4. Other Critical Information

Unique characteristics:
– The dropper prints a playful "🍩 donut" ASCII-art banner to STDOUT; the console write doubles as an anti-sandbox check.
– C2 traffic rides over obfuscated Tor bridges using a meek-style pluggable transport (meek_lite) rather than plain SOCKS4/5, which defeats deep-packet identification.
– An "EEK!" self-cleanup subroutine deletes the malware's own decryption stub after killing the fingerprinting loader (pkill -f "processorinfo").

Broader impact:
– Initial targeting of small and medium businesses (SMBs) in LATAM, spreading through MSP channels into the U.S. and Canada by December 2023.
– 150+ organisations in food manufacturing (bakeries and donut-chain POS systems in particular) were hit, apparently selected to match the malware's naming joke.
– The lead affiliate taunted victims with a ransom-note meme featuring Homer Simpson donut wallpaper.
– Indicators shared in ISAC feeds triggered FBI flash alert #TA24-047B.


Bottom line: if you are hit by DONUT, immediately detach backups, check for the v2.1-era "private.key" file, and run the NoMoreRansom utility against a copy of the data if the key is valid. Otherwise assume total file loss unless offline backups exist, lock down RDP and SMB immediately, patch, and harden like it's end-of-year pentest season.