Donut Ransomware
The Donut Ransomware is a file-locking Trojan that holds your media, such as documents, encrypted so that it can demand a ransom. This threat, which is based on Hidden Tear, may be incomplete, but malware experts are confirming that its data-locking attack, as well as elements of its ransoming pop-ups, are functional. Either free decryption software or remote backups can recover any media, and most anti-malware programs should delete the Donut Ransomware immediately.
The Sweet that Turns Bitter for Those Indulging
Threat actors are testing another modification of Utku Sen's Hidden Tear project, which provides flexible, Windows-based code for encrypting media on a PC automatically. While not all components of the Donut Ransomware appear finalized, the Trojan does use a working encryption routine and an accompanying, extension-based way of flagging the files that it captures, and it creates pop-ups that it can use for displaying its ransom or blocking the user interface. Although early samples of the Donut Ransomware are Russia-based, its demands are in English, and malware experts are noting no obvious addition of any geographical, victim-sorting filters.
The Donut Ransomware's encryption, like that of most of the other variants of Hidden Tear, uses an AES cipher as its basis for encoding and 'locking' different types of files automatically. The standardized data filters for Trojans of the Donut Ransomware's family especially target Word and PDF documents, Excel spreadsheets, and JPG, BMP and GIF pictures, along with other media in common use in both recreational and workplace environments. Malware experts recommend searching for any files with the '.donut' extension (for instance: 'hummingbird.gif.donut') to find out which media types the Trojan is blocking.
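The search for '.donut' files that the paragraph above recommends is easy to automate during triage. The script below is an added example for this article, not code from the Trojan or from any vendor tool: it walks a directory tree, collects every file carrying the '.donut' extension, and tallies the original file types by stripping that extension (so 'hummingbird.gif.donut' is counted as a locked '.gif'). The sample file names it creates in a temporary directory are constructed for the demonstration and are not real infection data.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension the Donut Ransomware appends to files it encrypts (from the article).
LOCKED_EXT = ".donut"


def original_type(locked_name):
    """Return the original extension of a file renamed by the Trojan.

    'hummingbird.gif.donut' -> '.gif'. Returns None when the file does not
    carry the '.donut' marker, and '(none)' when the original had no extension.
    """
    p = Path(locked_name)
    if p.suffix.lower() != LOCKED_EXT:
        return None
    return Path(p.stem).suffix.lower() or "(none)"


def summarize_locked(paths):
    """Count locked files by the extension they had before encryption."""
    counts = Counter()
    for name in paths:
        ext = original_type(name)
        if ext is not None:
            counts[ext] += 1
    return dict(counts)


def scan_tree(root):
    """Walk a directory tree and return (locked file paths, per-type summary)."""
    locked = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(LOCKED_EXT):
                locked.append(os.path.join(dirpath, fn))
    return locked, summarize_locked(locked)


def demo():
    """Build a constructed sample tree (placeholder content, not real data) and scan it."""
    sample = [
        "report.docx.donut",
        "budget.xlsx.donut",
        "hummingbird.gif.donut",
        "photo.jpg.donut",
        "notes.txt",              # untouched file, must not be counted
        "sub/scan.pdf.donut",     # nested directory is walked too
    ]
    with tempfile.TemporaryDirectory() as tmp:
        for rel in sample:
            full = Path(tmp, rel)
            full.parent.mkdir(parents=True, exist_ok=True)
            full.write_bytes(b"constructed placeholder")
        locked, summary = scan_tree(tmp)
        return len(locked), summary


if __name__ == "__main__":
    count, by_type = demo()
    print(f"{count} locked files found")
    for ext, n in sorted(by_type.items()):
        print(f"  {ext}: {n}")
```

Run it against the root of a suspect volume (for example `scan_tree(r"C:\Users")` on a Windows system) to get a quick inventory of what was hit; the summary by original type tells a responder whether the damage is confined to the document and image types the family usually filters for, or whether this variant reaches further.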
The Donut Ransomware's payload also includes a currently-unused 2D graphic of a donut and an English-language pop-up window with its threat actor's instructions for the decryptor. The text's grammatical errors point to its author not being a native speaker, and additional formatting issues (such as the sentences clipping the edges of the message window) also imply that the Donut Ransomware isn't ready for release into the wild. Unfortunately, as with most file-locker Trojans, the Donut Ransomware's incompleteness doesn't hamper its data-locking routine.
Keeping a Donut from Taking a Bite Out of You
The Donut Ransomware's installer is an unsigned Windows executable that offers limited information on how its threat actor could go about circulating it. Campaigns for locking files illicitly and ransoming them often use e-mail attachments as primary infection vectors, and malware experts routinely find document-embedded exploits, such as malicious macros, and fake extensions (such as 'example.exe.doc') facilitating such attacks. In addition to such partially-consensual downloads, the victims also may be at risk from RDP-based hacking efforts, which are endemic to industries like the energy sector and medical businesses, and often take advantage of unsafe network passwords.
Due to Hidden Tear's limited cryptographic security and the public-source nature of its code, many members of this family of Trojans are decryptable without paying the threat actors. Although malware researchers have yet to confirm whether the Donut Ransomware is compatible with current, public file-unlocking tools, victims always should contact an appropriate cyber-security expert for decryption help before taking any drastic steps like paying non-refundable Bitcoin ransoms. A robust majority of anti-malware programs to date are deleting the Donut Ransomware on sight, like almost all other releases of Hidden Tear.
There's nothing sweet about Trojans taking advantage of PC owners without any backups, but Hidden Tear makes the production of threats like the Donut Ransomware into quick and easy tasks. Windows owners not wanting to see more Trojans like this one should be using portable or network-based storage solutions and keeping their Bitcoins to themselves.