February 28, 2025

DonutLeaks Threat Group


A glazed donut with the center designed to resemble a human eye iris, creating an unsettling optical illusion against a black background.

The DonutLeaks threat group, also known as DONUT SPIDER or D#nut Ransomware Team, is a financially motivated cybercriminal entity classified as a Big Game Hunting (BGH) adversary. This group specializes in data extortion and has, in the past, operated a private Ransomware-as-a-Service (RaaS) affiliate program. They are known for developing and utilizing the HelloXD and D0nut (note the zero) ransomware families. Active on underground communities since at least 2021, DonutLeaks has evolved its tactics, shifting from ransomware deployment to a primary focus on data exfiltration and leakage. This shift reflects a broader trend in the cybercriminal landscape, where the risks and complexities of ransomware deployment are increasingly being weighed against the relative ease and profitability of pure data extortion.

Origins & Evolution

DonutLeaks emerged as a significant threat actor around August 2022, initially operating as an affiliate of established ransomware groups like Hive and Ragnar Locker. This initial phase involved leveraging existing ransomware infrastructure and tools. However, they soon transitioned to developing their own custom ransomware encryptor, resulting in files marked with the ".d0nut" extension. This indicated a desire for greater control and potentially higher profits.

In 2024, a significant shift occurred. DonutLeaks moved away from ransomware deployment and encryption, focusing solely on data theft and extortion. This strategic pivot could be attributed to several factors:

  • Increased Law Enforcement Scrutiny: High-profile ransomware attacks and subsequent law enforcement crackdowns (like the disruption of Hive and Ragnar Locker) may have made ransomware deployment too risky.

  • Sanctions Risk: Ransomware attacks increasingly attract sanctions, complicating the process of receiving payments.

  • Shifting Profitability: Data extortion can be quicker and less resource-intensive than deploying and managing ransomware.

  • Departure of Key Personnel: It's possible that individuals with the skills to develop and maintain ransomware left the group, forcing a change in tactics.

This evolution highlights the dynamic nature of the cybercriminal ecosystem, where threat actors constantly adapt to maximize their gains and minimize their risks. The group's presence on underground forums since 2021 demonstrates a consistent commitment to cybercrime, regardless of the specific methods employed.

Tactics & Techniques

DonutLeaks' modus operandi has evolved over time, showcasing a degree of adaptability and strategic thinking. Their tactics can be broken down into key stages:

  • Initial Access: While specific initial access vectors are not always publicly disclosed, common methods used by similar threat actors, and likely employed by DonutLeaks, include:

* Phishing: Targeted spear-phishing emails with malicious attachments or links.

* Exploitation of Vulnerabilities: Targeting unpatched systems and known vulnerabilities, particularly in internet-facing applications like VPNs (as seen in the Lee Enterprises incident).

* Compromised Credentials: Using stolen or leaked credentials, often purchased on the dark web.

* Drive-by Downloads: Using compromised or attacker-controlled websites to deliver malicious payloads (as observed in attacks targeting Israeli entities).

  • Lateral Movement & Privilege Escalation: Once inside a network, DonutLeaks seeks to expand its access and gain control over valuable data. Techniques likely used include:

* Credential Theft: Stealing credentials from compromised machines (as seen in the Silverfort customer attack).

* Exploitation of Weaknesses: Leveraging misconfigurations, shadow admin accounts, and unprotected service accounts (again, highlighted in the Silverfort incident).

* Remote Desktop Protocol (RDP): Using RDP to move laterally between systems.

  • Data Exfiltration: This is now the core of DonutLeaks' operations. They focus on identifying and stealing sensitive data, including:

* Customer data

* Financial records

* Intellectual property

* Internal communications

  • Extortion & Data Leakage: Unlike traditional ransomware operations, DonutLeaks, in its current iteration, does not encrypt data. Instead, they threaten to release the stolen data publicly on dedicated leak sites if a ransom is not paid. This "extortion-only" approach removes the need for decryption keys and simplifies the attack process. The threat of public exposure is often sufficient to pressure victims into paying.

  • Tooling: DonutLeaks has used a combination of open-source and custom tooling:

* Donut: A shellcode generation framework.

* Sliver: An open-source Cobalt Strike alternative, used as the final payload.

* Custom Nim downloader: Delivered via VHD files.

  • Ransom Notes (Historically): When deploying ransomware, DonutLeaks was known for using creative and humorous ransom notes, sometimes incorporating encoded messages, JavaScript, or even images. This may have been an attempt to project a certain image or intimidate victims.

  • TOR Tool (Historically): They developed a tool to create programs with integrated TOR clients, likely to facilitate access to their data leak sites and maintain anonymity. See more about how the TOR network works.

Targets or Victimology

DonutLeaks, particularly in its earlier ransomware-focused operations, exhibited characteristics of a "Big Game Hunting" adversary. This means they tend to target large organizations with the capacity to pay substantial ransoms. Their victimology includes:

  • Industry Focus:

* Healthcare: A frequent target due to the sensitive nature of patient data and the critical need for operational continuity. The surge of healthcare data breaches is alarming.

* Media: Organizations like Lee Enterprises, a major US newspaper publisher, are attractive due to their reliance on real-time operations, public trust, and the potential for significant reputational damage.

* Technology: As seen in the Silverfort customer incident, organizations in the technology sector are also among their targets.

* Other sectors: DESFA (Greek natural gas operator), Sheppard Robson (architectural firm), and Sando (construction company) have also been targeted, demonstrating a broad range.

  • Geographic Focus: While DonutLeaks' operations are not limited to a specific region, they have shown a particular interest in targets in:

* North America: The Lee Enterprises attack highlights their focus on US-based organizations.

* Other regions: Victims in many different countries around the world.

  • Motivations: DonutLeaks is primarily driven by financial gain. Their shift to data extortion further emphasizes this motivation, as it's a more streamlined approach to monetization.

Attack Campaigns

Several notable incidents have been linked to DonutLeaks, showcasing their evolving tactics and impact:

  1. Lee Enterprises (Suspected, February 2024): While not definitively attributed, the ransomware attack on Lee Enterprises, a major US newspaper publisher, exhibited characteristics consistent with DonutLeaks' focus on data exfiltration and targeting of media organizations. The attack resulted in significant operational disruptions and potential financial losses.

  2. Silverfort Customer (Undisclosed Date): This incident, detailed by Silverfort, highlighted DonutLeaks' exploitation of vulnerabilities like unprotected service accounts and shadow admins to achieve lateral movement and data exfiltration. The attack was a double extortion attempt, involving both data theft and encryption.

  3. DESFA, Sheppard Robson, and Sando (August 2022): These early attacks showcased DonutLeaks' initial emergence as a significant data extortion player, marked by aggressive tactics and extensive data leaks.

  4. Israeli Entities (Undisclosed Date, "Supposed Grasshopper" Campaign): This campaign, tracked by HarfangLab, demonstrated the use of open-source tools (Donut, Sliver) and custom infrastructure (compromised WordPress sites) to deliver malware and potentially steal data. The motive remains unclear, with possibilities ranging from espionage to penetration testing.

  5. Dispute with MONTI (Date Unknown): MONTI publicly accused Donut Leaks of not fulfilling a deal.

  6. Dispute with INC Ransomware (Date Unknown): Donut Leaks listed INC Ransomware as a victim on its data leak site, and accused INC of leaking shared data.

Defenses

Protecting against DonutLeaks and similar data extortion groups requires a multi-layered security approach, focusing on prevention, detection, and response:

  • Strong Access Controls:

* Multi-Factor Authentication (MFA): Enforce MFA on all internet-facing systems, particularly VPNs, VDIs, and email accounts. This is crucial for preventing initial access via compromised credentials.

* Principle of Least Privilege: Restrict user access to only the data and systems necessary for their roles. This limits the impact of a potential compromise.

* Service Account Protection: Discover, monitor, and manage service accounts. Implement strict access controls and monitor for anomalous behavior.

* Shadow Admin Mitigation: Identify and review shadow admin accounts. Reduce unnecessary privileges or protect them with MFA.

  • Vulnerability Management:

* Regular Patching: Keep all systems and software up to date with the latest security patches. This is critical for preventing exploitation of known vulnerabilities.

* Vulnerability Scanning: Regularly scan for vulnerabilities in your network and applications. Learn how I assessed vulnerabilities.

  • Network Security:

* Network Segmentation: Divide your network into segments to limit lateral movement in case of a breach.

* Intrusion Detection/Prevention Systems (IDS/IPS): Deploy and maintain IDS/IPS to detect and block malicious network activity.

* Firewall Configuration: Ensure firewalls are properly configured to block unauthorized access.

  • Endpoint Security:

* Endpoint Detection and Response (EDR): Deploy EDR solutions to monitor endpoint activity and detect malicious behavior.

* Antivirus/Anti-malware: Use reputable antivirus/anti-malware software and keep it up to date.

  • Data Security:

* Data Loss Prevention (DLP): Implement DLP solutions to monitor and prevent sensitive data from leaving your network.

* Data Backup and Recovery: Maintain regular, offline backups of critical data. This is essential for recovery in case of data loss or encryption (even though DonutLeaks primarily focuses on extortion, having backups is still a best practice).

  • Security Awareness Training:

* Phishing Awareness: Train employees to recognize and report phishing emails. This is a crucial defense against one of the most common initial access vectors. Consider using phishing simulation.

* Social Engineering Awareness: Educate employees about social engineering tactics and how to avoid being manipulated.

  • Incident Response:

* Develop and Test an Incident Response Plan: Have a plan in place to respond to security incidents quickly and effectively.

* Threat Intelligence: Leverage threat intelligence feeds to stay informed about the latest threats and TTPs used by groups like DonutLeaks.

* SIEM Monitoring: Configure your SIEM to alert on denied MFA attempts, so that credential misuse is noticed before the attacker gets past the second factor.

  • Zero Trust: Adopt a Zero Trust approach to security, verifying every user and device before granting access to resources.

  • Never Pay the Ransom: Paying the ransom does not guarantee the return of data, and may expose the victim to further attacks.
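The service account and shadow admin items above say what to look for but not how to find it. The following Python script is an added example (it is not from the article and not from any vendor tool the article mentions): it resolves nested group membership and control rights (GenericAll, WriteDacl, WriteOwner and similar) over a small constructed directory snapshot and reports accounts that are not in any admin group yet can reach one. The account names, group names and ACEs are all constructed for illustration; the right names mirror common directory ACE types, but the snapshot format is an assumption, not a real export.

```python
"""Shadow-admin discovery over a constructed directory snapshot (added example).

A "shadow admin" is an account that is not a member of an admin group but holds
a right on a privileged group or on an admin's account object that lets it become
one.  We resolve nested group membership, then walk control rights transitively.
"""

# Constructed snapshot (not real data): object -> groups it is a direct member of.
MEMBER_OF = {
    "alice": ["Domain Admins"],
    "Helpdesk": ["Tier1 Ops"],
    "bob": ["Helpdesk"],
    "svc_backup": [],
    "carol": ["Staff"],
}
ACCOUNTS = {"alice", "bob", "svc_backup", "carol"}

# Constructed ACEs: (principal, right, target object).
ACES = [
    ("Tier1 Ops", "GenericAll", "Domain Admins"),  # nested group controls DA
    ("svc_backup", "WriteDacl", "alice"),          # service account can take over a DA
    ("carol", "ReadProperty", "Domain Admins"),    # benign read right
]

ADMIN_GROUPS = {"Domain Admins", "Enterprise Admins"}
# Rights that let the holder take over the target (group or account).
CONTROL_RIGHTS = {"GenericAll", "WriteDacl", "WriteOwner", "Owns",
                  "AllExtendedRights", "ForceChangePassword"}


def effective_groups(name):
    """Transitive group membership of an account or group."""
    seen, stack = set(), list(MEMBER_OF.get(name, []))
    while stack:
        g = stack.pop()
        if g not in seen:
            seen.add(g)
            stack.extend(MEMBER_OF.get(g, []))
    return seen


def is_admin(name):
    """True if the object is (transitively) a member of an admin group."""
    return bool(effective_groups(name) & ADMIN_GROUPS)


def escalation_path(account):
    """Hops (identity, right, target) by which the account reaches an admin group, or None."""
    # identities the account can act as, with the hops that got us there
    reached = {account: []}
    for g in effective_groups(account):
        reached[g] = [(account, "MemberOf", g)]
    frontier = list(reached)
    while frontier:
        ident = frontier.pop()
        if ident in ADMIN_GROUPS:
            return reached[ident]
        for principal, right, target in ACES:
            if principal != ident or right not in CONTROL_RIGHTS:
                continue
            hop = reached[ident] + [(principal, right, target)]
            # controlling an object grants its memberships too
            for obj in [target] + sorted(effective_groups(target)):
                if obj not in reached:
                    reached[obj] = hop if obj == target else hop + [(target, "MemberOf", obj)]
                    frontier.append(obj)
    return None


def find_shadow_admins():
    """Accounts that are not admins but have an escalation path to an admin group."""
    found = {}
    for acct in sorted(ACCOUNTS):
        if is_admin(acct):
            continue
        path = escalation_path(acct)
        if path:
            found[acct] = path
    return found


if __name__ == "__main__":
    for acct, path in find_shadow_admins().items():
        print(acct, "->", " ; ".join(f"{p} {r} {t}" for p, r, t in path))
```

Run as-is it reports bob (via the Tier1 Ops group's GenericAll on Domain Admins) and svc_backup (WriteDacl on alice's account), while carol's read-only right is ignored. Feeding it a real export means replacing the three constructed tables with group membership and DACL data pulled from the directory; the walk itself does not change.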
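The SIEM item above asks for alerting on denied MFA attempts. As an added example (not the article's own, and not tied to any particular SIEM product), here is a small Python detector over constructed key=value authentication log lines: it raises an alert when a user accumulates repeated MFA denials inside a sliding window, and a second alert when an MFA success follows those denials, which is the event a responder most wants to review. The log format, field names, thresholds and sample records are assumptions made for the example.

```python
"""Detect repeated MFA denials (and a success right after them) in auth logs.

Added example.  Log format, field names and thresholds are assumptions; the
sample lines below are constructed, not real telemetry.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (key=value style, as many VPN / IdP exports look).
SAMPLE_LOG = """\
2025-02-28T09:00:05Z user=jdoe src=203.0.113.7 app=vpn event=password_ok
2025-02-28T09:00:09Z user=jdoe src=203.0.113.7 app=vpn event=mfa_denied
2025-02-28T09:01:30Z user=jdoe src=203.0.113.7 app=vpn event=mfa_denied
2025-02-28T09:02:48Z user=jdoe src=203.0.113.7 app=vpn event=mfa_denied
2025-02-28T09:04:01Z user=jdoe src=203.0.113.7 app=vpn event=mfa_ok
2025-02-28T09:10:00Z user=asmith src=198.51.100.4 app=vdi event=mfa_denied
2025-02-28T10:30:00Z user=asmith src=198.51.100.4 app=vdi event=mfa_ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one '<timestamp> k=v k=v ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        rec = dict(kv.split("=", 1) for kv in m.group("kv").split())
        rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return rec


def detect(log_text, burst=3, window=timedelta(minutes=10)):
    """Return alerts as (rule, user, src, ts) tuples, in log order.

    Lines are assumed to be in time order, as a SIEM search would return them.
    """
    alerts = []
    denials = defaultdict(deque)  # user -> timestamps of recent MFA denials
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or "user" not in rec or "event" not in rec:
            continue
        user, ts, ev = rec["user"], rec["ts"], rec["event"]
        q = denials[user]
        while q and ts - q[0] > window:  # drop denials outside the window
            q.popleft()
        if ev == "mfa_denied":
            q.append(ts)
            if len(q) == burst:  # fire once when the threshold is reached
                alerts.append(("mfa_denial_burst", user, rec.get("src"), ts))
        elif ev == "mfa_ok" and q:
            # a success right after denials is the case worth a responder's look
            alerts.append(("mfa_ok_after_denials", user, rec.get("src"), ts))
            q.clear()
    return alerts


if __name__ == "__main__":
    for rule, user, src, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} user={user} src={src}")
```

On the sample data jdoe triggers both rules, while asmith's single denial followed by a success eighty minutes later stays below the burst threshold and outside the window, so it is not reported. The burst size and window are the two knobs to tune against your own baseline of legitimate denials.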

Conclusion

The DonutLeaks threat group represents a significant and evolving threat in the cybercriminal landscape. Their shift from ransomware deployment to pure data extortion demonstrates the adaptability of these groups and the need for organizations to adopt a proactive and multi-layered security approach. By focusing on strong access controls, vulnerability management, network security, data security, and security awareness training, organizations can significantly reduce their risk of falling victim to DonutLeaks and similar threat actors. Staying informed about the latest TTPs and leveraging threat intelligence is crucial for maintaining a robust security posture in the face of this ever-changing threat. One way to achieve that is with security logging.


Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
