The Donut (D0nut) extortion group has been confirmed to deploy ransomware in double-extortion attacks on the enterprise.
BleepingComputer first reported on the Donut extortion group in August, linking them to attacks on Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and multinational construction company Sando.
Strangely, the data for Sando and DESFA was also posted to several ransomware operations’ sites, with the Sando attack claimed by Hive ransomware and DESFA claimed by Ragnar Locker.
Unit 42 researcher Doel Santos also shared that the TOX ID used in ransom notes was seen in samples of the HelloXD ransomware.
This cross-posting of stolen data and affiliation leads us to believe the threat actor behind Donut Leaks is an affiliate for numerous operations, now trying to monetize the data in their own operation.