Remove Donut Virus (Hidden Tear Ransomware) – Restore .donut Files
THREAT REMOVAL

Remove Donut Virus (Hidden Tear Ransomware) – Restore .donut Files

OFFER

SCAN YOUR PC
with SpyHunter

Scan Your System for Malicious Files
Note! Your computer might be affected by Donut and other threats.
Threats such as Donut may be persistent on your system. They tend to re-appear if not fully deleted. A malware removal tool like SpyHunter will help you to remove malicious programs, saving you the time and the struggle of tracking down numerous malicious files.
SpyHunter’s scanner is free but the paid version is needed to remove the malware threats. Read SpyHunter’s EULA and Privacy Policy

Donut Virus image ransomware note .donut extension

The Donut virus is a new descendant of the Hidden Tear ransomware family. Each individual attack can be configured so that it targets the targets specifically. Refer to our in-depth article for a technical analysis and full removal instructions.

Threat Summary

NameDonut
TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts sensitive information on your computer system with the .donut extensions and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with a strong encryption algorithm.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Donut

Download

Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Donut.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Donut Virus – Distribution Ways

The Donut virus is a newly discovered virus threat that is being distributed against users worldwide in targeted campaigns. Depending on the targets themselves the hackers can use various strategies. A popular tactic relies on the fact that email messages are among the main carriers of social engineering tricks. This relies on the fact they spread the virus files either attached or hyperlinked in the body contents in some way. The criminals often model them based on common messages that are sent out to clients by popular Internet services. The contained elements can directly lead to the infections or the hackers can produce a link to a payload carrier. They are dangerous instances that lead to Donut virus infections and two of the most popular types are the following:

  • Infected Software Installers — The hackers can embed the virus code into application installers of various types. A typical strain is made by taking the legitimate application installers of famous software from their official vendor sites and modifying them with the virus samples. Examples include system utilities, creativity suites, productivity and office programs and even computer games.
  • Malicious Documents — In a similar way the computer hackers can embed the Donut virus code into various documents: rich text documents, spreadsheets and presentations. The most common method is to use macros that lead to the dangerous infections. Once the files are opened by the victims a notification prompt is spawned which asks the users to enable them. If this is done the scripts will automate the installation of the virus.

Another delivery tactic that can be used by the hackers is the use of browser hijackers. They are malicious web browser plugins that are usually spread on the relevant add-on repositories. They are advertised as useful additions to the web browser and are promoted using elaborate descriptions and false user reviews. One of the reasons why this is an effective way is that the plugins are made compatible with the most popular software: Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Safari and Opera. Once they are installed the default home page, search engine and new tabs page redirect the victims to a malicious off-site instance.

The creation of fake download pages and file sharing networks such as BitTorrent can also lead to numerous infections with the Donut virus.

Donut Virus – In-Depth Analysis

The Donut virus is a new instance of the Hidden Tear ransomware family. This is one of the most popular codebases that viruses are being made of. Its entirely open-source and this means that anybody can use it. Due to this fact at the moment the security experts cannot identify the hacker or criminal group behind it.

As it is based on Hidden Tear it uses the very same behavior patterns. The modular main engine can be customized to interact with various components that can be toggled on and off. This means that every attack can be specifically customized and personalized. Future versions of it can have marginally different effects on the computers.

Hidden Tear based infections like the Donut virus can begin with an information gathering component. It uses the built-in tools to harvest sensitive data from the infected host computer which is usually classified into two categories:

  • Personal Information — This type of data can be used to directly expose the identity of the users and/or their machines. The malicious engine is programmed to search for strings that specifically mention any information that is deemed valuable. An example is the victim’s name, address, telephone number, location, interests and passwords.
  • Campaign Metrics — They are gathered in order to assist the hackers into optimizing the attacks. The gathered information usually consists of a profile containing the full hardware information and certain values from the operating system.

The collected data can then be used by the engine to bypass any protective measures that may have been installed. This includes the likes of anti-virus programs, sandbox environments or virtual machine hosts. if such are found they can be entirely removed in certain configurations. Advanced versions of it can be configured to remove themselves if they are unable to complete this step.

The next change to the operating system is the manipulation of the Windows Registry. The virus itself can modify user-installed application entries which can disable certain functionality. If the operating system related entries are affected then overall performance can degrade.

Any Donut virus interactions that are related to persistence installation strategies is the manipulation of the boot options. The malicious engine removes the ability to enter into the recovery menu and makes the Donut virus to automatically start once the computer is powered on. The standard computer behavior is modified in order to make the virus able to manipulate even system processes.

The Donut virus can be configured to establish a network connection with a remote host. This is a hacker-controlled server that turns the infection into a powerful Trojan. It reports the harvested information and can spy on the users in real-time. Consequently it also allows the hackers to deploy additional viruses to the infected hosts.

The reported instances have been found to infect the temporary Windows folder and assume various names so that the users have no way of knowing where the engine is. It can also hookup to system processes which makes it hard to remove.

Donut Virus -Encryption

As soon as the ransomware component is started the familiar Hidden Tear infection tactics are executed. The Donut virus uses a built-in list of target file type extensions that is scanned by the engine. All user data that corresponds with it are encrypted with a powerful cipher(usually AES 256). An example list may include the following data types:

  • Archives
  • Documents
  • Backups
  • Images
  • Music
  • Videos

All affected data is renamed with the .donut extension. A lockscreen instance is then started which takes the form of an application window. This approach is preferred over the use of a standard text-based ransom note. It reads the following message:

Hi.
All your files have been ENCRYPTED by DONUT Ransomware
Do you want to restore your files?
Your should buy DonutDecryptor.
Current Price $100.
For payment your need cryptocurrency BitCoin.
Write to our email – donutmmm @tutanota.com
and tell us your unique ID and BitCoin transaction.
Your Uniq ID is: *****
BitCoin wallet is: 1MVB7wbeF1yLGRCUmVdgiDWMD7yR

Remove Donut Virus and Restore .donut Files

If your computer system got infected with the Donut ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.

Note! Your computer system may be affected by Donut and other threats.
Scan Your PC with SpyHunter
SpyHunter is a powerful malware removal tool designed to help users with in-depth system security analysis, detection and removal of threats such as Donut.
Keep in mind, that SpyHunter’s scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware removal tool to remove the malware threats. Read our SpyHunter 5 review. Click on the corresponding links to check SpyHunter’s EULA, Privacy Policy and Threat Assessment Criteria.

To remove Donut follow these steps:

1. Boot Your PC In Safe Mode to isolate and remove Donut files and objects
2. Find files created by Donut on your PC

IMPORTANT!
Before starting the Automatic Removal below, please boot back into Normal mode, in case you are currently in Safe Mode.
This will enable you to install and use SpyHunter 5 successfully.

Use SpyHunter to scan for malware and unwanted programs

3. Scan for malware and unwanted programs with SpyHunter Anti-Malware Tool
4. Try to Restore files encrypted by Donut

Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...