Remove Donut Virus (Hidden Tear Ransomware) – Restore .donut Files

Remove Donut Virus (Hidden Tear Ransomware) – Restore .donut Files

Donut Virus image ransomware note .donut extension

The Donut virus is a new descendant of the Hidden Tear ransomware family. Each individual attack can be configured so that it targets the targets specifically. Refer to our in-depth article for a technical analysis and full removal instructions.

Threat Summary

TypeRansomware, Cryptovirus
Short DescriptionThe ransomware encrypts sensitive information on your computer system with the .donut extensions and demands a ransom to be paid to allegedly recover them.
SymptomsThe ransomware will encrypt your files with a strong encryption algorithm.
Distribution MethodSpam Emails, Email Attachments
Detection Tool See If Your System Has Been Affected by Donut


Malware Removal Tool

User ExperienceJoin Our Forum to Discuss Donut.
Data Recovery ToolWindows Data Recovery by Stellar Phoenix Notice! This product scans your drive sectors to recover lost files and it may not recover 100% of the encrypted files, but only few of them, depending on the situation and whether or not you have reformatted your drive.

Donut Virus – Distribution Ways

The Donut virus is a newly discovered virus threat that is being distributed against users worldwide in targeted campaigns. Depending on the targets themselves the hackers can use various strategies. A popular tactic relies on the fact that email messages are among the main carriers of social engineering tricks. This relies on the fact they spread the virus files either attached or hyperlinked in the body contents in some way. The criminals often model them based on common messages that are sent out to clients by popular Internet services. The contained elements can directly lead to the infections or the hackers can produce a link to a payload carrier. They are dangerous instances that lead to Donut virus infections and two of the most popular types are the following:

  • Infected Software Installers — The hackers can embed the virus code into application installers of various types. A typical strain is made by taking the legitimate application installers of famous software from their official vendor sites and modifying them with the virus samples. Examples include system utilities, creativity suites, productivity and office programs and even computer games.
  • Malicious Documents — In a similar way the computer hackers can embed the Donut virus code into various documents: rich text documents, spreadsheets and presentations. The most common method is to use macros that lead to the dangerous infections. Once the files are opened by the victims a notification prompt is spawned which asks the users to enable them. If this is done the scripts will automate the installation of the virus.

Another delivery tactic that can be used by the hackers is the use of browser hijackers. They are malicious web browser plugins that are usually spread on the relevant add-on repositories. They are advertised as useful additions to the web browser and are promoted using elaborate descriptions and false user reviews. One of the reasons why this is an effective way is that the plugins are made compatible with the most popular software: Mozilla Firefox, Google Chrome, Internet Explorer, Microsoft Edge, Safari and Opera. Once they are installed the default home page, search engine and new tabs page redirect the victims to a malicious off-site instance.

The creation of fake download pages and file sharing networks such as BitTorrent can also lead to numerous infections with the Donut virus.

Donut Virus – In-Depth Analysis

The Donut virus is a new instance of the Hidden Tear ransomware family. This is one of the most popular codebases that viruses are being made of. Its entirely open-source and this means that anybody can use it. Due to this fact at the moment the security experts cannot identify the hacker or criminal group behind it.

As it is based on Hidden Tear it uses the very same behavior patterns. The modular main engine can be customized to interact with various components that can be toggled on and off. This means that every attack can be specifically customized and personalized. Future versions of it can have marginally different effects on the computers.

Hidden Tear based infections like the Donut virus can begin with an information gathering component. It uses the built-in tools to harvest sensitive data from the infected host computer which is usually classified into two categories:

  • Personal Information — This type of data can be used to directly expose the identity of the users and/or their machines. The malicious engine is programmed to search for strings that specifically mention any information that is deemed valuable. An example is the victim’s name, address, telephone number, location, interests and passwords.
  • Campaign Metrics — They are gathered in order to assist the hackers into optimizing the attacks. The gathered information usually consists of a profile containing the full hardware information and certain values from the operating system.

The collected data can then be used by the engine to bypass any protective measures that may have been installed. This includes the likes of anti-virus programs, sandbox environments or virtual machine hosts. if such are found they can be entirely removed in certain configurations. Advanced versions of it can be configured to remove themselves if they are unable to complete this step.

The next change to the operating system is the manipulation of the Windows Registry. The virus itself can modify user-installed application entries which can disable certain functionality. If the operating system related entries are affected then overall performance can degrade.

Any Donut virus interactions that are related to persistence installation strategies is the manipulation of the boot options. The malicious engine removes the ability to enter into the recovery menu and makes the Donut virus to automatically start once the computer is powered on. The standard computer behavior is modified in order to make the virus able to manipulate even system processes.

The Donut virus can be configured to establish a network connection with a remote host. This is a hacker-controlled server that turns the infection into a powerful Trojan. It reports the harvested information and can spy on the users in real-time. Consequently it also allows the hackers to deploy additional viruses to the infected hosts.

The reported instances have been found to infect the temporary Windows folder and assume various names so that the users have no way of knowing where the engine is. It can also hookup to system processes which makes it hard to remove.

Donut Virus -Encryption

As soon as the ransomware component is started the familiar Hidden Tear infection tactics are executed. The Donut virus uses a built-in list of target file type extensions that is scanned by the engine. All user data that corresponds with it are encrypted with a powerful cipher(usually AES 256). An example list may include the following data types:

  • Archives
  • Documents
  • Backups
  • Images
  • Music
  • Videos

All affected data is renamed with the .donut extension. A lockscreen instance is then started which takes the form of an application window. This approach is preferred over the use of a standard text-based ransom note. It reads the following message:

All your files have been ENCRYPTED by DONUT Ransomware
Do you want to restore your files?
Your should buy DonutDecryptor.
Current Price $100.
For payment your need cryptocurrency BitCoin.
Write to our email – donutmmm
and tell us your unique ID and BitCoin transaction.
Your Uniq ID is: *****
BitCoin wallet is: 1MVB7wbeF1yLGRCUmVdgiDWMD7yR

Remove Donut Virus and Restore .donut Files

If your computer system got infected with the Donut ransomware virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.


Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.

More Posts - Website

Follow Me:
TwitterGoogle Plus

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share