BleepingComputer reports that double-extortion attacks launched by the Donut Leaks extortion group also involved ransomware deployment.
BleepingComputer observed the ransomware used by Donut, also known as D0nut, enumerating files for encryption while skipping files matching certain strings; encrypted files have the .donut extension appended.
Meanwhile, Donut Leaks' ransom notes have been found to feature varying ASCII art and to masquerade as a command prompt displaying a PowerShell error. The notes are heavily obfuscated, apparently to evade detection. Donut's data leak site also includes a builder accompanied by a bash script.
Attacks against multinational construction firm Sando, U.K. architectural company Sheppard Robson, and Greek natural gas firm DESFA have been associated with Donut Leaks, but subsequent claims by the Hive and Ragnar Locker ransomware groups on the Sando and DESFA attacks, respectively, suggest that Donut Leaks' operator is an affiliate for other operations.
Malicious QR code messages have also been increasingly leveraged to compromise the education sector, with Office 365 used to send over 15,000 such messages to education entities, a Microsoft Threat Intelligence report showed.
While DumpForums claimed to have breached Dr. Web's corporate GitLab server, mail server, and software management services, the company emphasized that the incident had not resulted in any customer data compromise.
Misconfigured Magento or OpenCart instances may have been targeted to facilitate the deployment of Mongolian Skimmer, which hooks a wide range of browser events so that it captures data across browsers and interaction patterns, while hiding its code behind heavy use of unusual Unicode characters as identifiers.