Donut ransomware - How to remove

Donut virus is ransomware that sneaks into your system unnoticed, encrypts your files with a sophisticated cipher and asks for a cryptocurrency ransom in exchange for a decryptor. It was first reported by the malware researcher @siri_urz on Twitter this Saturday, June 9th, 2018.


While most of us associate donuts with a very pleasant experience, this type of Donut malware is nothing to be happy about. This ransomware is one of the most dangerous threats you can infect your computer with, because not only is it hard to remove, but the encrypted files can’t always be saved. However, our team will help you understand and fix the damage caused by this malicious virus.

What are the characteristics of the Donut virus

Donut virus is based on the open-source Hidden Tear ransomware. That means this malware is not as sophisticated as unique viruses such as CryptoLocker or GandCrab, because it is only a customized copy of the published source code, although it can still do considerable damage.

Just like the other Hidden Tear ransomware variants (ScammerLocker, Sorry, Horros, Krypton), Donut uses the symmetric AES cipher to encrypt the files, sends the encryption key to the crooks’ server and drops a text file on the victim’s Desktop asking for a ransom. It targets personal files (photos, documents, music, videos, etc.) that are valuable to the user, so the victim is more likely to pay the hackers for the decryptor, which is specific to every machine.

When the Donut virus is downloaded onto the computer, it first adds itself to the registry and bypasses the system protection, so that the encryption can run without interruption and the malware stays on the operating system even after a restart.

Once it makes itself comfortable in your Windows or Mac, it runs a scan in the background looking for files with .jpeg, .doc, .pdf, .mp3, .mp4 and similar extensions that indicate personal user files. The Donut ransomware then encrypts these selected files with the AES algorithm and marks them with the .donut extension. You can recognize compromised files because ‘picture.jpg’ becomes ‘picture.jpg.donut’.
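The naming pattern above is enough to triage a suspected infection. The following script is an added example (not code from the page’s authors or from the ransomware): it walks a directory tree, lists every file renamed with the .donut suffix, recovers the original file name, counts the damage per original extension and flags any text file that carries the ransom-note wording quoted on this page. The sample directory it builds is constructed for the demonstration.

```python
import os
import tempfile
from collections import Counter
from pathlib import Path

# Marker taken from the ransom note quoted on this page.
NOTE_MARKER = "ENCRYPTED by DONUT Ransomware"
ENCRYPTED_SUFFIX = ".donut"


def triage_tree(root):
    """Report Donut-style damage under `root`: each .donut file with the
    original name it was renamed from, a count per original extension,
    and any .txt file containing the ransom-note marker."""
    encrypted = []  # (encrypted path, original path)
    notes = []      # paths of ransom notes found
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if name.endswith(ENCRYPTED_SUFFIX):
                # 'picture.jpg.donut' -> 'picture.jpg': strip only the trailing suffix
                original = path.with_name(name[: -len(ENCRYPTED_SUFFIX)])
                encrypted.append((path, original))
            elif path.suffix.lower() == ".txt":
                try:
                    if NOTE_MARKER in path.read_text(errors="ignore"):
                        notes.append(path)
                except OSError:
                    pass  # unreadable file: skip, do not abort the triage
    by_ext = Counter(orig.suffix.lower() or "(none)" for _, orig in encrypted)
    return {"encrypted": encrypted, "by_extension": by_ext, "notes": notes}


def build_sample_tree():
    """Constructed sample profile, not data from a real infection."""
    root = Path(tempfile.mkdtemp(prefix="donut_triage_"))
    (root / "Pictures").mkdir()
    (root / "Docs").mkdir()
    (root / "Pictures" / "picture.jpg.donut").write_bytes(b"\x00" * 16)
    (root / "Pictures" / "holiday.png.donut").write_bytes(b"\x00" * 16)
    (root / "Docs" / "thesis.doc.donut").write_bytes(b"\x00" * 16)
    (root / "Docs" / "untouched.pdf").write_bytes(b"%PDF-1.4")
    (root / "note.txt").write_text("Hi.\nAll your files have been " + NOTE_MARKER + "\n")
    return root


if __name__ == "__main__":
    report = triage_tree(build_sample_tree())
    print(f"{len(report['encrypted'])} encrypted files, {len(report['notes'])} ransom note(s)")
    for ext, n in report["by_extension"].most_common():
        print(f"  {ext}: {n}")
```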

Donut then drops a message on the Desktop explaining what to do to get the locked files back. In this case, the crooks ask for $100 in Bitcoin (0.015 BTC) sent to their virtual wallet. After the transaction, the victim is instructed to send an email to [email protected] with their specific code in order to receive the decryption key.

The Donut virus displays this ransom note:

Hi.

All your files have been ENCRYPTED by DONUT Ransomware
Do you want to restore your files?
Your should buy DonutDecryptor.
Current Price is $100.
For payment your need cryptocurrency BitCoin.
Write to our email – [email protected]
and tell us your unique ID and BitCoin transaction.
Your Uniq ID is: xxxxxxxxxx
BitCoin wallet is: 1MVB7wbeF1yLGRCUmVdgiDWMD7yR

Even though the hackers are the only ones who know the decryption key, you should never pay them, because they can simply scam you by taking the money and giving nothing in return, and later use the same money to develop even more persistent malware. Instead, report this cybercrime to the FBI’s Internet Crime Complaint Center at www.ic3.gov and follow our guide below on how to remove the Donut ransomware.

How is the Donut ransomware distributed

At the moment Donut ransomware is recognized as a malicious threat by 40 out of 68 antivirus engines (virustotal.com). However, Hidden Tear crypto-extortionists are generally hard for antivirus programs to detect because of their small file size and their variety, since the ransomware source code is publicly accessible to anyone.


The main distribution files are named ‘donut.exe’ and ‘donut0806.exe’, and they spread across the internet as malicious email attachments. The campaign is still not as massive as Locky, which sent thousands of infected emails, but there have been quite a few victims so far in the US.

Other than spam emails, Donut can also spread via exploits, malicious advertisements, fake updates, bundled programs, other viruses, unprotected P2P networks, torrents and so on. What is important to know is that Donut ransomware needs only one click to compromise your machine, so prevention is crucial in this case.

How can you resolve a Donut malware infection

At the time of writing there is no specific decryptor for files locked by the Donut ransomware, but you can always check Kaspersky and Heimdal for new decryption tools. Fortunately, there are other methods you can use to try to recover your system from the malicious threat.

The recovery should start with the removal of this sweet crypto-extortionist. That is necessary so the Donut virus does not reinfect the system after the system or file recovery. This parasite has already weakened your PC’s security, making it vulnerable to other malware, so getting rid of it is the most sensible first step.

For the removal, we advise using anti-malware tools such as Spyhunter, Malwarebytes or any other from the list. Even if you already use an antivirus, anti-malware software is different and more effective against this kind of infection. Having an automatic tool saves you a lot of time, since the software performs a full system scan of thousands of files, even in folders that are hard for regular users to access.

Automatic malware removal tools

  • Spyhunter for malware detection (Windows). Note: the Spyhunter trial provides detection of parasites and assists in their removal for free; a limited trial is available, subject to the vendor’s terms of use, privacy policy and uninstall instructions.
  • Combo Cleaner for malware detection (Mac). Note: the Combo Cleaner trial provides detection of parasites and assists in their removal for free; a limited trial is available, subject to the vendor’s terms of use, privacy policy, uninstall instructions and refund policy.

However, if you don’t feel like getting a new program, or you have problems downloading and installing it, you can try removing the Donut threat yourself. As for the encrypted files, we can’t guarantee anything, but because the Donut ransomware is not the most malicious crypto-extortionist, you might try recovering your personal data by restoring Volume Shadow Copies. Here is how.


How to recover Donut ransomware encrypted files and remove the virus

Step 1. Restore the system to the last known good state using System Restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista / XP
  • Start → Shutdown → Restart → OK.
  • Press the F8 key repeatedly until the Advanced Boot Options window appears.
  • Choose Safe Mode with Command Prompt.

for Windows 8 / 10
  • Press Power at the Windows login screen. Then press and hold the Shift key and click Restart.
  • Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
  • When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

2. Restore system files and settings.

  • When Command Prompt mode loads, enter cd restore and press Enter.
  • Then enter rstrui.exe and press Enter again.
  • Click “Next” in the window that appears.
  • Select one of the available Restore Points dated before Donut ransomware infiltrated your system and then click “Next”.
  • To start System Restore, click “Yes”.

Step 2. Complete removal of Donut ransomware

After restoring your system, it is recommended to scan your computer with an anti-malware program such as Spyhunter and remove all malicious files related to Donut ransomware. You can check other tools here.

Step 3. Restore Donut ransomware affected files using Shadow Volume Copies

If you do not use the System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files from the point in time when the system restore snapshot was created. Usually Donut ransomware tries to delete all possible Shadow Volume Copies, so this method may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy: using native Windows Previous Versions or via Shadow Explorer.

a) Native Windows Previous Versions
  • Right-click on an encrypted file and select Properties → Previous Versions tab. You will now see all available copies of that particular file and the time when each was stored in a Shadow Volume Copy.
  • Choose the version of the file you want to retrieve and click Copy if you want to save it to a directory of your own, or Restore if you want to replace the existing, encrypted file. If you want to see the content of the file first, just click Open.

b) Shadow Explorer
  • Shadow Explorer is a program that can be found online for free. You can download either a full or a portable version.
  • Open the program. In the top left corner, select the drive where the file you are looking for is stored. You will see all folders on that drive.
  • To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Donut ransomware encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases, but you can try the following:
  • We suggest using another PC and connecting the infected hard drive as a secondary (slave) drive. It is still possible to do this on the infected PC, though.
  • Download a data recovery program.
  • Install it and scan for recently deleted files.
Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as a precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.