Donut Ransomware

The family of file-encrypting malware is getting bigger and bigger by the day, and Donut Ransomware is the latest example discovered by our malware research team. This infection could attack Windows operating systems in different ways, but it looks like misleading spam emails are employed in most cases. Spam emails can be extremely misleading, and even the email address could be created in a way to confuse the target and trick them into thinking that the message is real. This message, of course, is created to trick you into opening the attached file, which is how the ransomware is executed. Due to this, we suggest deleting all spam emails sent by unfamiliar parties without even opening them. If you do open them, do not interact with links or attachments, and do not respond. If you are not capable of protecting your operating system against malware, you might find yourself worrying about the removal of Donut Ransomware. This threat must be erased, and we can help you with the process from start to end.

There are many ransomware infections, and new ones keep emerging every day. Some of the latest examples include Diskdoctor Ransomware, Scarab-Leen Ransomware, and RSA-4096 Ransomware. These threats might have differences in their interfaces or certain features, but they all require removal, and they all want your money. The malicious Donut Ransomware makes that clear using a file named “decrypt.txt,” which you should find in many different folders on your operating system. That is because this file is created in every location where encrypted files exist. When files are encrypted, the “.donut” extension is appended to their names. The version of this malware that was tested in our internal lab could corrupt 456 different types of files, and so if you do not remove Donut Ransomware in time, you can expect it to corrupt all kinds of image, document, and media files. There are some exceptions, of course. For example, the threat does not encrypt files named autorun.inf, boot.ini, bootsect.bak, desktop.ini, iconcache.db, ntuser.dat, ntuser.dat.log, or thumbs.db. It also does not encrypt data in directories whose names include such strings as ProgramData, Program Files, Program Files (x86), Windows, All Users, Local Settings, AppData, lulu, $RECYCLE, or System Volume Information. Unfortunately, if you have found that you need to delete the ransomware, most likely, your most sensitive files are encrypted.

Let’s get back to the “decrypt.txt” file. As mentioned already, this file represents the ransom demands. According to the note, the victims of Donut Ransomware need a tool called DonutDecryptor if they want to have their personal files decrypted. The price of the tool is 100 USD, and the request is to pay it in Bitcoins to the 1MVB7wbeF1yLGRCUmVdgiDWMD7yRspJX8C Bitcoin wallet. At the time of research, 5 transactions had been made to this wallet, and the total amount was 0.05635373 BTC. This converted to around 350 USD. The ransom note also includes an email address (donutmmm@tutanota.com) that victims are urged to email to confirm the transaction and receive a decryptor. Although the steps are pretty clear, and you might be willing to give up $100 to get your files back, you need to remember that you are dealing with cyber criminals. Our experience has shown that victims of ransomware do not get their files decrypted if they follow the demands of cyber criminals. Of course, this leaves you with no other option. That is why we hope your files are backed up, and you can remove Donut Ransomware without any hesitation or delay.

Donut Ransomware encrypts your personal files, introduces you to a ransom note, changes the wallpaper image, and displays an animation of a donut rolling through your Desktop. Without a doubt, it can be quite intimidating, and if you do not have your personal files backed up, you might choose to take the risk of paying the ransom. Our research team does not recommend that because, more likely than not, you would be wasting your money. In any case, you must delete Donut Ransomware, and you can do it manually or using an anti-malware program. The first option is suitable for more experienced users, but even they are advised to employ a legitimate anti-malware program. Why? Because this program is primarily built for the protection of the operating system. Needless to say, as long as it is protected, it will remain malware-free. To make sure that files cannot be harmed in the future, back them up externally or online.

Donut Ransomware Removal

1. Tap keys Ctrl+Alt+Delete and choose Start Task Manager.
2. Click the Processes tab and then find the {unique name} process that represents ransomware.
3. Right-click it, select Open File Location, and then go back to the Task Manager.
4. Select the process and click End process at the bottom.
5. Move to the location of the {unique name}.exe file, right-click it, and choose Delete.
6. Enter %TEMP% into the field at the top to access this directory.
7. Delete two files linked to the ransomware: {unique name}.exe and wallpaper.bmp.
8. Tap keys Win+R to launch RUN and then enter regedit.exe into the field to access Registry Editor.
9. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
10. Delete the value named donut.exe (could be different) linked to the malicious file in step 7.
11. Find and Delete all copies of the ransom note file, decrypt.txt.
12. Empty Recycle Bin and then do not forget to install a trusted malware scanner to check for leftovers.