D0nut Ransomware Uses HTML Ransom Note

D0nut is a new strain of ransomware that was discovered in late November 2022.

The new variant does not belong to a larger family of clones. The ransomware encrypts the victim's files and drops its ransom demands inside an HTML file.

The file types it encrypts include media files, documents, archives and databases. Windows files are left intact.

Once a file is encrypted, it receives the ".d0nut" extension. This will turn a file named "document.doc" into "document.doc.d0nut" upon successful encryption.

The lengthy ransom note is deposited inside a file called "d0nut.html" and reads as follows:

Microsoft Windows [Version 0.0.31337.0.0]

(c) Microsoft Corporation. All rights reserved.

C:\Users\Administrator> powershell Get-EventLog Security

C:\Users\Administrator> Error..

Not so long ago, we discovered a serious problem with your network and decided to help you. So what happened?

All files are encrypted with Integrated Encryption Scheme.

The file structure was not damaged. You have been assigned a unique identifier. After infection, you have 96 hours to declare decryption. After the expiration of 96 hours, decryption cost will be automatically increased.

Now you should send us message with your personal ID, which is at the bottom of the message.We hope that you understand the importance of the work we have done, if the vulnerability were found by someone else, it is possible that the consequences of the attack could be much more sensitive than the usual payment of money due to us for work.

Before paying you can send us 2 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information (databases, backups, large excel

Attention! If you want to RECOVER YOUR DATA without problems - NEVER reboot, disconnect hard drives or take any action unless you know WHAT YOU ARE DOING!!!

Otherwise, we cannot be 100% sure that the decryptor will work correctly.


If you will try to use any third party software for restoring your data or antivirus solutions - this can lead to complete damage to all files and their irrecoverable loss, since it will no longer be possible to restore them. Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.

your personal id: F3AA226DACCDA0EF

Username and password are identical to above. Since we are using SSL(https) encryption as well as .onion, the certificate is not properly signed, otherwise our server IP address would be visible to everyone. So in order to get into the chat, you need to confirm the insecure connection exception. Thank you for understanding.

You can download TOX here > hxxps://tox.chat/download.html

You can also write to the chat located in TOR network at:


You can download TOR browser here > hxxps://www.torproject.org/download/

our TOX below >:)


All the best and good mood, I hope you carefully read this message and already know what to do XDXD
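The two file-system indicators described in this article (the appended ".d0nut" extension and the "d0nut.html" note) are enough for a first triage pass over a suspect volume. The following Python sketch is an added example, not code from the article or from the malware: it lists affected files with their original names and pulls the victim ID out of any note it finds. The function names, the sample tree and the assumption that the ID is a hexadecimal string (inferred from the single note quoted above) are illustrative.

```python
import os
import re
import tempfile

ENC_EXT = ".d0nut"        # extension appended to encrypted files (from the article)
NOTE_NAME = "d0nut.html"  # ransom note file name (from the article)
# Assumption: the ID is a hex string, as in the one note quoted in the article.
ID_RE = re.compile(r"your personal id:\s*([0-9A-Fa-f]+)", re.IGNORECASE)

def triage(root):
    """Walk root and return encrypted files, ransom notes and victim IDs found."""
    report = {"encrypted": [], "notes": [], "ids": set()}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lower = name.lower()
            if lower == NOTE_NAME:
                report["notes"].append(path)
                try:
                    with open(path, "r", encoding="utf-8", errors="replace") as fh:
                        text = fh.read(1 << 20)  # cap the read at 1 MiB
                    report["ids"].update(m.upper() for m in ID_RE.findall(text))
                except OSError:
                    pass  # unreadable note: keep the path, skip ID extraction
            elif lower.endswith(ENC_EXT) and len(name) > len(ENC_EXT):
                # The original name is the file name minus the appended extension.
                report["encrypted"].append((path, name[:-len(ENC_EXT)]))
    return report

def build_sample(root):
    """Constructed sample tree for the demo; not real victim data."""
    os.makedirs(os.path.join(root, "docs"))
    for rel in ("document.doc.d0nut", "photo.jpg.d0nut", "untouched.txt"):
        with open(os.path.join(root, "docs", rel), "wb") as fh:
            fh.write(b"\x00" * 16)
    with open(os.path.join(root, "docs", NOTE_NAME), "w", encoding="utf-8") as fh:
        fh.write("<html><body>your personal id: F3AA226DACCDA0EF</body></html>")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        return triage(root)

if __name__ == "__main__":
    result = demo()
    for path, original in result["encrypted"]:
        print(f"encrypted: {path} (was {original})")
    print("notes:", result["notes"], "ids:", sorted(result["ids"]))
```

Run it against a read-only mount or a forensic image rather than the live system, so that triage does not alter file timestamps on the affected host.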

November 24, 2022