
New ‘Donut Leaks’ extortion gang linked to recent ransomware attacks
A new data extortion group named ‘Donut Leaks’ is linked to recent cyberattacks, including those on Greek natural gas company DESFA, UK architectural firm Sheppard Robson, and multinational construction company Sando.

Two of the victims disclosed these attacks without saying much about who was behind them.

Over the weekend, DESFA confirmed they suffered a cyberattack after Ragnar Locker leaked screenshots of allegedly stolen data.

Earlier this month, Sheppard Robson disclosed a ransomware attack and an extortion attempt but did not provide details about who hacked its network.

Finally, Hive Ransomware claimed last month to have attacked Sando but only released a small archive of files as ‘proof’ of the attack.

Strangely, the data for these victims has now appeared on the data leak site of a previously unknown extortion gang known as Donut Leaks. Furthermore, the data shared on the Donut Leaks site is far more extensive than what the ransomware sites published, indicating that this new threat actor was involved in the attacks.

Who are Donut Leaks?

BleepingComputer first learned of the Donut Leaks extortion group from an employee of one of the victims, who told us that the threat actors breached the corporate network to steal data.

Once the threat actors finish stealing data, BleepingComputer was told, they email the URLs of their Tor extortion sites to the victim's business partners and employees.

These Tor sites consist of a shaming blog and a data storage site that allows visitors to browse and download all of the stolen, leaked data.
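The notification tactic described above, mailing extortion-site URLs to a victim's partners and staff, is something a mail-security or SOC team can screen for. What follows is an added example written for this article, not code from BleepingComputer or from any tool the gang uses: it extracts Tor hidden-service hostnames from message bodies and flags the messages that carry them. The sample mailbox is constructed, the sender and recipient addresses are hypothetical, and the .onion names in it are made-up base32 strings of the right length, not real sites.

```python
import re
from dataclasses import dataclass, field

# Tor hidden-service hostnames: a v2 name is 16 base32 characters, a v3 name is 56,
# in both cases followed by ".onion". Optional sub-labels (www., blog.) are allowed.
ONION_HOST_RE = re.compile(
    r"\b(?:[a-z0-9-]+\.)*(?:[a-z2-7]{16}|[a-z2-7]{56})\.onion\b",
    re.IGNORECASE,
)


@dataclass
class OnionMailAlert:
    sender: str
    recipient: str
    onion_hosts: list = field(default_factory=list)


def extract_onion_hosts(text):
    """Return the distinct .onion hostnames in text (lowercased, first-seen order)."""
    hosts = []
    for match in ONION_HOST_RE.finditer(text):
        host = match.group(0).lower()
        if host not in hosts:
            hosts.append(host)
    return hosts


def scan_messages(messages):
    """Flag every message whose body references at least one .onion host.

    messages: iterable of dicts with "from", "to" and "body" keys.
    Returns one OnionMailAlert per flagged message, in input order.
    """
    alerts = []
    for msg in messages:
        hosts = extract_onion_hosts(msg["body"])
        if hosts:
            alerts.append(OnionMailAlert(msg["from"], msg["to"], hosts))
    return alerts


# Constructed sample mailbox (hypothetical addresses; the .onion names are made up
# and only have the correct length, they do not point anywhere).
V3_HOST = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion"
V2_HOST = "abcdefghijklmnop.onion"

SAMPLE_MESSAGES = [
    {
        "from": "leaks@example.invalid",
        "to": "finance@partner.example.com",
        "body": (
            "Your supplier has been breached. Read our statement at\n"
            f"http://{V3_HOST}/blog and browse the files at HTTP://{V2_HOST.upper()}/\n"
            f"Mirror: http://{V3_HOST}/blog"
        ),
    },
    {
        "from": "canteen@example.com",
        "to": "staff@example.com",
        "body": "Today's menu: onion rings, soup. Details at https://intranet.example.com/menu",
    },
    {
        "from": "hr@example.com",
        "to": "staff@example.com",
        "body": "Someone posted hxxp://www.abcdefghijklmnop.onion/files on the forum, do not visit it.",
    },
]


if __name__ == "__main__":
    for alert in scan_messages(SAMPLE_MESSAGES):
        print(f"{alert.sender} -> {alert.recipient}: {', '.join(alert.onion_hosts)}")
```

The pattern only checks the shape of the hostname, so it ignores ordinary words like "onion" and mis-sized labels, and it treats the same host in several links as one hit. In practice the alert would be fed to the mail gateway or SIEM and correlated with the sender domain; the example stops at the parsing step so it runs offline.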

The shaming blog currently contains entries for five victims, with all but one containing generic descriptions of the company and a link to their stolen data.

However, for one of the entries, the threat actors appeared to take a more aggressive approach, sharing stolen Christmas party photos and a lengthy rant against the company.

Donut Leaks data leak site
Source: BleepingComputer

The stolen data storage server runs the File Browser application, which lets visitors browse all of the stolen data stored on the server, broken down by victim.

While only five victims are listed on the shaming site, the storage server contains data for what appear to be ten victims.

As you can see below, three of the victims correspond to the attacks disclosed by Sheppard Robson and DESFA and the attack on Sando previously claimed by Hive. BleepingComputer has redacted the names of the other companies, as they have not announced that they suffered a cyberattack.

Donut Leaks data storage server
Source: BleepingComputer

According to the File Browser stats, the threat actors have leaked approximately 2.8 TB of stolen data from these ten victims.

It is unknown whether the threat actors deploy ransomware when breaching networks or are simply a data extortion group.

However, Sheppard Robson did disclose that their recent attack was a ransomware attack.

“As is typical with a ransomware attack, the criminals contacted us for purposes of extortion,” disclosed Sheppard Robson.

“We have refused to pay any money to the attackers as per ICO and NCSC guidance and have reported the incident to the police.”

Furthermore, two different ransomware operations claimed responsibility for DESFA (Ragnar Locker) and Sando (Hive).

This likely means that the threat actor running Donut Leaks is a 'pentester' or affiliate for Hive, Ragnar Locker, and possibly other ransomware operations.

In previous conversations with 'pentesters' for Ragnar Locker, the threat actors told us they work for multiple Ransomware-as-a-Service operations, providing affiliates with access to internal networks. In some cases, these pentesters steal the data and keep it for themselves if they believe it has value.

This new extortion group illustrates how stolen data is making it into the hands of multiple groups, with each trying its own methods to extort victims.

It also shows that paying a ransom demand may not always prevent your data from being leaked and could still lead to further extortion demands.
