Researchers have described a new extortionist group, Donut Leaks (Don#t Leaks), which is somehow connected to the recent attacks on the Greek state company Desfa (the exclusive operator of the Greek national gas transmission system), the British architectural firm Sheppard Robson and the international construction company Sando.
The fact is that earlier the Ragnar Locker ransomware operators took responsibility for the attack on Desfa, and the Hive group was behind the attack on Sando, which has already published a small archive with files on its website on the darknet as “proof” of the hack.
And what about Donut Leaks? The publication Bleeping Computer says that the data stolen from the mentioned companies was published on the website of this previously unknown group. Moreover, the dumps published by Donut Leaks are more extensive than those posted on the Ragnar Locker and Hive sites. This means that the new group is also somehow involved in these attacks.
For the first time, journalists heard about Donut Leaks from an employee of one of the victim companies. The fact is that after hacking and stealing data, hackers sent the URLs of their extortionate resources to business partners and employees of the victim company. The links lead to a blog and a data storage portal that allows visitors to view and download all the information stolen from victims and leaked online.
The hackers’ blog currently lists five victims, with all but one providing a general description of the company and a link to the stolen data. At the same time, the journalists noticed that the server where the stolen data is stored contains information not about five, but about ten victims, from whom the hackers stole a total of 2.8 TB of data. Bleeping Computer does not disclose the names of other affected companies, as they have not yet reported cyberattacks.
It is not yet clear whether the members of Donut Leaks are using some kind of malware or are simply engaged in hacking and subsequent extortion. So how other hacking groups claimed responsibility for the compromise of Desfa and Sando, it is assumed that Donut Leaks are “pentesters” or partners of Hive, Ragnar Locker and probably other extortion groups.
Previously, Ragnar Locker “pentesters” have already told reporters that they cooperate with several RaaS at once, providing their partners with access to the internal networks of hacked companies and organizations. It seems that in some cases, pentesters themselves also steal data and keep it for themselves if they believe that the information can be of value.
Thus, information stolen from an affected company can fall into the hands of several hacker groups at once, each of which will try to use their own extortion methods and collect a ransom.