Can we have that to go? Incompetence as a defence. And getting an “F” in speedy notification. This Week In Ransomware for the week ending November 27th, 2022


Would two attacks be a “double-double?”

A new and somewhat creative ransomware group called “Donut” has been reportedly mounting “double extortion” attacks. For anyone not familiar with the term, double extortion refers to both the encryption and theft of data, and normally involves a threat to release the stolen data if the ransom is not paid.

Security blog Bleeping Computer reported that the group’s customized ransomware is now spreading through a variety of sites, including freeware and third-party software sites, peer-to-peer networks, and other typical sites for dissemination of malware.

The Donut ransomware appends the “.donut” extension as it encrypts files. Something like “picture.jpg” is renamed “picture.jpg.donut.”

Donut also changes the desktop wallpaper, opens a pop-up window, and generates a text file (“decrypt.txt”) that it places in each existing folder after encrypting data. The notes are encoded and later decrypted in the victim’s browser using JavaScript, which helps avoid detection.
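The two file-system indicators described above (the appended “.donut” extension and a “decrypt.txt” note in each folder) can be checked together during triage. The following is an added example, not code from the article or from Bleeping Computer; the function names, the confidence labels, case-insensitive matching and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

# Indicators as reported in the article; case-insensitive matching is an assumption.
ENCRYPTED_SUFFIX = ".donut"
NOTE_NAME = "decrypt.txt"

def triage(root):
    """Return {relative_dir: finding} for every directory under root with an indicator."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        note, renamed, other = False, [], 0
        for name in files:
            lower = name.lower()
            if lower == NOTE_NAME:
                note = True
            elif lower.endswith(ENCRYPTED_SUFFIX) and len(name) > len(ENCRYPTED_SUFFIX):
                # Strip the appended extension to recover the pre-encryption name.
                renamed.append((name, name[:-len(ENCRYPTED_SUFFIX)]))
            else:
                other += 1
        if note or renamed:
            findings[os.path.relpath(dirpath, root)] = {
                "note": note,
                "renamed": sorted(renamed),
                "other_files": other,
                # Both indicators together are a strong signal; one alone is only a lead.
                "confidence": "high" if note and renamed else "low",
            }
    return findings

def build_sample(root):
    """Constructed sample tree of empty files, for demonstration only."""
    layout = {
        "photos": ["picture.jpg.donut", "holiday.png.donut", "decrypt.txt"],
        "docs": ["decrypt.txt", "report.docx"],   # note present, nothing renamed
        "clean": ["readme.md"],                   # no indicators
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(root, folder))
        for name in names:
            open(os.path.join(root, folder, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for folder, finding in sorted(triage(tmp).items()):
            print(folder, finding["confidence"], finding["renamed"])
```

A folder with a note but no renamed files is reported with low confidence, since “decrypt.txt” on its own is a plausible legitimate file name.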

As befitting ransomware named after a fast food, the ransom is modest by traditional standards. It’s been reported that one hundred dollars in bitcoin is the cost of the decryption software.

Incompetence as a cybersecurity defence?

It is not supposed to work this way, nor do we recommend it, but this story was simply too strange to pass by.

Low-cost Malaysian airline AirAsia fell victim to a ransomware attack in early November, according to DataBreaches, a site that uses the tagline “The Office of Inadequate Security.”

DataBreaches received two .csv files from a group identified as the “Daixin Team.” AirAsia Group reportedly also received these files. The first file had information with the names of passengers. The second file had employee information including name, date of birth, country of birth, location, date employment started, and their “secret question.”

The Daixin Team posted that although they stole some data and encrypted some files, they did not interfere with any files that might be related to air traffic or other operational matters.

What makes the attack more remarkable is that the attackers further reported that they didn’t do as much damage as they might normally do, not out of compassion, but out of frustration. Apparently the lack of organization in the company’s file systems made them simply give up.

The article in Data Breaches posted this quote from the attackers:

“The chaotic organization of the network, the absence of any standards, caused the irritation of the group and a complete unwillingness to repeat the attack.

… The group refused to pick through the garbage for a long time. As our pentester said, “Let the newcomers sort this trash, they have a lot of time.”

This may be the first occurrence where incompetence was noted as a workable cybersecurity defence.

In the same article, Data Breaches notes that they approached the company for further information but did not receive a reply. Somehow, that is the least surprising part of the story.

Getting an “F” for speedy reporting?

The Ontario Secondary School Teachers Federation (OSSTF) announced last week that an unauthorized third party had accessed and encrypted some of the union’s systems just prior to May 30th of this year.

Although the breach was detected in May, and members were notified of an attack, it was only last week that members were notified that their data had been stolen. Apparently, it took several months for the forensic examination to confirm the theft of the information.

Despite the length of the investigation, according to the report in IT World Canada, the federation’s media and communications representative couldn’t say how many of its members are being notified, nor how many IT systems were encrypted by the attacker.

Also, under the heading of “better late than never,” the union issued a statement saying that it had no evidence at this time the personal data of any of its 60,000 members has been misused, but it may, in some cases, offer certain individuals credit monitoring and identity theft protection services for a year at the OSSTF’s expense.
