Donut Ransomware

What is Donut Ransomware?

If you do not want to put your personal files at risk, Donut Ransomware is an infection you need to keep away from your operating system. Any careless click could let this malware in, which is why you need to be most cautious. For example, you should forget about interacting with spam emails. If you are not smart about it, you could let in all kinds of malware, including other well-known file-encrypting threats, such as Danger Ransomware, Scarab-Leen Ransomware, Autismlocker Ransomware, or BansomQare Manna Ransomware. If you are interested, all of these – and many others – infections have been reviewed by our Anti-Spyware-101.com research team. Once the infection slithers in silently, it immediately scans your operating system and encrypts files. Although the threat evades all system files, as well as some specific files (“autorun.inf,” “boot.ini,” “bootsect.bak,” “desktop.ini,” “iconcache.db,” “ntuser.dat,” “ntuser.dat.log,” and “thumbs.db”) regardless of their location, it does not ignore what we call “personal files.” You can save them only if you delete Donut Ransomware in time, and, unfortunately, it is most likely that you have found this removal guide because your personal files got encrypted already.

How does Donut Ransomware work?

When Donut Ransomware slithers in, it uses an encryption key either carried along with it or downloaded separately to corrupt data. The encryption of files ensures that the owners of these files cannot read them, and there is nothing that can be done about it. Even legitimate file decryptors cannot aid in this situation. Once the encryption process is complete, the infection changes the wallpaper to introduce the victim to a ransom note. The ransomware also executes an animation of a donut continuously rolling through the screen. Needless to say, this is where the name of the infection comes from. The word “donut” is also attached to the files that get encrypted. So, for example, if you have a personal file named “graduation.doc,” after encryption, it will be named “graduation.doc.donut.” If you are thinking about removing the added extension, we have to warn you that that is not something that will help you recover personal files. Unfortunately, it seems that the only option you’ve got is the one offered by the malicious ransomware via its ransom note, and it is not an option we recommend taking seriously.

The ransom note by Donut Ransomware is delivered in three different ways. First, the wallpaper is changed. Next, a window entitled “Oooops” is launched. Finally, you have a file named “decrypt.txt,” which you will find in multiple folders across your operating system. The message is the same in every case, and it is meant to convince you that you need to purchase DonutDecryptor. The ransom note reads: “All your files have been ENCRYPTED by DONUT Ransomware. Do you want to restore your files? Your should buy DonutDecryptor.” Needless to say, the message was not written by someone skilled in English. You can disable the donut animation, close the ransom note window, replace the desktop wallpaper, and delete all copies of the TXT file, but you might hesitate to do this if the ransom note appears to offer a real solution. This solution is to pay 100 USD in Bitcoins to obtain DonutDecryptor. It is stated that if you transfer the money to 1MVB7wbeF1yLGRCUmVdgiDWMD7yRspJX8C (Bitcoin wallet address) and email donutmmm@tutanota.com to confirm the payment, the decryptor would be sent back to you. If you choose to trust cyber criminals, you are on your own, as we will not be able to help you get your money back. What we can help you with is the removal of the infection.

How to delete Donut Ransomware

Whether or not your files are safe in backups, you need to remove Donut Ransomware ASAP. This malware is controlled by cyber criminals, and who knows what kind of mess they could create if you give them the chance. So, how do you initiate the removal process? First, you need to think if you have experience with the elimination of malware and if you are capable of identifying the elements of the infection. If you cannot do that, manual removal might not be suitable for you. Luckily, the right anti-malware program can take care of the infection regardless of your level of expertise. The best part is that it can also ensure reliable protection against malware in the future! Without a doubt, installing anti-malware software is what we recommend.

Removal Instructions

1. Tap Ctrl+Shift+Esc and click the Processes tab.
2. Right-click the malicious process of the ransomware and then select Open File Location.
3. Kill the malicious ransomware process and then Delete the malicious .exe file.
4. Enter %TEMP% into Explorer’s bar (to open Explorer, tap Win+E keys).
5. Delete {random name}.exe and wallpaper.bmp files.
6. Launch RUN (tap Win+R keys) and then enter regedit.exe to launch Registry Editor.
7. Move to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
8. Delete the value called donut.exe (its value data should point to the malicious {random name}.exe file).
9. Empty Recycle Bin and then quickly install a legitimate malware scanner to run a full scan. Download Removal Tool100% FREE spyware scan and
   tested removal of Donut Ransomware*