Donut Leaks attacks UnitedLex

Incident Date:

July 9, 2023

World map



Donut Leaks attacks UnitedLex






Overland Park, USA

Kansas, USA

First Reported

July 9, 2023

Donut Leaks Ransomware Gang Attacks UnitedLex

The Donut Leaks ransomware gang has attacked UnitedLex. UnitedLex is a legal data analytics and management solutions provider headquartered in Kansas, USA. Donut Leaks posted UnitedLex to its data leak site on April 4th, claiming to have stolen 400GB of data and threatening to publish it should the company fail to pay a $600,000 ransom. UnitedLex refused to comply, and Donut Leaks published 200GB of stolen data.

Identification of Donut Leaks

Researchers first identified the Donut Leaks extortion group when an employee of one of the victims revealed that the corporate network had been breached by threat actors seeking to steal data. After successfully pilfering the data, the threat actors proceeded to email the victims' business partners and employees with URLs to their Tor extortion sites.

Operation of Tor Extortion Sites

These Tor sites consist of two components: a shaming blog and a data storage site. Visitors to these sites can freely browse and download all the stolen and leaked data. The stolen data storage server operates using the File Browser application, enabling visitors to navigate through the stolen data categorized by victim.

Uncertainty Around Ransomware Deployment

It remains unclear whether the threat actors deploy ransomware during their network breaches or if they solely operate as a data extortion group. However, Sheppard Robson, a victim, did disclose that their recent attack involved ransomware. Researchers also believe that Donut Leaks could be an offshoot of the Ragnar Locker and Hive ransomware gangs.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.