The Donut Leaks Ransomware Gang's Attack on Void Interactive

The Donut Leaks ransomware gang claims to have successfully exfiltrated four terabytes of data from Void Interactive, the developer of the popular tactical shooter video game Ready or Not. On 14 March, the group declared on its dark net leak site that Voidinteractive.net had been pwned and that all data related to the developers would be shared if they did not contact the attackers. Donut Leaks claims to have 4T of source code and game-related data. The gang does not appear to be native English speakers and asked the company to contact them to receive more proof of exfiltrated files.

VOID Interactive is an Irish based global software development company that delivers digital content for the video game and personal entertainment industries. Its headline project, READY OR NOT, is a realistic, tactical First Person Shooter game set against a backdrop of political and economic instability.

Discovery of the Donut Leaks Extortion Group

Researchers first identified the Donut Leaks extortion group when an employee of one of the victims revealed that the corporate network had been breached by threat actors seeking to steal data. After successfully pilfering the data, the threat actors proceeded to email the victims' business partners and employees with URLs to their Tor extortion sites. These Tor sites consist of two components: a shaming blog and a data storage site. Visitors to these sites can freely browse and download all the stolen and leaked data.

The stolen data storage server operates using the File Browser application, enabling visitors to navigate through the stolen data categorized by victim. It remains unclear whether the threat actors deploy ransomware during their network breaches or if they solely operate as a data extortion group. However, Sheppard Robson, a victim, did disclose that their recent attack involved ransomware. Researchers also believe that Donut Leaks could be an offshoot of the Ragnar Locker and Hive ransomware gangs.