BleepingComputer reports that double-extortion attacks launched by the Donut Leaks extortion group also involved ransomware deployment. Ransomware leveraged by Donut, also known as D0nut, has been observed by BleepingComputer to scan files for encryption, while avoiding files with certain strings. Files encrypted by the Donut ransomware will have the .donut extension appended. Meanwhile, Donut Leaks' ransom notes have been found to feature different ASCII art and masquerade as a command prompt displaying an error in PowerShell. Donut Leaks has applied significant obfuscation to the ransom notes in an effort to prevent detection. Moreover, Donut's data leak site also features a builder with a bash script. Attacks against multinational construction firm Sando, U.K. architectural company Sheppard Robson, and Greek natural gas firm DESFA have been associated with Donut Leaks, but subsequent claims by the Hive and Ragnar Locker ransomware groups on the Sando and DESFA attacks, respectively, suggest that Donut Leaks' operator is an affiliate for other operations.