Cyble – Unmasking The Darkrace Ransomware Gang

MITRE Techniques

• [T1059] Command and Scripting Interpreter – Brief description: Darkrace uses batch files to terminate processes and orchestrate actions; Quote: “Darkrace ransomware exhibits several similarities to the LockBit ransomware, including the deployment of batch files to terminate processes, the dropping of file icons, and the utilization of random encryption extensions.”
• [T1083] File and Directory Discovery – Brief description: It enumerates system drives and stages files for encryption; Quote: “enumeration of system drives and file staging for encryption. To identify the drive and file staging, the ransomware uses GetLogicalDriveStringsW() and GetDriveTypeW().”
• [T1112] Modify Registry – Brief description: Creates a registry entry to set the dropped icon as the default icon for encrypted files; Quote: “registry entry which makes dropped icon as default icon for encrypted files.”
• [T1562] Impair Defenses – Brief description: Stops multiple services (databases, backups, and system functions) to improve encryption success; Quote: “stops several services on the infected system. These targeted services are primarily associated with databases, backups, and critical system functions.”
• [T1070] Indicator Removal – Brief description: Deletes shadow copies to hinder recovery; Quote: “deletes the shadow copies of the infected system.”
• [T1490] Inhibit System Recovery – Brief description: Uses commands to remove restore points/shadow copies; Quote: “the ransomware proceeds to delete the shadow copies using two distinct commands.”
• [T1486] Data Encrypted for Impact – Brief description: Encrypts files with AES and appends a new extension; Quote: “encrypts files using the AES encryption algorithm” and “appends the extension ‘.1352FF327’ to the original file extension.”