How FortiSandbox 5.0 Detects Dark 101 Ransomware Despite Evasion Techniques

The Dark 101 ransomware, identified by FortiGuard Labs, encrypts user files while disabling recovery options and system tools to prevent remediation. It delivers its ransom demand in Bitcoin through a dropped text file and attempts to evade detection by running under the name of a legitimate Windows process, svchost.exe.

Keypoints

  • Dark 101 ransomware is delivered as an obfuscated .NET binary targeting personal files for encryption.
  • It disables recovery by deleting Volume Shadow Copies and the Windows Backup catalog using vssadmin, wmic, and wbadmin commands.
  • The ransomware evades detection by copying itself to %Appdata% and renaming as svchost.exe, a legitimate Windows process name.
  • It modifies the Windows Registry key DisableTaskMgr to disable Task Manager, preventing user intervention.
  • It targets specific file extensions related to documents, images, archives, and databases for encryption, appending a random four-character extension to each encrypted file.
  • It drops a ransom note named read_it.txt in encrypted directories demanding Bitcoin payment and giving the victim contact information.
  • FortiSandbox detects the malware with detailed behavioral analysis and FortiGuard Antivirus identifies it as MSIL/Kryptik.SAC!tr.ransom.

MITRE Techniques

  • [T1490] Inhibit System Recovery – Executes vssadmin, wmic, and wbadmin commands to delete Volume Shadow Copies and backup catalog. (‘Execution of vssadmin and wmic commands to delete all Volume Shadow Copies’, ‘Execution of the wbadmin delete catalog command to remove the Windows Backup catalog’)
  • [T1543] Create or Modify System Process – Copies itself to %Appdata% and renames itself svchost.exe to impersonate a critical system process. (‘Renamed svchost.exe process in %Appdata% flagged as high risk’) Note that no service or other persistence mechanism is described; the behaviour reported is name-and-location masquerading, for which T1036.005 (Masquerading: Match Legitimate Name or Location) is the closer mapping.
  • [T1562.001] Impair Defenses: Disable or Modify Tools – Modifies registry key DisableTaskMgr to disable Task Manager. (‘Registry modification used to disable Task Manager by setting DisableTaskMgr to 1’)
  • [T1486] Data Encrypted for Impact – Encrypts files with selected extensions and appends random four-character extensions. (‘List of file extensions targeted by the Dark 101 ransomware for encryption’)
  • [T1204.002] User Execution: Malicious File – Delivered as an obfuscated .NET binary that the victim must run. Before the payload executes, a routine named SleepOutOfTempFolder performs an analysis-environment check tied to whether the binary is running from a typical temp folder. (‘SleepOutOfTempFolder function used for evasion’)

Indicators of Compromise

  • [File Hash] Malware binary – MD5 ae3dd3d1eedb6835e6746d51d9ab21c6
  • [Registry Key] Disables Task Manager – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1
  • [File Name] Malware and ransom note – %APPDATA%\svchost.exe, read_it.txt
  • [Command Line] Anti-recovery commands – “vssadmin delete shadows /all /quiet”, “wmic shadowcopy delete”, “wbadmin delete catalog -quiet”
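The behaviours in the technique and IoC lists above translate directly into process-creation detection logic, which is how a sandbox or EDR sees this sample: three anti-recovery commands, a registry write setting DisableTaskMgr to 1, and an svchost.exe image that does not live in System32. The Python below is an added example written for this page, not FortiSandbox's or FortiGuard's detection code. The sample events are constructed here in a reduced Sysmon Event ID 1 shape (pid, ppid, image, cmdline), and the reg.exe command line used to set DisableTaskMgr is an assumption, since the note only states that the value is set. The correlation step goes a little beyond the page: it escalates when a single parent process accounts for two or more distinct techniques, which is the shape a ransomware run produces and a lone vssadmin call does not.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1, reduced to the
# fields the rules need). NOT real telemetry from the Dark 101 sample.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 3100, "ppid": 2000, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"pid": 1204, "ppid": 3100, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"pid": 1210, "ppid": 3100, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"pid": 1222, "ppid": 3100, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    # Assumed shape of the registry write; the note only says DisableTaskMgr is set to 1.
    {"pid": 3140, "ppid": 3100, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": 'reg add "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"'
                ' /v DisableTaskMgr /t REG_DWORD /d 1 /f'},
    # Benign noise: the real svchost.exe and an admin listing shadow copies.
    {"pid": 900, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"pid": 4000, "ppid": 600, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# T1490 Inhibit System Recovery: the three anti-recovery commands from the IoC list.
RECOVERY_RULES = [
    (re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I), "wbadmin delete catalog"),
]

# T1562.001: DisableTaskMgr under Policies\System being written with data 1.
TASKMGR_RULE = re.compile(r"Policies\\System.*\bDisableTaskMgr\b.*\s/d\s+0*1\b", re.I)

# Directories from which a genuine svchost.exe is expected to run.
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def classify(event: Dict[str, object]) -> Optional[Dict[str, str]]:
    """Return a finding for one process-creation event, or None if it is clean."""
    cmd = str(event["cmdline"])
    directory, _, basename = str(event["image"]).lower().rpartition("\\")

    for pattern, label in RECOVERY_RULES:
        if pattern.search(cmd):
            return {"technique": "T1490", "rule": label}

    if TASKMGR_RULE.search(cmd):
        return {"technique": "T1562.001", "rule": "DisableTaskMgr=1"}

    # The page maps this to T1543; T1036.005 (Match Legitimate Name or Location)
    # is the closer fit, so both are recorded in the finding.
    if basename == "svchost.exe" and directory not in LEGIT_SVCHOST_DIRS:
        return {"technique": "T1543/T1036.005", "rule": "svchost.exe outside System32"}
    return None


def scan(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Run every rule over every event and keep the hits with their pid/ppid."""
    findings = []
    for ev in events:
        hit = classify(ev)
        if hit:
            findings.append({**hit, "pid": ev["pid"], "ppid": ev["ppid"]})
    return findings


def correlate(findings: List[Dict[str, object]]) -> List[int]:
    """PIDs that, directly or through their children, triggered >= 2 distinct techniques."""
    techniques_by_pid = defaultdict(set)
    for f in findings:
        techniques_by_pid[f["ppid"]].add(f["technique"])  # child hits count against the parent
        techniques_by_pid[f["pid"]].add(f["technique"])   # self hits count against the process
    return sorted(pid for pid, techs in techniques_by_pid.items() if len(techs) >= 2)


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"pid={h['pid']} ppid={h['ppid']} {h['technique']}: {h['rule']}")
    print("ransomware-pattern parents:", correlate(hits))
```

Run stand-alone it reports five findings and escalates only pid 3100, the svchost.exe copy in AppData that spawned the recovery-inhibition and registry commands; the genuine svchost.exe and the `vssadmin list shadows` call produce nothing. Case-insensitive matching matters here because the IoC list capitalises the commands differently from how they appear on a real command line.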


Read more: https://feeds.fortinet.com/~/921639680/0/fortinet/blog/threat-research~How-FortiSandbox-Detects-Dark-Ransomware-Despite-Evasion-Techniques