DarkRace Ransomware: A Deep Dive into its Techniques and Impact

DarkRace is a newly observed ransomware variant that mirrors LockBit’s techniques, illustrating how threat actors repurpose leaked source code to craft new threats. It operates by leveraging a mutex, decrypting an XML configuration, killing services/processes, deleting shadow copies, encrypting files with Salsa20, and leaving a ransom note before cleaning up traces. #DarkRace #LockBit

Keypoints

  • DarkRace closely resembles LockBit, illustrating how leaked source code can seed new variants.
  • On execution, it checks for a mutex named “CheckMutex” and creates one if absent to prevent reinfection.
  • It decrypts an XML-format string (encrypted with XOR) that lists whitelisted files/folders, services/processes to kill, shadow-copy deletion, and a ransom note.
  • Post-decryption, it deletes shadow copies and uses the decrypted data to execute commands via the WinExec() API.
  • It terminates specified services and processes (via SCM API and Taskkill) before encryption.
  • During encryption, it enumerates drives, filters targets by size and extension, and uses Salsa20 to encrypt non-whitelisted files.
  • After encryption, it deletes event logs, dropped files, and restarts the system, leaving a ransom note.
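Because the service/process termination, shadow-copy deletion and log wiping steps above are executed as commands through WinExec(), each one spawns a child process and so surfaces in process-creation telemetry (Sysmon event 1 or Windows 4688). The following is an added defender-side example, not code from the Quick Heal write-up: it triages constructed Sysmon-style events for that sequence and matches image hashes against the two MD5 IoCs listed below. The event field names and the specific built-in tool command lines it matches are assumptions, since the article does not quote the exact commands DarkRace issues.

```python
import re
from collections import Counter

# MD5 hashes listed as IoCs in the article.
DARKRACE_MD5 = {
    "cb1c423268b1373bde8a03f36f66b495",
    "1933fed76a030529b141d032c0620117",
}

# Command-line patterns for the behaviours the article describes. The exact
# commands are not given in the write-up; the built-in tools below are an
# assumption about how each step is commonly carried out (matched case-insensitively).
BEHAVIOUR_PATTERNS = {
    "shadow_copy_deletion": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "process_kill": re.compile(r"taskkill(\.exe)?\s+.*?(/f|/im)", re.I),
    "service_stop": re.compile(r"\b(net|sc)(\.exe)?\s+stop\s+", re.I),
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+(cl|clear-log)\s+", re.I),
}

def classify_event(event):
    """Return the set of behaviour names one process-creation event matches."""
    cmd = event.get("CommandLine", "")
    return {name for name, pat in BEHAVIOUR_PATTERNS.items() if pat.search(cmd)}

def triage_host(events, kill_threshold=3):
    """Count behaviours across a host's events; 'hash_match' counts images whose
    MD5 is in the IoC list, and 'kill_spray' is set when taskkill use reaches
    kill_threshold, mirroring the pre-encryption termination step."""
    counts = Counter()
    for ev in events:
        for name in classify_event(ev):
            counts[name] += 1
        if ev.get("ImageMD5", "").lower() in DARKRACE_MD5:
            counts["hash_match"] += 1
    if counts["process_kill"] >= kill_threshold:
        counts["kill_spray"] = 1
    return dict(counts)

# Constructed sample events (not real telemetry) approximating the described
# sequence: IoC-matching dropper, shadow-copy deletion, service/process kills, log wipe.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\x\\update.exe", "ImageMD5": "CB1C423268B1373BDE8A03F36F66B495", "CommandLine": "update.exe"},
    {"Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"Image": "C:\\Windows\\System32\\net.exe", "CommandLine": "net stop vss /y"},
    {"Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /F /IM sqlservr.exe"},
    {"Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /F /IM outlook.exe"},
    {"Image": "C:\\Windows\\System32\\taskkill.exe", "CommandLine": "taskkill /F /IM excel.exe"},
    {"Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil cl Security"},
]

if __name__ == "__main__":
    print(triage_host(SAMPLE_EVENTS))
```

A single hit on any one pattern is weak evidence on its own (administrators run these tools too); the combination within a short window on one host is what matches the behaviour chain described above.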

MITRE Techniques

  • [T1106] Native API – Uses Windows API (WinExec) to run commands. “executes it using the WinExec() API”
  • [T1027] Obfuscated/Compressed Files and Information – Decrypts the XML-format configuration string by XORing it with a hardcoded value; “decrypts the XML format string with XORing with hardcoded value”
  • [T1486] Data Encrypted for Impact – Encrypts files after whitelisting; “uses Salsa 20 for File Encryption”
  • [T1490] Inhibit System Recovery – Deletes shadow copies; “Calls to delete the shadow copy.”
  • [T1562.001] Impair Defenses: Disable or Modify Security Tools – Terminates processes and stops services; “terminates processes and stops services.”
  • [T1070.004] File Deletion – Deletes event logs and dropped files; “deletes the event-logs” and “deletes all the dropped files.”

Indicators of Compromise

  • [File Hash] CB1C423268B1373BDE8A03F36F66B495 – IoC listed in the article
  • [File Hash] 1933FED76A030529B141D032C0620117 – IoC listed in the article

Read more: https://blogs.quickheal.com/darkrace-ransomware-a-deep-dive-into-its-techniques-and-impact/