
Unmasking the Darkrace Ransomware Gang

Cyble analyzes Darkrace, a new ransomware variant that shares similar characteristics to LockBit Ransomware.

New Ransomware Holds Similarities with LockBit Ransomware

Ransomware continues to pose the most critical cybersecurity threat to organizations’ infrastructure. This malicious software encrypts victims’ files and extorts payment in return for the decryption key. The consequences of ransomware attacks can be severe, including financial losses, data compromise, and reputational damage.

Cyble Research and Intelligence Labs (CRIL) has recently discovered a new ransomware named Darkrace, which shares several characteristics with LockBit ransomware.

In September 2022, an individual claiming to be a disgruntled developer leaked the LockBit 3.0 builder. According to reports, this developer was dissatisfied with the leadership of the ransomware group and decided to make the private tooling public. The leak dealt a significant blow to the group, since it gave anyone the means to produce their own ransomware kit, complete with an encryptor, a decryptor, and the supporting tools for launching the ransomware.

Darkrace targets Windows systems and exhibits several similarities to LockBit, including the use of a batch file to terminate processes, the dropping of a file icon for encrypted files, and the use of a random encryption extension.

The Darkrace ransomware gang appears to be in the early stages of its operations: as of Friday its data leak site listed only two victims. The threat actors (TAs) have since taken the leak site down.

The image below illustrates the appearance of the Darkrace ransomware’s leak site.

Figure 1 – Darkrace Ransomware Leak Site

Besides the leaked data, the Darkrace leak site includes a contact page for communicating with the TAs. The page lists the TAs’ Tox ID, allowing direct communication.

The Figure below shows the contact page of Darkrace Ransomware.

Figure 2 – Darkrace Ransomware Contact Page

Technical Analysis

The Darkrace ransomware executable is a 32-bit GUI-based Microsoft Visual C/C++ application identified by its SHA256 hash value, 0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4.

The figure below provides a comprehensive overview of the Darkrace ransomware executable.

Figure 3 – Darkrace Ransomware Executable Details

At the start of execution, Darkrace creates a mutex so that a second copy does not re-encrypt an already infected host. The mutex name, “CheckMutex”, is hardcoded in the binary, as shown in the following figure.

Figure 4 – Darkrace Ransomware Creating Mutex

Once the mutex has been created, the ransomware loads a list of whitelisted files and file extensions that are excluded from encryption. This whitelist is hardcoded in the executable as an XML string with two elements: “white_exten” for whitelisted file extensions and “white_files” for whitelisted file names.

The figure below shows the hardcoded XML string.

Figure 5 – Darkrace Ransomware Hardcoded Exclusion Lists

A considerable number of file extensions are excluded, which speeds up encryption because a large share of the files on a typical system is skipped. Leaving critical system files untouched also keeps the host bootable and usable, avoiding damage that would serve no purpose for the attacker.

The table below lists file extensions that are exempted from the encryption process.

386  adv  ani  bat  bin  cab  cmd  com  cpl  cur
deskthemepack  diagcab  diagcfg  diagpkg  dll  drv  exe  hlp  icl  icns
ico  ics  idx  lnk  mod  mpa  msc  msp  Msstyles  msu
deskthemepack  nomedia  ocx  prf  ps1  rom  rtp  scr  shs  spl
search-ms  pdb  msi  hta  key  lock  wpx  nls  theme  sys

The table provided below displays the list of files that will be excluded from encryption.

bootmgr  autorun.inf  boot.ini  bootfont.bin
bootsect.bak  desktop.ini  iconcache.db  ntldr
ntuser.dat  ntuser.dat.log  ntuser.ini  thumbs.db
GDIPFONTCACHEV1.DAT  d3d9caps.dat
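The exclusion logic is simple to reproduce, which is useful when estimating what an infection would have touched on a host. The Python below is an added example, not code from the page or from the malware: it parses an XML blob of the shape described above (only the element names and the values come from the analysis; the root element and the comma-separated layout are assumptions) and applies the same two checks the ransomware does, an exact file-name match followed by a match on the final extension, both case-insensitive as Windows file names are.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Constructed stand-in for the hardcoded XML blob. The element names
# white_exten and white_files and the values come from the analysis above;
# the root element and the comma-separated value layout are assumptions.
EXCLUSION_XML = """<config>
  <white_exten>386,adv,ani,bat,bin,cab,cmd,com,cpl,cur,deskthemepack,diagcab,diagcfg,diagpkg,dll,drv,exe,hlp,icl,icns,ico,ics,idx,lnk,mod,mpa,msc,msp,Msstyles,msu,nomedia,ocx,prf,ps1,rom,rtp,scr,shs,spl,search-ms,pdb,msi,hta,key,lock,wpx,nls,theme,sys</white_exten>
  <white_files>bootmgr,autorun.inf,boot.ini,bootfont.bin,bootsect.bak,desktop.ini,iconcache.db,ntldr,ntuser.dat,ntuser.dat.log,ntuser.ini,thumbs.db,GDIPFONTCACHEV1.DAT,d3d9caps.dat</white_files>
</config>"""


def load_exclusions(xml_text):
    """Parse the two whitelists into lower-cased sets (Windows names are case-insensitive)."""
    root = ET.fromstring(xml_text)
    exts = {e.strip().lower() for e in root.findtext("white_exten", "").split(",") if e.strip()}
    files = {f.strip().lower() for f in root.findtext("white_files", "").split(",") if f.strip()}
    return exts, files


def is_excluded(path, exts, files):
    """True if the ransomware would skip this file: exact name match first, then last suffix."""
    name = PureWindowsPath(path).name.lower()
    if name in files:
        return True
    # Only the final suffix is compared, so "archive.tar.gz" is judged on "gz".
    if "." in name:
        return name.rsplit(".", 1)[1] in exts
    return False


def encryption_scope(paths, exts, files):
    """Return the subset of paths that would be encrypted."""
    return [p for p in paths if not is_excluded(p, exts, files)]


# Constructed sample paths.
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",          # excluded: dll
    r"C:\Users\bob\ntuser.dat.log",                # excluded: listed file name
    r"C:\Windows\Resources\Themes\aero.MSSTYLES",  # excluded: case-insensitive match
    r"C:\Users\bob\Documents\report.docx",         # encrypted
    r"D:\backups\archive.tar.gz",                  # encrypted: only "gz" is checked
    r"C:\build\Makefile",                          # encrypted: no extension, no name match
]

if __name__ == "__main__":
    exts, files = load_exclusions(EXCLUSION_XML)
    for p in encryption_scope(SAMPLE_PATHS, exts, files):
        print("would encrypt:", p)
```

Note that the whitelist only protects files by name or final extension; files with no extension and nested archives whose last suffix is not listed fall inside the encryption scope.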

After loading the exclusion lists, the ransomware calls AllocateAndInitializeSid() and CheckTokenMembership() to determine whether the calling thread’s token (or, if the thread is not impersonating, the process token) is a member of the Administrators group. The code snippet below shows the implementation of this group membership check.

Figure 6 – Darkrace Ransomware Checking Token Information

If the token is a member of the Administrators group, the malware resolves Wow64DisableWow64FsRedirection() at runtime with GetProcAddress() and calls it. This disables WOW64 file system redirection for the 32-bit process on a 64-bit Windows installation, so that paths such as System32 resolve to the native 64-bit directory rather than being redirected to SysWOW64. Resolving the function dynamically keeps the binary runnable on 32-bit Windows, where the export does not exist. The code snippet below illustrates the redirection disabling routine.

Figure 7 – Darkrace Ransomware Disabling 64 Bit Redirection

After disabling redirection, Darkrace deletes the shadow copies on the infected system. It does so by running two distinct commands through the WinExec() API:

  • cmd /c "wmic shadowcopy delete /nointeractive
  • cmd /c "vssadmin Delete Shadows /All /Quiet

The figure below shows the ransomware attempting to delete the shadow copies.

Figure 8 – Darkrace Ransomware Deleting the Shadowcopy

After removing the shadow copies, Darkrace performs additional setup. First, it generates a random file extension (here “.1352FF327”) that will be appended to encrypted files. It then drops an icon file named “icon.ico” in the “C:\ProgramData” directory and creates a registry entry that associates the new extension with the dropped icon, making it the default icon for encrypted files. The figure below shows the code that drops the icon file and writes the registry entries.

Figure 9 – Darkrace Dropping the Icon File and Making it Default Icon

After dropping the icon and associating it with the encrypted files, the ransomware takes a further step to make data unrecoverable: it permanently empties the Recycle Bin using the SHEmptyRecycleBinA() API, removing deleted files that a victim might otherwise have restored.

The figure below depicts the API to clean recycle bin.

Figure 10 – Darkrace Ransomware Emptying the Recycle Bin

After emptying the Recycle Bin, the ransomware prepares the files for encryption. To avoid interference and speed up the process, Darkrace stops several services on the infected system, primarily those associated with databases, backups, and security products. Stopping these services releases file locks those services would otherwise hold, so the ransomware can open and encrypt their data files.

The figure below illustrates the assembly code responsible for stopping the targeted services.

Figure 11 – Darkrace Ransomware Stopping the Targeted Services

All the services targeted by the ransomware are listed in the table below:

vss  sql  svc  memtas
mepocs  msexchange  sophos  veeam
backup  GxVss  GxBlr  GxFWD
GxCVD  GxCIMgr  vmicvss  vmvss

After this, the ransomware creates a new thread that writes a batch file named “1.bat” to “C:\ProgramData” and executes it in a continuous loop. The batch file pings the loopback address “127.0.0.1” (a common way to introduce a delay between iterations) and runs taskkill commands to terminate a set of processes.

The figure below depicts the routine responsible for creating and executing the “1.bat” file.

Figure 12 – Darkrace Ransomware Dropping and Executing 1.bat Batch File

Processes killed by the batch file are mentioned in the table below:

Sql*  Oracle*  Mysq*  chrome*
veeam*  firefox*  excel*  msaccess*
onenote*  outlook*  powerpnt*  winword*
wuauclt*
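Several of the behaviours described above (the wmic/vssadmin shadow copy deletion, the 1.bat file in C:\ProgramData with its wildcard taskkill commands, and the default-icon registry change for the new extension) leave command-line and registry traces a defender can alert on. The Python below is an added example, not part of Cyble’s analysis: it runs simple detections over constructed Sysmon-like events (process creation and registry value set). The page does not name the registry key, so the icon rule assumes the standard HKCR\.<ext>\DefaultIcon association, and the check for a long hex-only extension is a heuristic.

```python
import re

# Constructed sample telemetry in a Sysmon-like shape (id 1 = process creation,
# id 13 = registry value set). These are not logs from the analysis; they are
# built to mirror the behaviours it describes, plus benign noise.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "wmic shadowcopy delete /nointeractive'},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "vssadmin Delete Shadows /All /Quiet'},
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c C:\ProgramData\1.bat"},
    {"id": 1, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r"taskkill /f /im sql* /im veeam* /im winword*"},
    {"id": 13, "target": r"HKCR\.1352FF327\DefaultIcon",
     "details": r"C:\ProgramData\icon.ico"},
    # Benign noise that should not fire.
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},
    {"id": 1, "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r"taskkill /pid 4242"},
    {"id": 13, "target": r"HKCR\.txt\DefaultIcon",
     "details": r"%SystemRoot%\system32\imageres.dll,-102"},
]


def _norm(s):
    """Collapse whitespace and lower-case so quoting/spacing tricks do not evade the match."""
    return re.sub(r"\s+", " ", s).strip().lower()


def detect_shadow_copy_deletion(cmdline):
    c = _norm(cmdline)
    return (("vssadmin" in c and "delete" in c and "shadows" in c)
            or ("wmic" in c and "shadowcopy" in c and "delete" in c))


def detect_wildcard_taskkill(cmdline):
    """The dropped batch file kills process families by prefix (Sql*, veeam*, ...)."""
    c = _norm(cmdline)
    return "taskkill" in c and bool(re.search(r"/im\s+\S*\*", c))


def detect_programdata_batch(cmdline):
    """A .bat executed out of C:\\ProgramData is unusual for normal user or admin activity."""
    c = _norm(cmdline)
    return bool(re.search(r"\\programdata\\[^\s\"]+\.bat\b", c))


# Assumption: the icon association is written as HKCR\.<ext>\DefaultIcon, the standard
# Windows file-type icon mechanism; a long hex-only extension is the heuristic trigger.
DEFAULT_ICON_KEY = re.compile(r"\\\.[0-9a-f]{6,}\\defaulticon$", re.IGNORECASE)


def detect_icon_hijack(target, details):
    d = details.lower()
    return bool(DEFAULT_ICON_KEY.search(target)) and "\\programdata\\" in d and d.endswith(".ico")


def run_detections(events):
    """Return (rule_name, evidence) pairs in event order."""
    hits = []
    for ev in events:
        if ev["id"] == 1:
            cl = ev["cmdline"]
            if detect_shadow_copy_deletion(cl):
                hits.append(("shadow_copy_deletion", cl))
            if detect_wildcard_taskkill(cl):
                hits.append(("wildcard_taskkill", cl))
            if detect_programdata_batch(cl):
                hits.append(("programdata_batch", cl))
        elif ev["id"] == 13 and detect_icon_hijack(ev["target"], ev["details"]):
            hits.append(("default_icon_hijack", ev["target"]))
    return hits


if __name__ == "__main__":
    for rule, evidence in run_detections(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

The shadow copy rule is the highest-value one: legitimate administration rarely deletes all shadow copies quietly, and the two command lines here are shared with LockBit and many other families, so the same detection pays off beyond Darkrace.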

Once the processes have been terminated, the ransomware enumerates the system drives and selects files for encryption. It uses GetLogicalDriveStringsW() to list the logical drives and GetDriveTypeW() to determine the type of each, as shown below.

Figure 13 – Darkrace Enumerating System Drives

After enumerating the logical drives, the ransomware carries out two actions: it drops a ransom note in specific folders and encrypts files using the AES algorithm. Encrypted files are marked by appending the extension “.1352FF327” after the original file extension.

The figure below depicts the encrypted files, showcasing the modified file extensions.

Figure 14 – Files Encrypted by Darkrace Ransomware
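Because the marker extension is generated per infection, an incident responder has to recover it from the file system rather than look it up. The Python below is an added example, not part of Cyble’s analysis: given a (constructed) file listing, it infers the appended extension by looking for a common suffix sitting behind a still-recognisable document extension, then recovers the original file names and tallies which data types were hit. KNOWN_EXTS is a small assumed set to be extended for the environment being triaged.

```python
from collections import Counter
from pathlib import PureWindowsPath

# Assumed set of ordinary document/data extensions used to recognise an
# "extension behind the marker"; extend it for the estate being triaged.
KNOWN_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "jpg", "png",
              "txt", "csv", "zip", "7z", "bak", "mdf", "ldf", "sql", "vmdk", "pst"}


def infer_marker_extension(paths, min_count=3):
    """Find the suffix most often appended behind a still-recognisable extension."""
    counts = Counter()
    for p in paths:
        parts = PureWindowsPath(p).name.split(".")
        # name.ext.MARKER -> at least three parts, with a known ext just before the tail
        if len(parts) >= 3 and parts[-2].lower() in KNOWN_EXTS:
            counts[parts[-1]] += 1
    if not counts:
        return None
    marker, n = counts.most_common(1)[0]
    return marker if n >= min_count else None


def recover_originals(paths, marker):
    """Map each encrypted path to the file name it had before encryption."""
    tail = "." + marker
    out = {}
    for p in paths:
        name = PureWindowsPath(p).name
        if name.endswith(tail):
            out[p] = name[: -len(tail)]
    return out


def impacted_extensions(paths, marker):
    """Count original extensions among encrypted files (what kind of data was hit)."""
    originals = recover_originals(paths, marker).values()
    return Counter(n.rsplit(".", 1)[-1].lower() for n in originals)


# Constructed directory listing from a hypothetical infected host.
SAMPLE_LISTING = [
    r"C:\Users\bob\Documents\budget.xlsx.1352FF327",
    r"C:\Users\bob\Documents\plan.docx.1352FF327",
    r"C:\Users\bob\Documents\notes.docx.1352FF327",
    r"C:\Users\bob\Pictures\team.jpg.1352FF327",
    r"D:\db\nightly.bak.1352FF327",
    r"C:\Users\bob\Documents\Readme.txt",    # untouched
    r"C:\Windows\System32\kernel32.dll",      # skipped by the exclusion list
    r"C:\ProgramData\icon.ico",               # dropped by the ransomware itself
]

if __name__ == "__main__":
    marker = infer_marker_extension(SAMPLE_LISTING)
    print("marker extension:", marker)
    if marker:
        for enc, orig in recover_originals(SAMPLE_LISTING, marker).items():
            print(f"{enc} -> {orig}")
        print(impacted_extensions(SAMPLE_LISTING, marker))
```

The min_count threshold guards against a single oddly named file being mistaken for the marker; on a real host the listing would come from a full walk of user and data volumes, where the encrypted files dominate.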

The ransom note left behind by the Darkrace ransomware includes an OnionMail email address and a link to the leak site operated by the ransomware group. These contact details serve as a means for victims to initiate negotiations with the TAs regarding the ransom payment.

The figure below shows the ransom note dropped by the Darkrace ransomware.

Figure 15 – Darkrace Ransomware Ransom Note

When encryption of the targeted data is complete, Darkrace takes additional steps to cover its tracks. It clears the event logs, terminates its own processes, and deletes both its executable and the C:\ProgramData\1.bat file. Finally, it reboots the system so that none of its components run again. These post-encryption actions reduce the artefacts left on the host and make detection and forensic reconstruction harder.

The figure below illustrates the code responsible for carrying out these post-encryption actions.

Figure 16 – Darkrace Ransomware Post Encryption activities

Conclusion

Darkrace shares multiple similarities with the notorious LockBit ransomware and focuses on businesses, using a dual-pronged approach to maximize leverage. Besides encrypting the victim’s files, the attackers pursue double extortion by exfiltrating sensitive data and threatening to publish it on their onion leak site to compel payment. The small, specific victim set suggests the attacks are targeted, and the TAs may have prior knowledge of their intended victims.

Our Recommendations

We have listed some essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the best practices given below:

Safety Measures Needed to Prevent Ransomware Attacks

  • Conduct regular backup practices and keep those backups offline or in a separate network
  • Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic
  • Use a reputed anti-virus and Internet security software package on your connected devices, including PC, laptop, and mobile
  • Refrain from opening untrusted links and email attachments without verifying their authenticity

Users Should Take the Following Steps After the Ransomware Attack

  • Isolate infected devices from the network
  • Disconnect external storage devices if connected
  • Inspect system logs for suspicious events

Impact of Ransomware

  • Loss of valuable data
  • Loss of the organization’s reputation and integrity
  • Loss of the organization’s sensitive business information
  • Disruption in organization operation
  • Financial loss

MITRE ATT&CK® Techniques

Tactic           Technique ID   Technique Name
Execution        T1059          Command and Scripting Interpreter
Execution        T1204          User Execution
Discovery        T1083          File and Directory Discovery
Defense Evasion  T1070          Indicator Removal
Defense Evasion  T1562          Impair Defenses
Impact           T1486          Data Encrypted for Impact
Impact           T1490          Inhibit System Recovery

Indicators of Compromise (IOCs)

Indicators                                                          Indicator Type   Description
1933fed76a030529b141d032c0620117                                    MD5              Darkrace Ransomware
c55c60a23f5110e0b45fc02a09c4a64d3094809a                            SHA1             Darkrace Ransomware
0e60d49a967599fab179f8c885d91db25016be996d66a4e00cbb197e5085efa4    SHA256           Darkrace Ransomware
cb1c423268b1373bde8a03f36f66b495                                    MD5              Darkrace Ransomware
892cd69f889b25cb8dc11b0ac75c330b6329e937                            SHA1             Darkrace Ransomware
74b5e2d90daaf96657e4d3d800bb20bf189bb2cf487479ea0facaf6182e0d1d3    SHA256           Darkrace Ransomware
4a4d03743fd3a7ee1d03d89d0e3b8011                                    MD5              1.bat batch file
127d72408c87d866c72331fb0f16d13fef6a92ec                            SHA1             1.bat batch file
2b15e09b98bc2835a4430c4560d3f5b25011141c9efa4331f66e9a707e2a23c0    SHA256           1.bat batch file
