As cyber threats continue to evolve, a new ransomware family has been discovered that bears unmistakable similarities to the well-known LockBit ransomware.
It is worth noting that LockBit's source code was leaked around a year ago, making it possible for other threat actors to build new variants on top of it. The discovery of this new ransomware, referred to as 'DarkRace', shows how cybercriminals reuse existing resources to create their own malicious software.
In this blog analysis, we delve into the intricate details of this clever integration and bring to light the technical specifics involved, as well as the potential implications for unsuspecting victims.
On initial execution, DarkRace checks for a mutex named "CheckMutex". If it is not found, it creates one. The mutex ensures only a single instance runs, so an already-infected host is not encrypted a second time.
After creating the mutex, it decrypts an embedded XML-format configuration string by XORing it with a hardcoded value.
The decrypted XML string contains the following:
After decrypting the data, it deletes the shadow copies from the system: the command to do so is retrieved from the decrypted configuration and executed through the WinExec() API.
It then reads the lists of services and processes from the corresponding tags of the decrypted XML data, as shown in the image below, and uses them to stop services and terminate processes.
The services are stopped and disabled through the Windows Service Control Manager (SCM) API. The process names are then passed to the 'taskkill' command, which terminates them.
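The configuration-recovery step described above, as an added analysis script (not DarkRace's code and not the authors' tooling): it XOR-decrypts an embedded XML blob, brute-forces the single-byte key when it is not known, and pulls the shadow-copy command, service list and process list out of the XML. The key value (0x5A), the tag names (cmd, services/s, processes/p) and the plaintext configuration are assumptions constructed for illustration; the blog does not publish the sample's key or tag names.

```python
"""XOR-decrypt and parse a DarkRace-style XML configuration (added example).

The blog states the config is an XML string XORed with a hardcoded value.
Everything below the key and tag names is an assumption for illustration.
"""
import xml.etree.ElementTree as ET

# Assumed single-byte XOR key; the real sample's hardcoded value is not given.
XOR_KEY = 0x5A

# Constructed plaintext configuration in the style the blog describes.
# Tag names (<cmd>, <services>/<s>, <processes>/<p>) are assumptions.
_SAMPLE_CONFIG_XML = (
    "<config>"
    "<cmd>cmd.exe /c echo placeholder-shadow-copy-command</cmd>"
    "<services><s>SQLWriter</s><s>MSSQLSERVER</s><s>vss</s></services>"
    "<processes><p>sqlservr.exe</p><p>outlook.exe</p><p>excel.exe</p></processes>"
    "</config>"
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric: encrypts and decrypts)."""
    return bytes(b ^ key for b in data)


# Constructed "embedded blob" as it would sit in the binary before decryption.
SAMPLE_BLOB = xor_bytes(_SAMPLE_CONFIG_XML.encode("utf-8"), XOR_KEY)


def decrypt_config(blob: bytes, key: int) -> str:
    """Recover the XML text from the XORed blob with a known key."""
    return xor_bytes(blob, key).decode("utf-8")


def recover_xor_key(blob: bytes) -> int:
    """Brute-force a single-byte key when it has not been read out of the binary.

    The plaintext is XML, so the first byte must decrypt to '<' and the whole
    buffer must parse. XOR is a bijection per byte, so at most one key fits.
    """
    for key in range(256):
        candidate = xor_bytes(blob, key)
        if candidate[:1] != b"<":
            continue
        try:
            ET.fromstring(candidate.decode("utf-8"))
        except (ET.ParseError, UnicodeDecodeError):
            continue
        return key
    raise ValueError("no single-byte XOR key yields well-formed XML")


def parse_config(xml_text: str) -> dict:
    """Extract the command plus service and process names from the XML tags."""
    root = ET.fromstring(xml_text)
    return {
        "command": (root.findtext("cmd") or "").strip(),
        "services": [s.text.strip() for s in root.iter("s") if s.text],
        "processes": [p.text.strip() for p in root.iter("p") if p.text],
    }


def build_taskkill_commands(processes) -> list:
    """Render the taskkill invocations the blog describes (image name, forced)."""
    return [f"taskkill /IM {name} /F" for name in processes]


if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_BLOB)
    cfg = parse_config(decrypt_config(SAMPLE_BLOB, key))
    print(f"key=0x{key:02x} command={cfg['command']!r}")
    print("services:", cfg["services"])
    for line in build_taskkill_commands(cfg["processes"]):
        print(line)
```

Pointing `recover_xor_key` at the blob carved from a real sample is the usual first move when the key is not obvious in the disassembly; if the plaintext does not start with '<' (for instance a BOM or whitespace), relax the first-byte check and rely on the parse alone.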
Encryption Process:
First, the ransomware enumerates the drives and hands each one to a worker thread, which walks the drive and skips whitelisted folders, file names and extensions. Anything that passes all of the checks is encrypted.
Once the drives are obtained, they are enumerated by drive type, and each drive is passed to a separate thread for further processing. That thread is responsible for two checks:
It checks whether the file size is less than or equal to 1 KB and, if so, discards the file from further encryption, as shown in the images below.
After the whitelist checks on folder, file name and extension, and the size check, the file is handed to the encryption routine, which uses Salsa20 for file encryption.
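The target-selection logic described above, as an added example (not the sample's code): it reproduces the per-drive worker, the three whitelist checks and the 1 KB size cut-off, so a defender can reason about which files on a host would be touched. The blog does not list the whitelist contents, so the folder, file-name and extension sets below, and the constructed drive listings, are assumptions for illustration; no encryption is performed.

```python
"""Reproduce DarkRace-style target selection (added example, not the sample's code).

The blog states three whitelists (folders, file names, extensions) and that
files <= 1 KB are skipped. The whitelist entries below are assumptions.
"""
from concurrent.futures import ThreadPoolExecutor
from pathlib import PureWindowsPath

# Assumed whitelists; the real lists are in the decrypted config, not the blog.
WHITELIST_FOLDERS = {"windows", "program files", "$recycle.bin", "boot"}
WHITELIST_FILES = {"ntldr", "bootmgr", "desktop.ini", "autorun.inf"}
WHITELIST_EXTS = {".exe", ".dll", ".sys", ".lnk", ".msi"}
MIN_SIZE_BYTES = 1024  # blog: files of 1 KB or less are discarded

# Constructed drive listings as (path, size_in_bytes); not real host data.
SAMPLE_DRIVES = {
    "C:": [
        (r"C:\Windows\System32\drivers\etc\hosts", 4096),
        (r"C:\Users\bob\Documents\report.docx", 40960),
        (r"C:\Users\bob\Desktop\tool.exe", 1_000_000),
        (r"C:\Users\bob\Documents\notes.txt", 1024),
        (r"C:\Users\bob\Desktop\shortcut.lnk", 2048),
    ],
    "D:": [
        (r"D:\bootmgr", 400_000),
        (r"D:\backups\db.bak", 52_428_800),
        (r"D:\photos\img001.jpg", 3_145_728),
    ],
}


def should_encrypt(path: str, size: int) -> bool:
    """Apply the whitelist and size checks; True means the file would be encrypted."""
    p = PureWindowsPath(path)
    folders = [part.lower() for part in p.parts[1:-1]]  # drop drive and file name
    if any(folder in WHITELIST_FOLDERS for folder in folders):
        return False
    if p.name.lower() in WHITELIST_FILES:
        return False
    if p.suffix.lower() in WHITELIST_EXTS:
        return False
    if size <= MIN_SIZE_BYTES:
        return False
    return True


def select_targets(entries) -> list:
    """Filter one drive's (path, size) listing down to encryption candidates."""
    return [path for path, size in entries if should_encrypt(path, size)]


def select_targets_per_drive(drives: dict) -> dict:
    """Mirror the one-thread-per-drive design: each drive is filtered in parallel."""
    with ThreadPoolExecutor(max_workers=max(1, len(drives))) as pool:
        results = list(pool.map(select_targets, drives.values()))
    return dict(zip(drives.keys(), results))


if __name__ == "__main__":
    for drive, targets in select_targets_per_drive(SAMPLE_DRIVES).items():
        print(drive, targets)
```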
Ransom Note:
Post Encryption:
Upon successful encryption, DarkRace deletes the event logs, kills tasks and deletes all of the files it dropped.
It uses the "taskkill" command, a Windows command-line tool for terminating running processes. Invoked with the image-name parameter, it forcefully terminates the named process.
Finally, it deletes the batch file and its own executable and forcibly restarts the system. Deleting the batch file and the executable is a common tactic used by ransomware operators to remove their traces and hinder analysis by security researchers.
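The post-encryption behaviour chain described above (taskkill by image name, shadow-copy deletion, event-log clearing, self-deleting batch file, forced restart) lends itself to a simple behavioural detection. The following is an added example, not detection content from the authors: it tags constructed process-creation events with the technique each command line exhibits and alerts on a host that shows several distinct techniques within a time window. The sample events are constructed, and the specific utilities assumed for shadow-copy deletion, log clearing and restart (vssadmin, wevtutil, shutdown) are assumptions, since the blog does not name the commands DarkRace runs.

```python
"""Behavioural detection for the DarkRace post-encryption chain (added example).

Events are constructed process-creation records; the vssadmin/wevtutil/shutdown
command lines are assumptions, as the blog names only taskkill explicitly.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProcEvent:
    ts: str        # ISO-8601 timestamp
    host: str
    parent: str    # parent image name
    cmdline: str   # full command line of the new process


# Constructed sample telemetry, not real host data. host1 shows the chain;
# host2 shows a lone administrative taskkill that should not alert.
SAMPLE_EVENTS = [
    ProcEvent("2023-06-01T10:00:01", "host1", "explorer.exe", r"C:\Users\bob\Downloads\invoice.exe"),
    ProcEvent("2023-06-01T10:00:02", "host1", "invoice.exe", "cmd.exe /c vssadmin delete shadows /all /quiet"),
    ProcEvent("2023-06-01T10:00:03", "host1", "invoice.exe", "taskkill /IM sqlservr.exe /F"),
    ProcEvent("2023-06-01T10:00:03", "host1", "invoice.exe", "taskkill /IM outlook.exe /F"),
    ProcEvent("2023-06-01T10:12:00", "host1", "cmd.exe", "wevtutil cl Security"),
    ProcEvent("2023-06-01T10:12:01", "host1", "cmd.exe", r"cmd.exe /c del /f /q C:\Users\bob\AppData\Local\Temp\clean.bat"),
    ProcEvent("2023-06-01T10:12:02", "host1", "cmd.exe", "shutdown /r /f /t 0"),
    ProcEvent("2023-06-01T10:05:00", "host2", "explorer.exe", "taskkill /IM notepad.exe /F"),
    ProcEvent("2023-06-01T10:06:00", "host2", "services.exe", "svchost.exe -k netsvcs"),
]

# One regex per technique; all are case-insensitive substring matches on cmdline.
RULES = {
    "taskkill_image": re.compile(r"\btaskkill(\.exe)?\b.*\s/im\s", re.I),
    "shadow_copy_delete": re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I),
    "eventlog_clear": re.compile(r"\bwevtutil(\.exe)?\b.*\bcl\b", re.I),
    "batch_self_delete": re.compile(r"\bdel\b.*\.bat\b", re.I),
    "forced_restart": re.compile(r"\bshutdown(\.exe)?\b(?=.*\s/r\b)(?=.*\s/f\b)", re.I),
}


def classify(ev: ProcEvent) -> set:
    """Return the set of technique names whose rule matches this command line."""
    return {name for name, rx in RULES.items() if rx.search(ev.cmdline)}


def score_hosts(events, window_minutes: int = 30, threshold: int = 3) -> dict:
    """Per host, find the largest set of distinct techniques seen inside any
    window of `window_minutes` and alert when it reaches `threshold`."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    results = {}
    for host, evs in by_host.items():
        tagged = sorted(
            ((datetime.fromisoformat(e.ts), classify(e)) for e in evs),
            key=lambda pair: pair[0],
        )
        best = set()
        for i, (t0, _) in enumerate(tagged):
            seen = set()
            for t, tags in tagged[i:]:
                if t - t0 > timedelta(minutes=window_minutes):
                    break
                seen |= tags
            if len(seen) > len(best):
                best = seen
        results[host] = {"techniques": sorted(best), "alert": len(best) >= threshold}
    return results


if __name__ == "__main__":
    for host, verdict in score_hosts(SAMPLE_EVENTS).items():
        print(host, "ALERT" if verdict["alert"] else "ok", verdict["techniques"])
```

The threshold matters more than any single rule: `taskkill /IM` on its own is routine administration, but three or more of these techniques from one host within half an hour is the footprint of a ransomware wrap-up, and the window should be tuned to how quickly the encryption phase completes in your environment.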
The integration of Lockbit’s techniques into DarkRace shows how cyber attackers are using proven methods to enhance their attacks and cause heightened damage. Such a combination of tactics could potentially lead to increased infections, compromised data and higher ransom demands. All this highlights the pressing need for robust cybersecurity measures, and the urgency of staying vigilant and proactive in the face of ever-evolving threats.
Indicators of Compromise (MD5):
CB1C423268B1373BDE8A03F36F66B495
1933FED76A030529B141D032C0620117
Co-Author:
Soumen Burma