As cyber threats continue to evolve, a new ransomware has been discovered bearing unmistakable similarities to another well-known ransomware variant, Lockbit.
It is noteworthy to point out that Lockbit’s source code was leaked around a year ago, making it possible for other threat actors to potentially develop new variants based on this. Therefore, the discovery of this new ransomware, referred to as ‘DarkRace’ demonstrates how cybercriminals leverage existing resources to create their own malicious software.
In this blog analysis, we delve into the intricate details of this clever integration and bring to light the technical specifics involved, as well as the potential implications for unsuspecting victims.
On initial execution, the DarkRace ransomware checks for the mutex name “CheckMutex.” In case it is not found, it creates a new one. This is used to avoid the reinfection.
After creating the Mutex it decrypts the XML format string with XORing with hardcoded value.
The XML Format string contains the following,
After decrypting the data, it deletes the shadow copies from the system, after which it retrieves the command from the decrypted data and executes it using the WinExec() API.
It then retrieves Services and Processes from the decrypted XML data with respect to XML tags as shown in the image below. This terminates processes and stops services.
The services are then disabled using Windows Service Control Manager (SCM) API function. Further, it retrieves the names of the processes and proceeds to terminate them by using the ‘Taskkill’ command.
Firstly, it enumerates the drives and then passes the thread further for the whitelisted folder, files and ext. If the content passes all checks, it gets encrypted.
Once the drives are obtained, they are enumerated based on their drive type. Subsequently, each drive is passed to a separate thread for further processing. The responsibility of this thread is to perform two checks:
It checks if the file size is less than equal to 1 KB, and discards them from further encryption process as shown in the images given below.
After checking the whitelisted files, extension and checks on file size, it then passes to the Encryption. Here, it uses Salsa 20 for File Encryption.
Upon successful encryption, DarkRace ransomware deletes event-logs, kills the tasks and deletes all the dropped files.
It uses the “taskkill” command, which is a Windows cmd-line tool that is used to terminate running processes. By using this command with the image name parameter, the ransomware forcefully terminates the process.
Finally, it deletes the bat-file, the executable and forcefully restarts the system. Deleting the bat file and executable is a common tactic employed by ransomware actors to remove its own traces and prevent analysis by security researchers.
The integration of Lockbit’s techniques into DarkRace shows how cyber attackers are using proven methods to enhance their attacks and cause heightened damage. Such a combination of tactics could potentially lead to increased infections, compromised data and higher ransom demands. All this highlights the pressing need for robust cybersecurity measures, and the urgency of staying vigilant and proactive in the face of ever-evolving threats.