{"id":91915,"date":"2023-08-18T15:57:23","date_gmt":"2023-08-18T10:27:23","guid":{"rendered":"https:\/\/blogs.quickheal.com\/?p=91915"},"modified":"2023-08-18T16:46:11","modified_gmt":"2023-08-18T11:16:11","slug":"darkrace-ransomware-a-deep-dive-into-its-techniques-and-impact","status":"publish","type":"post","link":"https:\/\/www.quickheal.com\/blogs\/darkrace-ransomware-a-deep-dive-into-its-techniques-and-impact\/","title":{"rendered":"DarkRace Ransomware: A Deep Dive into its Techniques and Impact"},"content":{"rendered":"

As cyber threats continue to evolve, a new ransomware has been discovered bearing unmistakable similarities to another well-known ransomware variant, Lockbit.<\/p>\n

It is noteworthy to point out that Lockbit\u2019s source code was leaked around a year ago, making it possible for other threat actors to potentially develop new variants based on this. Therefore, the discovery of this new ransomware, referred to as ‘DarkRace’ demonstrates how cybercriminals leverage existing resources to create their own malicious software.<\/p>\n

In this blog analysis, we delve into the intricate details of this clever integration and bring to light the technical specifics involved, as well as the potential implications for unsuspecting victims.<\/p>\n

Technical Analysis:<\/strong><\/h2>\n

On initial execution, the DarkRace ransomware checks for the mutex name \u201cCheckMutex.\u201d In case it is not found, it creates a new one. This is used to avoid the reinfection.<\/p>\n

\"\"
Fig1: Checking the Existing Mutex Object<\/em><\/figcaption><\/figure>\n
\"\"
Fig2: Decrypted XML Format String<\/em><\/figcaption><\/figure>\n

After creating the Mutex it decrypts the XML format string with XORing with hardcoded value.<\/p>\n

The XML Format string contains the following,<\/p>\n

    \n
  • A List of Extension, Folders And files to be Whitelisted.<\/li>\n
  • Services and Processes to be killed.<\/li>\n
  • Calls to delete the shadow copy.<\/li>\n
  • Ransom Note and an ICO.<\/li>\n<\/ul>\n
    \"\"
    Fig3: Content for XML Format String<\/em><\/figcaption><\/figure>\n

    After decrypting the data, it deletes the shadow copies from the system, after which it retrieves the command from the decrypted data and executes it using the WinExec() API.<\/p>\n

    \"\"
    Fig4: Deleting the Shadow Copy<\/em><\/figcaption><\/figure>\n

    It then retrieves Services and Processes from the decrypted XML data with respect to XML tags as shown in the image below. This terminates processes and stops services.<\/p>\n

    \"\"
    Fig5: Retrieves Services from the XML Data<\/em><\/figcaption><\/figure>\n

    The services are then disabled using Windows Service Control Manager (SCM) API function. Further, it retrieves the names of the processes and proceeds to terminate them by using the ‘Taskkill’ command.<\/p>\n

    \"\"
    Fig6: Uses Taskkill to kill the Process<\/em><\/figcaption><\/figure>\n

    Encryption Process:<\/strong><\/p>\n

    Firstly, it enumerates the drives and then passes the thread further for the whitelisted folder, files and ext. If the content passes all checks, it gets encrypted.<\/p>\n

    \"\"
    Fig7: Gets the Drives<\/em><\/figcaption><\/figure>\n

    Once the drives are obtained, they are enumerated based on their drive type. Subsequently, each drive is passed to a separate thread for further processing. The responsibility of this thread is to perform two checks:<\/p>\n

      \n
    1. File size<\/li>\n
    2. And file extension whitelisting<\/li>\n<\/ol>\n

      It checks if the file size is less than equal to 1 KB, and discards them from further encryption process as shown in the images given below.<\/p>\n

      \"\"
      Fig8: File Name and File Size Checks<\/em><\/figcaption><\/figure>\n
      \"\"
      Fig9: Checking for Whitelisted Files<\/em><\/figcaption><\/figure>\n
      \"\"
      Fig10: Checking for Whitelisted Extensions<\/em><\/figcaption><\/figure>\n

      After checking the whitelisted files, extension and checks on file size, it then passes to the Encryption. Here, it uses Salsa 20 for File Encryption.<\/p>\n

      \"\"
      Fig11: Encrypted Files with Extension \u201d1352FF327<\/em><\/figcaption><\/figure>\n

      Ransom Note:<\/strong><\/p>\n

      \"\"
      Fig 12: Ransom Note<\/em><\/figcaption><\/figure>\n

      Post Encryption:<\/strong><\/p>\n

      Upon successful encryption, DarkRace ransomware deletes event-logs, kills the tasks and deletes all the dropped files.<\/p>\n

      \"\"
      Fig13: Deleting the Event Logs<\/em><\/figcaption><\/figure>\n

      It uses the “taskkill” command, which is a Windows cmd-line tool that is used to terminate running processes. By using this command with the image name parameter, the ransomware forcefully terminates the process.<\/p>\n

      \"\"
      Fig14: Use of Taskkill<\/figcaption><\/figure>\n
      \"\"
      Fig15: Deleting the Files & Restarting the System<\/em><\/figcaption><\/figure>\n

      Finally, it deletes the bat-file, the executable and forcefully restarts the system. Deleting the bat file and executable is a common tactic employed by ransomware actors to remove its own traces and prevent analysis by security researchers.<\/p>\n

      Conclusion:<\/strong><\/h2>\n

      The integration of Lockbit\u2019s techniques into DarkRace shows how cyber attackers are using proven methods to enhance their attacks and cause heightened damage. Such a combination of tactics could potentially lead to increased infections, compromised data and higher ransom demands. All this highlights the pressing need for robust cybersecurity measures, and the urgency of staying vigilant and proactive in the face of ever-evolving threats.<\/p>\n

      Tips to prevent such kinds of attacks <\/strong><\/h3>\n
        \n
      • Regularly update your operating system, applications, and software to fix any known vulnerabilities that are often exploited by ransomware.<\/li>\n
      • Use security software that can protect the system from the latest threats.<\/li>\n
      • Be cautious with email attachments especially from unknown senders. Avoid clicking on suspicious links or downloading files from untrusted sources.<\/li>\n<\/ul>\n

        Quick Heal Protection:<\/strong><\/h3>\n
          \n
        • DarkRace.S230221325<\/li>\n<\/ul>\n

          IOCs:<\/strong><\/h3>\n

          CB1C423268B1373BDE8A03F36F66B495<\/p>\n

          1933FED76A030529B141D032C0620117<\/p>\n

           <\/p>\n

          Co-Author:<\/strong><\/p>\n

          Soumen Burma<\/strong><\/p>\n

           <\/p>\n","protected":false},"excerpt":{"rendered":"

          As cyber threats continue to evolve, a new ransomware has been discovered bearing unmistakable similarities to another well-known ransomware variant, Lockbit. It is noteworthy to point out that Lockbit\u2019s source code was leaked around a year ago, making it possible for other threat actors to potentially develop new variants based on this. Therefore, the discovery […]<\/p>\n","protected":false},"author":60,"featured_media":91931,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1660,24,1495,599,1191,1],"tags":[1851,1982,1361,1315,1362,1994,1923,50],"class_list":["post-91915","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-advisory","category-malware","category-nransomware","category-tech-2","category-tech-terms","category-uncategorized","tag-cyberrisks","tag-ransomware-cybersecurity","tag-antivirus","tag-antivirus-software","tag-cybercrime","tag-darkrace","tag-quickheal","tag-ransomware"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91915"}],"collection":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/users\/60"}],"replies":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/comments?post=91915"}],"version-history":[{"count":7,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91915\/revisions"}],"predecessor-version":[{"id":91968,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/posts\/91915\/revisions\/91968"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media\/91931"}],"wp:attachment":[{"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/media?parent=91915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/categories?post=91915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.quickheal.com\/blogs\/wp-json\/wp\/v2\/tags?post=91915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}