Dark 101 Ransomware: A Sophisticated Threat Utilizing Weaponized .NET Binary

A new and highly sophisticated ransomware variant, known as Dark 101, has surfaced, showcasing advanced evasion techniques and destructive capabilities that pose significant risks to organizations globally. This malware employs an obfuscated .NET binary to execute a multi-stage attack, systematically dismantling system recovery mechanisms to maximize damage and ensure persistence.

Infection Chain and Execution

Dark 101 initiates its attack with environmental detection, assessing the execution environment to evade analysis tools. It introduces deliberate delays when operating outside expected directories, complicating detection efforts. The malware then copies itself into the %AppData% folder, adopting the trusted filename svchost.exe to masquerade as a legitimate Windows system process. This tactic exploits user trust and the recognition patterns of security tools, since the genuine svchost.exe normally resides in C:\Windows\System32.

Disabling Recovery Mechanisms

One of Dark 101's most destructive capabilities is its systematic elimination of recovery options through targeted system commands and registry modifications. It executes commands such as vssadmin delete shadows /all /quiet, wmic shadowcopy delete, and wbadmin delete catalog -quiet, effectively removing Volume Shadow Copies and Windows Backup catalog entries. This action severs access to previous file versions and system image backups, hindering recovery efforts.

Simultaneously, the malware modifies the Windows Registry by setting the DisableTaskMgr value to 1 under the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System key. This change prevents users from accessing Task Manager, obstructing their ability to terminate malicious processes or monitor system activity. This registry modification demonstrates the ransomware’s understanding of user behavior patterns and its commitment to maintaining persistence throughout the encryption process.
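The three behaviours described above (an svchost.exe running outside System32, the shadow-copy and backup-catalog deletion commands, and the DisableTaskMgr registry change) are all visible in ordinary endpoint telemetry. The following is an added detection example written for this article; it is not Fortinet's code or anything from the analysed sample. The event records are constructed here in a Sysmon-like shape (Event ID 1 for process creation, Event ID 13 for registry value set), and the field names, the legitimate svchost.exe paths and the finding labels are assumptions of this example, not values from the write-up.

```python
"""Added detection example: flag Dark 101-style behaviour in constructed,
Sysmon-style telemetry records (process creation and registry value set)."""
import re
from typing import Dict, List

# Constructed sample events. Field names (id, image, cmdline, target, details)
# are an assumption of this example; map them to your own log schema.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"id": 1, "image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "cmdline": "svchost.exe"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"id": 1, "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},  # benign: listing, not deleting
    {"id": 13,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "details": "DWORD (0x00000001)"},
    {"id": 13,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"},
]

# The recovery-tampering commands quoted in the article. Matching on the verb
# and object (not the exact flags) catches minor argument variations.
RECOVERY_TAMPER = [
    re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I),
]

# Where a genuine svchost.exe lives on a default install (assumption of this
# example; the article names System32, SysWOW64 is the 32-bit counterpart).
LEGIT_SVCHOST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\syswow64\svchost.exe",
}

TASKMGR_VALUE = re.compile(r"\\policies\\system\\disabletaskmgr$", re.I)
DWORD_ONE = re.compile(r"0x0*1\)?$")  # Sysmon renders DWORDs as "DWORD (0x00000001)"


def classify(event: dict) -> List[str]:
    """Return the list of finding labels that apply to one event."""
    findings: List[str] = []
    if event["id"] == 1:
        image = event["image"].lower()
        # svchost.exe by name but not from a system directory (article: %AppData%)
        if image.endswith("\\svchost.exe") and image not in LEGIT_SVCHOST:
            findings.append("svchost_outside_system32")
        if any(p.search(event["cmdline"]) for p in RECOVERY_TAMPER):
            findings.append("shadow_copy_or_backup_deletion")
    elif event["id"] == 13:
        if TASKMGR_VALUE.search(event["target"]) and DWORD_ONE.search(event["details"]):
            findings.append("task_manager_disabled")
    return findings


def triage(events) -> Dict[str, int]:
    """Count findings across a batch of events."""
    counts: Dict[str, int] = {}
    for e in events:
        for label in classify(e):
            counts[label] = counts.get(label, 0) + 1
    return counts


def looks_like_dark101_chain(events) -> bool:
    """Two or more distinct findings on one host is a much stronger signal
    than any single one (legitimate admins do occasionally delete shadows)."""
    return len(triage(events)) >= 2


if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
    print("chain-like:", looks_like_dark101_chain(SAMPLE_EVENTS))
```

The single-event checks are deliberately narrow (a listing of shadow copies is not flagged, a genuine System32 svchost.exe is not flagged); the correlation in `looks_like_dark101_chain` is where the value lies, because the article's chain produces all three findings within one infection.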

File Encryption and Ransom Demand

Dark 101 targets user-accessible directories containing personal and sensitive data while avoiding critical system files that could cause system instability. Upon initiating encryption, the malware appends randomly generated four-character extensions to affected files. It then deploys ransom notes named read_it.txt across impacted directories, demanding a payment of $1,500 in Bitcoin for file decryption.
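The on-disk artefacts named above (read_it.txt notes and files carrying a random four-character extension on top of their original one) are what an incident responder sees first on an affected share. The following is an added triage example written for this article, not Fortinet's code; it builds a small constructed directory tree in a temporary folder and sweeps it. It assumes the random extension consists of four alphanumeric characters appended after the original extension, and the allowlist of legitimate four-letter extensions is a constructed starting point, not something the write-up provides.

```python
"""Added triage example: sweep a directory tree for Dark 101-style artefacts
(read_it.txt ransom notes and double extensions ending in four random chars)."""
import os
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

RANSOM_NOTE = "read_it.txt"  # note filename quoted in the article

# Legitimate four-character extensions to skip (assumption; extend for your estate).
KNOWN_4CHAR_EXT = {"docx", "xlsx", "pptx", "json", "yaml", "html", "jpeg",
                   "webp", "mpeg", "tiff", "toml", "conf"}

# Assumed shape of the appended extension: a dot plus four alphanumerics at the end.
RANDOM_EXT = re.compile(r"\.([a-z0-9]{4})$", re.I)


def is_suspect_name(name: str) -> bool:
    """True for 'report.docx.k3xq'-style names: an unknown four-char suffix
    appended on top of an existing extension. Requiring the double extension
    keeps ordinary files such as 'notes.txt' or 'photo.jpeg' out of the list."""
    m = RANDOM_EXT.search(name)
    if not m or m.group(1).lower() in KNOWN_4CHAR_EXT:
        return False
    return "." in Path(name).stem


def sweep(root: str) -> Dict[str, List[str]]:
    """Walk root and return directories holding a ransom note plus the
    files whose names look renamed by the encryptor (paths relative to root)."""
    note_dirs: List[str] = []
    suspect_files: List[str] = []
    for dirpath, _, filenames in os.walk(root):
        if RANSOM_NOTE in {f.lower() for f in filenames}:
            note_dirs.append(Path(os.path.relpath(dirpath, root)).as_posix())
        for name in filenames:
            if is_suspect_name(name):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                suspect_files.append(Path(rel).as_posix())
    return {"note_dirs": sorted(note_dirs), "suspect_files": sorted(suspect_files)}


def build_sample_tree() -> str:
    """Create a constructed tree in a temp dir mimicking a partly affected profile."""
    root = tempfile.mkdtemp(prefix="dark101_demo_")
    layout = {
        "Documents/report.docx.k3xq": "",
        "Documents/budget.xlsx.k3xq": "",
        "Documents/read_it.txt": "constructed note text",
        "Pictures/holiday.jpg.k3xq": "",
        "Pictures/read_it.txt": "constructed note text",
        "Pictures/untouched.jpeg": "",
        "Downloads/installer.msi": "",
        "Downloads/notes.txt": "",
    }
    for rel, content in layout.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root


def cleanup(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        print(sweep(demo_root))
    finally:
        cleanup(demo_root)
```

Because the article says the extension is random per victim, the sweep keys on the shape of the name rather than a fixed string; once a real incident reveals the actual suffix, tightening `RANDOM_EXT` to that literal value removes the remaining false positives.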

Detection and Analysis

Fortinet analysts identified Dark 101 through comprehensive behavioral analysis using FortiSandbox 5.0, which successfully captured the malware’s complete attack sequence despite its sophisticated evasion techniques. The researchers documented how the ransomware attempts to detect analysis environments by checking execution location and introducing deliberate delays when running outside expected directories.

Implications and Recommendations

The emergence of Dark 101 underscores the evolving sophistication of ransomware threats. Its ability to disable recovery mechanisms and evade detection highlights the need for robust cybersecurity measures. Organizations are advised to implement comprehensive backup strategies, regularly update security protocols, and educate employees on recognizing potential threats to mitigate the risk posed by such advanced malware.