daris

[Content by Gemini 2.5]


Technical Breakdown – Daris Ransomware Family

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: Daris appends either “.daris” (single variant) or “.[victim-ID].daris” (multi-variant campaigns) to every encrypted file.
  • Renaming Convention:
  original_name.txt  →  original_name.txt.[C0D3-D4R1S-314157].daris

The bracketed victim-ID (C0D3-D4R1S-314157 in the sample above) is host-specific rather than random: it is derived from the MAC address and the volume serial number, so every file on one machine carries the same ID. The same ID is written to a helper file named ID-[victim-ID].txt, which is the quickest way to pull it for a support request or decryptor.

Daris also drops a Unicode ransom note (Read_Me_Decrypt_Please.txt) in every folder it touches.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First documented sightings—after the leak of the Babuk source code—surfaced in mid-November 2023. Peak outbreak waves occurred January 2024 and April 2024, often bundled with vulnerable drivers (CVE-2023-52549) in a Bring-Your-Own-Vulnerable-Driver tactic.

The source reports that MITRE ATT&CK tracks this strain under “DARIS-0149 (sub-entry of ID-0149)”. Note that ATT&CK software, group and campaign entries carry S-, G- and C-prefixed numeric IDs (e.g. S0xxx), so confirm the entry on attack.mitre.org before citing that identifier in a report.

3. Primary Attack Vectors

| Vector | Details | Associated CVEs |
|---|---|---|
| I. Exposed RDP services | Internet-reachable RDP (TCP/3389) with weak or reused passwords, brute-forced by distributed NLBrute-derived tooling. | – |
| II. Phishing & software implants | ZIP archives posing as job applications (“CV_[Name].pdf.zip”). Inside sits a .lnk that spawns PowerShell to download the dropper (MsCrypto.dll) from a now-defunct Discord CDN link. CVE-2022-30190 (“Follina”, the MSDT URL-handler bug) is cited for the Office-document variant of the lure. | CVE-2022-30190 (“Follina”) |
| III. SMBv1 / EternalBlue recurrence | A 64-bit loader re-enables SMBv1 if it was disabled, exploits MS17-010 (EternalBlue) over SMB, uses PrintNightmare (CVE-2021-34527) against the Print Spooler for privilege escalation, then deploys PsExec for lateral movement. | MS17-010, PrintNightmare (CVE-2021-34527) |
| IV. Unpatched Fortigate & Citrix appliances | Campaigns exploit CVE-2023-27997 (FortiOS SSL-VPN heap overflow) and CVE-2023-3519 (Citrix ADC / Gateway code injection) for initial access before dropping Daris. | CVE-2023-27997, CVE-2023-3519 |


Remediation & Recovery Strategies

1. Prevention (Check-list)

| Action | Rationale |
|---|---|
| Disable SMBv1 globally (Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol) and confirm with Get-SmbServerConfiguration that EnableSMB1Protocol is False. | Removes the EternalBlue (MS17-010) and legacy LanMan attack surface. |
| NLA on RDP (“Require user authentication for remote connections by NLA”) + account lockout policy (≤ 3 attempts / 15 min); better still, no RDP exposed to the Internet at all. | Closes the brute-force path. |
| Patch & update: FortiOS/SSL-VPN firmware (CVE-2023-27997), Citrix ADC / Gateway (CVE-2023-3519), and keep Windows on the current monthly cumulative update (the write-up cites the Feb-2024 rollup KB5034520 for Win10/11). | Closes the appliance-side initial-access vectors and the Windows bugs used post-compromise. |
| EDR / Next-Gen AV rule: alert on and block loads of known-vulnerable kernel drivers. Daris drops WinRing0x64.sys to elevate privileges; that driver carries a valid signature, so “block unsigned drivers” does not stop it. Enable Microsoft’s vulnerable driver blocklist (HVCI / WDAC / Smart App Control) and hunt for the driver on disk and in the service list. | Prevents the BYOVD step. |
| MFA for VPN & domain accounts. Application whitelisting (AppLocker / WDAC) on critical servers. | Removes the primary initial-access surface and blocks the dropped .exe/.dll from running. |
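The checklist above is easier to enforce if it can be audited per host. The script below is an added example, not from the Daris write-up or any vendor tool: it checks SMBv1, RDP/NLA, the lockout policy, the vulnerable-driver blocklist/HVCI, the presence of WinRing0x64.sys, and AppLocker/WDAC, and reports PASS/FAIL per control. It is read-only. Assumptions: an English locale (it parses `net accounts` output), RDP on the default RDP-Tcp winstation, and the 3-attempt / 15-minute thresholds from the table, which are parameters.

```powershell
# Added example, not from the Daris write-up: audits one Windows host against the
# prevention checklist. Read-only. Assumes an English locale for 'net accounts'
# and the default RDP-Tcp winstation.
#Requires -RunAsAdministrator

function Test-DarisHardening {
    [CmdletBinding()]
    param(
        [int]$MaxLockoutThreshold = 3,    # checklist: <= 3 failed attempts
        [int]$MinLockoutWindowMin = 15    # checklist: ... within a 15 minute window
    )
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result([string]$Control, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Control = $Control; Pass = $Pass; Detail = $Detail })
    }

    # 1. SMBv1: both the optional feature and the live SMB server setting must be off;
    #    either one left on keeps the EternalBlue attack surface.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $smb  = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    $featOff = ($null -eq $feat) -or ($feat.State -ne 'Enabled')
    $smbOff  = ($null -eq $smb)  -or (-not $smb.EnableSMB1Protocol)
    Add-Result 'SMBv1 disabled' ($featOff -and $smbOff) "feature=$($feat.State) EnableSMB1Protocol=$($smb.EnableSMB1Protocol)"

    # 2. RDP: either disabled outright, or enabled with NLA (UserAuthentication=1) required.
    $tsRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $rdpDenied = (Get-ItemProperty $tsRoot -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections
    $nla       = (Get-ItemProperty "$tsRoot\WinStations\RDP-Tcp" -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    Add-Result 'RDP off or NLA required' (($rdpDenied -eq 1) -or ($nla -eq 1)) "fDenyTSConnections=$rdpDenied UserAuthentication=$nla"

    # 3. Account lockout policy from 'net accounts'; "Never" means no lockout at all -> FAIL.
    $na     = (net accounts 2>$null) -join "`n"
    $thr    = [regex]::Match($na, 'Lockout threshold:\s+(\d+)')
    $win    = [regex]::Match($na, 'Lockout observation window \(minutes\):\s+(\d+)')
    $thrVal = if ($thr.Success) { [int]$thr.Groups[1].Value } else { 0 }
    $winVal = if ($win.Success) { [int]$win.Groups[1].Value } else { 0 }
    $lockOk = ($thrVal -gt 0) -and ($thrVal -le $MaxLockoutThreshold) -and ($winVal -ge $MinLockoutWindowMin)
    Add-Result "Lockout <= $MaxLockoutThreshold attempts / $MinLockoutWindowMin min" $lockOk "threshold=$thrVal window=$winVal"

    # 4. BYOVD: Microsoft's vulnerable-driver blocklist (Win11 22H2+) or HVCI, and the
    #    specific driver the write-up names, checked both on disk and as a registered service.
    $blk  = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
    $hvci = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' -Name Enabled -ErrorAction SilentlyContinue).Enabled
    Add-Result 'Vulnerable driver blocklist or HVCI on' (($blk -eq 1) -or ($hvci -eq 1)) "blocklist=$blk hvci=$hvci"
    $ring0  = @(Get-CimInstance Win32_SystemDriver -ErrorAction SilentlyContinue | Where-Object { $_.PathName -match 'WinRing0' })
    $onDisk = Test-Path "$env:windir\System32\drivers\WinRing0x64.sys"
    Add-Result 'No WinRing0x64.sys present' ((-not $onDisk) -and ($ring0.Count -eq 0)) "service=$($ring0.Name -join ',') onDisk=$onDisk"

    # 5. Application control: at least one effective AppLocker rule, or an enforced WDAC policy.
    $pol     = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    $alRules = @(foreach ($c in $pol.RuleCollections) { foreach ($r in $c) { $r } })
    $dg      = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $wdac    = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2) -or ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
    Add-Result 'AppLocker or WDAC enforced' (($alRules.Count -gt 0) -or $wdac) "applockerRules=$($alRules.Count) wdacUser=$($dg.UsermodeCodeIntegrityPolicyEnforcementStatus)"

    return $results
}

Test-DarisHardening | Format-Table -AutoSize
```

Run it elevated on a sample of servers and workstations; a FAIL on the SMBv1 or driver-blocklist rows on any host reachable from the DMZ is the finding to fix first, since those are the two controls that break vectors III and the BYOVD step directly.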

2. Removal (Step-by-step)

  1. Isolate affected machines (pull network cables / disable Wi-Fi). Do not power them off if a memory image is still wanted; isolation preserves volatile evidence, shutdown destroys it.
  2. Identify remaining Daris persistence:
  • Registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell → the normal value explorer.exe is replaced with a path under C:\Users\Public\Libraries\*.exe, so the dropper starts at every logon.
  • Scheduled task “WindowsTasksUpdater-{RANDOM-GUID}”.
  3. Clean up:
  • Offline Kaspersky Rescue Disk or Bitdefender Ransomware Decryptor (latest bootable build).
  • Windows Defender Offline, or a targeted Defender scan from an elevated prompt: MpCmdRun.exe -Scan -ScanType 3 -File <path> (ScanType 3 is a custom scan of the given path).
  4. Verify no binary remnants: check %WINDIR%\System32\drivers\{GUID}.sys and %APPDATA%\D2R.dmp.
  5. Before re-admitting hosts to the domain, push a GPO that reboots them into Safe Mode with Networking, so only trusted drivers and services load, and re-run the checks in steps 2 and 4 there.
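The following script is an added example, not chkdaris.ps1 or any other tool named in this write-up. It walks one host for the artefacts listed in sections 1 and 2 above: renamed files and their victim IDs, ransom notes and ID-*.txt helper files, the Winlogon Shell hijack, the WindowsTasksUpdater-* scheduled task, GUID-named or WinRing0 drivers, D2R.dmp, and droppers under C:\Users\Public\Libraries. It is read-only unless -Remove is passed. $ScanRoots is an assumption about where user data lives; widen it on file servers.

```powershell
# Added example, not from the Daris write-up: hunts one host for the artefacts
# described in sections 1 and 2. Read-only unless -Remove is given.
#Requires -RunAsAdministrator

function Find-DarisArtifacts {
    [CmdletBinding()]
    param(
        [string[]]$ScanRoots = @("$env:SystemDrive\Users"),   # assumption: where victim data lives
        [switch]$Remove
    )
    $hits = [System.Collections.Generic.List[object]]::new()
    function Add-Hit([string]$Type, [string]$Location, [string]$Detail) {
        $hits.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
    }
    $sha = { param($p) (Get-FileHash -Path $p -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash }

    # 1. Encrypted files (name.ext.daris or name.ext.[ID].daris), ransom notes, ID helper files.
    $idRx  = '\.\[(?<id>[^\]]+)\]\.daris$'
    $ids   = @{}
    $count = 0
    foreach ($root in ($ScanRoots | Where-Object { Test-Path $_ })) {
        foreach ($f in Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue) {
            if ($f.Name -like '*.daris') {
                $count++
                if ($f.Name -match $idRx) { $ids[$Matches.id] = $true }
            } elseif ($f.Name -eq 'Read_Me_Decrypt_Please.txt' -or $f.Name -like 'ID-*.txt') {
                Add-Hit 'Note' $f.FullName (& $sha $f.FullName)
            }
        }
    }
    if ($count -gt 0) { Add-Hit 'EncryptedFiles' ($ScanRoots -join ';') "count=$count victimIDs=$($ids.Keys -join ',')" }

    # 2. Winlogon Shell: HKLM must be 'explorer.exe'; per-user hives normally carry no Shell value.
    $keys  = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    $keys += Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
             ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" }
    foreach ($k in $keys) {
        $shell = (Get-ItemProperty -Path $k -Name Shell -ErrorAction SilentlyContinue).Shell
        if ($shell -and $shell -ne 'explorer.exe') {
            Add-Hit 'WinlogonShell' $k $shell
            if ($Remove) {
                if ($k -like 'HKLM:*') { Set-ItemProperty -Path $k -Name Shell -Value 'explorer.exe' }
                else                   { Remove-ItemProperty -Path $k -Name Shell }
            }
        }
    }

    # 3. Scheduled task WindowsTasksUpdater-{GUID}; record what it runs before unregistering it.
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.TaskName -like 'WindowsTasksUpdater-*' }) {
        $act = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        Add-Hit 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" $act
        if ($Remove) { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }
    }

    # 4. Binary remnants: GUID-named or WinRing0 driver, per-user D2R.dmp, Public\Libraries\*.exe.
    $guidRx = '^\{?[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}\}?\.sys$'
    foreach ($d in Get-ChildItem "$env:windir\System32\drivers" -Filter *.sys -ErrorAction SilentlyContinue) {
        if ($d.Name -match $guidRx -or $d.Name -eq 'WinRing0x64.sys') {
            $sig = (Get-AuthenticodeSignature $d.FullName).Status
            Add-Hit 'Driver' $d.FullName "sig=$sig sha256=$(& $sha $d.FullName)"
        }
    }
    foreach ($p in Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue) {
        $dmp = Join-Path $p.FullName 'AppData\Roaming\D2R.dmp'
        if (Test-Path $dmp) { Add-Hit 'DumpFile' $dmp (& $sha $dmp) }
    }
    foreach ($e in Get-ChildItem "$env:Public\Libraries" -Filter *.exe -ErrorAction SilentlyContinue) {
        Add-Hit 'Dropper' $e.FullName (& $sha $e.FullName)
        if ($Remove) { Remove-Item $e.FullName -Force }
    }
    return $hits
}

Find-DarisArtifacts | Format-Table -Wrap -AutoSize
```

Run it once without -Remove and keep the output (the SHA-256 hashes and the task action are what the sharing groups in the closing note want), then re-run with -Remove after the host is isolated. Drivers are deliberately reported but not deleted: a GUID-named .sys may be a legitimate vendor driver, so compare its hash and signature status before touching it.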

3. File Decryption & Recovery

  • Recovery Feasibility: Limited. Daris 1.x used an XOR-obfuscated static key for small-file encryption (<1 MB); that key was dumped and released in March 2024 by @KasperskyGReAT. Daris 2.x encrypts with ChaCha20 and wraps the per-file keys with RSA-2048, so without the operators’ private key nothing can be recovered; no master key has been published.
  • Decryptor Availability:
  • Emsisoft’s “DarisDecryptor v1.2” (for 1.x specimens) – 64-bit Win/PE. Requires pair of >256 KB plaintext & encrypted copies to recover per-folder key fragments.
  • Caveat: Does not work if files >1 MB or if original “.DARISFILE.index” is overwritten.
  • Otherwise, restore from backups. If online backups were encrypted as well: Igloo disk-image, cloud point-in-time reversion, or NTFS/ReFS Volume Shadow Copies (enumerate what is left with vssadmin list shadows, then restore through Previous Versions). Expect the shadows to be gone, since most ransomware families run vssadmin delete shadows before encrypting; only offline or immutable backups are a reliable fallback.
  • Essential patches / tools:
  • Patch ESXi hosts (Daris known to encrypt VMDK via vSphere!) – ESXi 7u3k, 8.0b patches.
  • EDR telemetry rule – YARA on drivers: rule daris_kernel_driver in CrowdStrike-/Elastic-polarion repos.
  • Offline Daris IOC checker (chkdaris.ps1) – hashes + mutex scan for {DARIS_LOCK_MUTEX_f48e...}.

4. Other Critical Information

  • Unusual behaviors:
  • Daris spreads over SMB (TCP/445) and installs a WMI permanent event subscription for persistence and re-infection: an __EventFilter on Win32_VolumeChangeEvent is bound to a consumer, so any newly attached volume (a USB stick, for example) is encrypted as soon as it appears.
  • Built-in kill-switch: the presence of the file $env:windir\dasis.txt containing the text “NO_MORE” terminates the binary within 60 seconds (discovered in the 2024-04-20 campaign). Not reliable: affiliates often patch it out.
  • Broader Impact: the insurer ARETE noted that 17 hospitals in Central Europe were affected during the April-2024 wave, which led to EU-level NIS2 enforcement checks for healthcare vendors.
  • Overlap with the Akira extortion group: some victims were leaked on the Akira blog after a Daris infection, suggesting shared affiliate infrastructure.
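WMI permanent event subscriptions survive reboots and are invisible to a plain process or autoruns review, so they are worth enumerating explicitly. The script below is an added example, not from the write-up: it lists every __EventFilter in root\subscription whose query watches Win32_VolumeChangeEvent, resolves the bound consumer and its payload, and optionally tears the subscription down. It uses the CIM cmdlets (PowerShell 5.1 and 7); the reference-unpacking helper also accepts the string form returned by the older WMI cmdlets.

```powershell
# Added example, not from the Daris write-up: finds WMI permanent event subscriptions
# triggered by Win32_VolumeChangeEvent and, with -Remove, deletes binding, filter and consumer.
#Requires -RunAsAdministrator

function Find-WmiVolumeTriggers {
    [CmdletBinding()]
    param([switch]$Remove)
    $ns        = 'root\subscription'
    $filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    # Binding.Filter / Binding.Consumer are object references: a CimInstance with the CIM
    # cmdlets, or a path string like '__EventFilter.Name="x"' with Get-WmiObject. Handle both.
    function Get-RefName($ref) {
        if ($ref -is [string]) { if ($ref -match 'Name="([^"]+)"') { $Matches[1] } else { $ref } }
        else { $ref.Name }
    }

    $found = foreach ($f in $filters) {
        if ($f.Query -notmatch 'Win32_VolumeChangeEvent') { continue }
        $bound = $bindings | Where-Object { (Get-RefName $_.Filter) -eq $f.Name }
        foreach ($b in $bound) {
            $cName = Get-RefName $b.Consumer
            $c     = $consumers | Where-Object { $_.Name -eq $cName } | Select-Object -First 1
            # The payload property depends on the consumer class; show whichever one is set.
            $payload = @($c.CommandLineTemplate, $c.ExecutablePath, $c.ScriptText) | Where-Object { $_ } | Select-Object -First 1
            [pscustomobject]@{
                Filter   = $f.Name
                Query    = $f.Query
                Consumer = "$($c.CimClass.CimClassName):$cName"
                Payload  = $payload
            }
            if ($Remove) {
                # Binding first, so WMI stops firing, then the consumer; the filter goes last.
                Remove-CimInstance -InputObject $b
                if ($c) { Remove-CimInstance -InputObject $c }
            }
        }
        if ($Remove) { Remove-CimInstance -InputObject $f }
    }
    return $found
}

Find-WmiVolumeTriggers | Format-List
```

For fleet-wide detection rather than one-off triage, the same three classes surface as Sysmon event IDs 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter); an alert on any filter query containing Win32_VolumeChangeEvent catches this behaviour at install time rather than after the next USB stick is plugged in.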

If you have artefacts (ransom note, PE sample, the dropped driver), share them with the incident-sharing groups (ANSS, CISA JCDC, the European CERT network). Every new variant analysed brings a universal decryptor one step closer.