darkness

[Content by Gemini 2.5]

Ransomware Intelligence Report – “.darkness”


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: The ransomware appends “.darkness” to every encrypted file. Example: Annual_Report.xlsx → Annual_Report.xlsx.darkness
  • Renaming Convention:
    • The original filename remains untouched (only the suffix .darkness is added).
    • Files are NOT renamed into hexadecimal strings; full folder paths and names are preserved, which makes inventory quicker but makes backups critical.

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: First samples observed in late November 2022, with major spikes via phishing campaigns in February and August 2023. Subsequent variants appeared sporadically through Q2-2024.

3. Primary Attack Vectors

  • Propagation Mechanisms:
  1. Phishing e-mails – bookkeeping, invoice, or tax-themed Office macros (.docm, .xlsm). The macros download a signed PowerShell loader that fetches the .darkness payload.
  2. RDP & SMB brute-force – Scans TCP/445, 3389 for weak credentials or prior compromise. Internally it re-uses Mimikatz output to escalate.
  3. Vulnerability Exploits – Known to exploit:
    • Log4Shell CVE-2021-44228
    • ProxyLogon CVE-2021-26855/26857
    • Confluence OGNL CVE-2022-26134
    • SMBv1 EternalBlue (MS17-010), an older misconfiguration, seen only in pre-Jan-2023 samples.
  4. Malicious ads / cracked software – Fake game hacks and Adobe cracks on Discord & Telegram channels.
  5. Supply-chain side-loading – A few campaigns leveraged legitimate updaters dropping a rogue DLL that launches the payload.

Remediation & Recovery Strategies:

1. Prevention

  • Proactive Measures:
  • Patch all public-facing software (Exchange, Confluence, VPN appliances, Log4j2, Windows).
  • Disable or restrict RDP; use RDP Gateway + MFA, enforce NLA & IP allow-lists.
  • Harden SMB: remove SMBv1, enable SMB signing, and block port 445 egress.
  • Disable Office macros from the internet (Group Policy, or switch to “Block macros from running in Office files from the Internet”).
  • E-mail filtering: quarantine attachments containing macro-enabled files or base64-encoded scripts.
  • Application allow-listing (Windows Defender ASR rules / WDAC / AppLocker).
  • Offline, immutable, daily backups (WORM, tape, or cloud + MFA + versioning).
  • Deploy endpoint detection & response (EDR) with behavioral rules that trigger on:
    • Large-scale file renaming with .darkness extension.
    • VSSAdmin shadow-copy deletion.
    • Execution of darkness.exe signed with stolen certs (SHA256: 0a9d4…).
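The EDR behaviours above (bulk renaming to .darkness, shadow-copy deletion, the darkness.exe binary) and the cipher /w free-space wipe and encoded-PowerShell launches mentioned later in this report can be expressed as a small detection routine. The following is an added example, not code from the report or from any EDR vendor: the events are constructed Sysmon-style records (Event ID 1 process creation, Event ID 11 file create/rename), the field names, thresholds and rule names are assumptions, and because the report only gives a truncated SHA256 for darkness.exe the binary is matched by file name rather than by hash.

```python
"""Toy EDR-style detector for the .darkness behaviours this report lists.
Added example: the events below are constructed Sysmon-like records (Event ID 1 =
process creation, Event ID 11 = file create/rename), not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

ENCRYPTED_SUFFIX = ".darkness"          # extension named in the report
SUSPECT_IMAGES = {"darkness.exe"}       # binary name from the report; production rules
                                        # should match the signing cert / full SHA256,
                                        # which the report truncates, so none is used here
TS_FMT = "%Y-%m-%d %H:%M:%S"


def rule_mass_rename(events, window_seconds=60, threshold=20):
    """Alert when one host creates >= threshold *.darkness files inside any
    sliding window of window_seconds (bulk-encryption signature)."""
    by_host = defaultdict(list)
    for e in events:
        if e["event_id"] == 11 and e["target"].lower().endswith(ENCRYPTED_SUFFIX):
            by_host[e["host"]].append(datetime.strptime(e["ts"], TS_FMT))
    alerts = []
    for host, times in by_host.items():
        times.sort()
        best = start = 0
        for end in range(len(times)):
            while times[end] - times[start] > timedelta(seconds=window_seconds):
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"rule": "mass_rename_darkness", "host": host, "count": best})
    return alerts


def rule_process_creation(events):
    """Alert on the command lines the report associates with .darkness."""
    alerts = []
    for e in events:
        if e["event_id"] != 1:
            continue
        image = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmdline"].lower()
        tokens = cmd.split()
        rule = None
        if image == "vssadmin.exe" and "delete shadows" in cmd:
            rule = "shadow_copy_deletion"          # vssadmin delete shadows /all /quiet
        elif image == "cipher.exe" and any(t.startswith("/w:") for t in tokens):
            rule = "free_space_wipe"               # cipher /w:<drive>
        elif image in SUSPECT_IMAGES:
            rule = "known_ransomware_binary"
        elif image in ("powershell.exe", "pwsh.exe") and \
                ({"-enc", "-encodedcommand"} & set(tokens)):
            rule = "encoded_powershell"
        if rule:
            alerts.append({"rule": rule, "host": e["host"], "cmdline": e["cmdline"]})
    return alerts


def detect(events, **rename_kwargs):
    return rule_mass_rename(events, **rename_kwargs) + rule_process_creation(events)


def build_sample_events():
    """Constructed telemetry: benign saves on HOST-B, a simulated outbreak on HOST-A."""
    base = datetime(2023, 8, 14, 9, 30, 0)

    def ts(sec):
        return (base + timedelta(seconds=sec)).strftime(TS_FMT)

    def proc(sec, image, cmdline):
        return {"ts": ts(sec), "host": "HOST-A", "event_id": 1,
                "image": image, "cmdline": cmdline}

    ev = [{"ts": ts(i * 40), "host": "HOST-B", "event_id": 11,
           "target": f"C:\\Users\\bob\\Documents\\memo{i}.docx"} for i in range(3)]
    # 30 files gain the .darkness suffix within ten seconds on HOST-A
    ev += [{"ts": ts(i // 3), "host": "HOST-A", "event_id": 11,
            "target": f"C:\\Shares\\Finance\\report{i}.xlsx.darkness"} for i in range(30)]
    ev += [
        proc(12, r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
        proc(13, r"C:\Windows\System32\cipher.exe", "cipher /w:c:"),
        proc(5, r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\darkness.exe", "darkness.exe"),
        proc(4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
             "powershell.exe -enc SQBFAFgA"),   # constructed, meaningless base64
    ]
    return ev


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

The rename rule counts events in a sliding window per host rather than per process, because the report notes that the malware spreads with PsExec/WMIC and a single host may see several encrypting processes; tune `threshold` and `window_seconds` against a baseline of normal file-server churn before enabling it in blocking mode.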

2. Removal

  • Infection Cleanup (Kill-chain reversal):
  1. Isolate the host at the network level (VLAN quarantine or physical cable).
  2. Boot into Windows Safe Mode with Networking (or a live-rescue OS).
  3. Identify persistence:
    • Scheduled task: \Microsoft\Windows\UpdateOrchestrator\kernel_reminder
    • Registry Run keys: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\DarknessMain
  4. Terminate any remaining darkness.exe, lsassdump.exe, or powershell.exe -enc … processes.
  5. Remove malicious files: %AppData%\Roaming\Microsoft\Windows\darkness.exe, %Temp%\pslaunch[random].ps1.
  6. Delete the scheduled task(s) and registry entries (backup registry first).
  7. Patch and reboot.
  8. Run a full AV/EDR scan to verify elimination.
  9. Investigate lateral movement (logs, RDP, SMB sessions) and reset domain passwords.

3. File Decryption & Recovery

  • Recovery Feasibility:
  • No official decryptor has been released (AES-256 + RSA-2048, with key pairs generated per campaign).
  • A free decryptor MAY appear only if reputable security researchers seize the master keys, as happened with Conti and Babuk (not yet for .darkness).
  • Immediate action:
    • Check id.txt or README.darkness on infected systems. If the ransom note explicitly mentions a ‘Negotiation Trial’, be aware that some affiliates push a “test decryption” but do NOT hand over real keys.
    • Submit the ransom note (including the attacker’s contact e-mail) from the ransom page to www.nomoreransom.org, or upload one encrypted file together with its unencrypted original to ID-Ransomware, so you are notified of any tool release.
  • Essential Tools/Patches:
  • Patch bundle (EternalBlue): [MS17-010 Security Update]
  • Log4Shell fixes: [Apache Log4j 2.12.4 / 2.17.1]
  • NoDecrypt-v1.2 checker (validates if current .darkness build uses precomputed keys).
  • Offline backup restore utilities (e.g., Veeam SureBackup, Microsoft Azure Immutable Blob Storage).
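Because the malware only appends a suffix and leaves paths intact (see the renaming convention above), recovery planning can start with a straight mapping from each encrypted file back to its original relative path, checked against the offline backup, which also yields the encrypted/original pair that ID-Ransomware asks for. The following is an added example, not code from the report or from any of the tools named above; the directory layout is constructed in a temporary folder and the ransom-note file names come from this report.

```python
"""Recovery inventory (added example): because .darkness only appends a suffix and
keeps paths intact, every encrypted file can be mapped straight back to its original
relative path and checked against an offline backup. The directory layout below is
constructed in a temp dir; it is not data from a real incident."""
import tempfile
from pathlib import Path

SUFFIX = ".darkness"
NOTE_NAMES = {"id.txt", "README.darkness"}   # ransom-note names given in the report


def original_relpath(rel):
    """Strip the appended suffix; the original file name is otherwise untouched."""
    return rel.with_name(rel.name[:-len(SUFFIX)])


def inventory(encrypted_root, backup_root):
    """Classify every file under encrypted_root as restorable-from-backup,
    missing-from-backup, untouched (never encrypted) or a ransom note."""
    enc, bak = Path(encrypted_root), Path(backup_root)
    result = {"restorable": [], "missing": [], "untouched": [], "notes": []}
    for path in enc.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(enc)
        if path.name in NOTE_NAMES:
            result["notes"].append(rel.as_posix())
        elif path.name.endswith(SUFFIX):
            orig = original_relpath(rel)
            bucket = "restorable" if (bak / orig).is_file() else "missing"
            result[bucket].append(orig.as_posix())
        else:
            result["untouched"].append(rel.as_posix())
    return {k: sorted(v) for k, v in result.items()}


def submission_pair(encrypted_root, backup_root):
    """Pick one encrypted file plus its clean original for an ID-Ransomware
    upload; returns None when the backup holds no matching original."""
    inv = inventory(encrypted_root, backup_root)
    if not inv["restorable"]:
        return None
    orig = Path(inv["restorable"][0])
    return (Path(encrypted_root) / orig.with_name(orig.name + SUFFIX),
            Path(backup_root) / orig)


def build_sample_trees():
    """Constructed share after encryption, plus a partial offline backup."""
    root = Path(tempfile.mkdtemp(prefix="darkness_demo_"))
    share, backup = root / "share", root / "backup"
    files = {
        share / "Finance/Annual_Report.xlsx.darkness": b"\x00constructed ciphertext",
        share / "Finance/Q2/Budget.docx.darkness": b"\x00constructed ciphertext",
        share / "HR/Handbook.pdf.darkness": b"\x00constructed ciphertext",
        share / "Finance/notes.txt": b"plain text the malware skipped",
        share / "README.darkness": b"constructed ransom note",
        backup / "Finance/Annual_Report.xlsx": b"clean copy",
        backup / "HR/Handbook.pdf": b"clean copy",
        # no backup of Finance/Q2/Budget.docx: it will be reported as missing
    }
    for path, body in files.items():
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(body)
    return share, backup


if __name__ == "__main__":
    share, backup = build_sample_trees()
    for bucket, names in inventory(share, backup).items():
        print(f"{bucket:10} {names}")
    print("submit:", submission_pair(share, backup))
```

The "missing" list is the real output of this exercise: it is the set of files for which the only remaining hope is a future decryptor, so those encrypted copies should be retained on immutable storage rather than wiped during cleanup.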

4. Other Critical Information

  • Additional Precautions:
  • .darkness kills shadow copies (vssadmin delete shadows /all /quiet) and removes free-space snapshots (cipher /w:c:).
  • Known to exfiltrate credential stores (ntds.dit, SAM, browser databases) via PowerShell Invoke-WebRequest to attacker C2 (AWS S3 or Alibaba OSS).
  • The malware self-propagates via PsExec & WMIC to remote machines once domain credentials have been harvested.
  • Embedded anti-forensics: clears Windows event log entries for IDs 4624 (logon) and 4688 (process creation) and replaces crash dumps with junk data.
  • Broader Impact:
  • Manufacturing & logistics SMEs hardest hit – reported average downtime of 7–10 days when backups were absent.
  • Dual extortion variant posts victim data on a Tor leak site “publeaks[.]fail” after a 72-hour countdown.
  • Notable uptake by a mid-tier affiliate known as “BloodyTuesday,” who publishes spreadsheets of leaked data for competitive bidding.

Summary Checklist

| Action | Deadline | Owner |
|------------------------------|-----------|------------|
| Validate backups offline | Today | CTO/SOC |
| Deploy MS January 2023 patch | 24 h | Patch mgmt |
| Force Office macro blocklist | 2 days | GPO team |
| Enable EDR rules “.darkness” | Now | SOC |
| Review RDP & VPN logs | 1 week | IR team |


Share this intel with peer networks. If a free decryptor becomes available, Nomoreransom.org will be the first to host it. Until then—patch aggressively and back up immutably.