darkset

[Content by Gemini 2.5]


Ransomware Profile: DARKSET-DARKENCRYPTOR


Technical Breakdown:

1. File Extension & Renaming Patterns

  • Confirmation of File Extension: .darkset
  • Renaming Convention:
    Victim files are renamed by appending the lowercase extension .darkset to the original file name without altering the base name itself (e.g., 2024-budget.xlsx → 2024-budget.xlsx.darkset).
    A desktop wallpaper bitmap (darkset_wallpaper.bmp) is automatically created in %PUBLIC%\Pictures and is set as the new desktop background.
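The renaming rule above is simple enough to turn into a triage helper. The following PowerShell is an added example (not part of the profile): it walks a directory tree, reports every file carrying the appended .darkset extension together with its recovered pre-encryption name and type, and checks for the wallpaper artifact in %PUBLIC%\Pictures. The root path D:\Shares in the usage lines is an assumption; substitute the share or volume under investigation.

```powershell
# Added example, not from the profile: size the blast radius before touching anything.
function Find-DarksetFiles {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,      # directory tree to inspect (assumed readable by the caller)
        [string] $Extension = '.darkset'             # appended extension, per the profile
    )

    # The profile says the extension is lowercase; match case-insensitively anyway so a
    # variant that changes only the case does not slip past a scan on a case-insensitive FS.
    $hits = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name.EndsWith($Extension, [System.StringComparison]::OrdinalIgnoreCase) }

    foreach ($f in $hits) {
        # The malware only appends, so stripping the last extension recovers the original name.
        $original = [System.IO.Path]::GetFileNameWithoutExtension($f.Name)
        [pscustomobject]@{
            EncryptedPath = $f.FullName
            OriginalName  = $original
            OriginalType  = [System.IO.Path]::GetExtension($original).ToLowerInvariant()
            SizeBytes     = $f.Length
            LastWriteUtc  = $f.LastWriteTimeUtc   # approximates when this file was encrypted
        }
    }
}

# Wallpaper artifact named in the profile; its presence is a cheap confirmation of this family.
function Test-DarksetWallpaper {
    $path = Join-Path $env:PUBLIC 'Pictures\darkset_wallpaper.bmp'
    [pscustomobject]@{ Path = $path; Present = (Test-Path -LiteralPath $path) }
}

# Usage (assumed path): what was hit, by original file type, and the earliest write time,
# which bounds the start of the encryption run for the timeline.
$files = Find-DarksetFiles -Root 'D:\Shares'
$files | Group-Object OriginalType | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
($files | Measure-Object LastWriteUtc -Minimum).Minimum
Test-DarksetWallpaper
```

The earliest LastWriteUtc is only a lower bound on the encryption start: the file system records the last write, so files touched again later (or restored and re-encrypted) will report a later time.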

2. Detection & Outbreak Timeline

  • Approximate Start Date/Period: The first confirmed public samples and victim reports appeared mid-January 2024 (campaign tag “DarkInfiltrate2024”). Activity peaked in March 2024 with a second wave that exploited the then-newly-discovered CVE-2024-21412 (Windows Defender SmartScreen bypass).

3. Primary Attack Vectors

| Vector | Details | Notable Methods / CVEs |
|---|---|---|
|Malicious e-mail attachments|ZIP or IMG files with polymorphic LNK/ISO droppers, often themed “Tax Season Irregularities”, “Urgent Legal Summons”, or “Zoom meeting recording”.|N/A|
|Public-facing RDP / AnyDesk|Dictionary or credential-stuffing attacks on TCP 3389 or AnyDesk listening ports, followed by privilege escalation via PrintSpooler exploit.|CVE-2021-34527 (“PrintNightmare”), PrintSpooler|
|Exploitation of HTTPS file-share portals|Brute-force or leaked credentials to cloud-storage administration panels; ransomware then deployed via saved browser passwords.|N/A|
|Software supply-chain compromise|A legitimate Windows driver updater utility was trojanised and delivered DarkEncryptor payload in the installer (abusing the now-revoked DigiCert certificate).|CVE-2024-21412 (SmartScreen bypass)|
|EternalBlue (SMBv1)|Though patched globally, unpatched legacy appliances (IoT, NAS units running Samba 3.x) act as pivot points before lateral movement to domain controllers.|MS17-010|


Remediation & Recovery Strategies:

1. Prevention

  1. Baseline Hardening
    • Disable SMBv1 via GPO and registry (reg add HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v SMB1 /t REG_DWORD /d 0 /f).
    • Enforce strong RDP policies: block 3389 at the perimeter, require VPN + MFA.
    • Disable AnyDesk/TeamViewer on endpoints unless whitelisted via EDR.
  2. Patch & Update
    • Apply the February 2024 cumulative Windows updates (includes SmartScreen bypass mitigation).
    • Update Samba ≥ 4.17.x on storage/IoT routers.
  3. Email & Browser Controls
    • Enable Microsoft Defender for Office 365 “Safe Links” and “Safe Attachments”.
    • Block LNK/ISO in e-mails using transport rules or Purview policies.
  4. Least-Privilege & Segmentation
    • Restrict local admin rights; use LAPS and time-based delegation.
    • Segment flat networks with separate VLANs for servers, workstations, and IoT/NAS.
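As an added example (not from the profile), the following PowerShell applies the SMBv1 setting from step 1 in an idempotent, dry-run-capable way and audits the RDP posture the same step calls for. It must run elevated. The registry paths are the standard Windows ones; the firewall display group name "Remote Desktop" is the built-in English name, so an English-locale host is assumed.

```powershell
# Added example, not from the profile: baseline-hardening checks for SMBv1 and RDP.

function Disable-Smb1 {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    # Same effect as the "reg add ... /v SMB1 /d 0" line in step 1, but -WhatIf aware.
    if ($PSCmdlet.ShouldProcess($key, 'Set SMB1 = 0')) {
        New-ItemProperty -Path $key -Name SMB1 -PropertyType DWord -Value 0 -Force | Out-Null
    }
    # The registry value only stops the server side. Removing the optional feature also
    # unloads the SMB1 client, so the host cannot talk SMBv1 to a legacy NAS either.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled' -and
        $PSCmdlet.ShouldProcess('SMB1Protocol', 'Disable Windows optional feature')) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Test-Smb1Disabled {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    $srv = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RegistrySMB1Value  = if ($null -ne $reg) { $reg.SMB1 } else { 'not set' }
        EnableSMB1Protocol = if ($srv) { $srv.EnableSMB1Protocol } else { 'n/a' }
        FeatureState       = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
    }
}

function Get-RdpExposure {
    # fDenyTSConnections = 0 means RDP is enabled; UserAuthentication = 1 means NLA is required.
    $ts  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $nla = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RdpEnabled      = ($ts.fDenyTSConnections -eq 0)
        NlaRequired     = ($nla.UserAuthentication -eq 1)
        ListeningOn3389 = [bool](Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue)
        InboundRdpRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True -ErrorAction SilentlyContinue).Count
    }
}

Disable-Smb1 -WhatIf   # dry run first; drop -WhatIf to apply
Test-Smb1Disabled
Get-RdpExposure
```

A host that reports RdpEnabled = True, NlaRequired = False and one or more enabled inbound rules is exactly the exposure the RDP bullet warns about; the perimeter block and VPN + MFA requirement still have to be enforced outside the host, which this script cannot verify.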

2. Removal

  1. Immediate Isolation
    • Pull power from edge switches or use EDR isolation to quarantine infected hosts.
    • Disable any scheduled tasks named DarkSystemCleaner, DSEngine, or darkset.ps1.
  2. Boot into Safe Mode with Networking disconnected and run:
    • MSRT (Microsoft Windows Malicious Software Removal Tool) in offline mode.
    • RogueKiller, followed by Malwarebytes in Chameleon mode.
  3. Persistence Check
    • Remove registry keys:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkSetPersistence
    HKCU\SOFTWARE\DarkEncryptor

    • Delete the dropper folder %APPDATA%\DARKSEV.
  4. Post-Clean Verification
    • Re-scan with EDR and perform full YARA sweep hunting for signatures MZ..DarkEncryptorDLL.
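The scheduled-task names, registry keys and dropper folder listed in the removal steps can be checked in one pass. The PowerShell below is an added example, not the profile's own tooling: it reports every artifact it finds and, only with -Remediate, disables the tasks and deletes the keys and folder (honouring -WhatIf). It assumes the default C:\Users profile layout and that user hives of interest are loaded under HKEY_USERS; the YARA sweep from step 4 is not reproduced here.

```powershell
# Added example, not from the profile: hunt (and optionally remediate) the listed persistence.
function Get-DarksetPersistence {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch] $Remediate)

    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Scheduled tasks named in the profile. Disable rather than delete so the task XML
    #    survives for forensics; Unregister-ScheduledTask can follow once it is preserved.
    $taskNames = 'DarkSystemCleaner', 'DSEngine', 'darkset.ps1'
    foreach ($t in Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $taskNames -contains $_.TaskName }) {
        $action = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        $findings.Add([pscustomobject]@{ Type = 'ScheduledTask'; Location = "$($t.TaskPath)$($t.TaskName)"; Detail = $action })
        if ($Remediate -and $PSCmdlet.ShouldProcess($t.TaskName, 'Disable scheduled task')) {
            Disable-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath | Out-Null
        }
    }

    # 2. Run value under HKLM.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name DarkSetPersistence -ErrorAction SilentlyContinue
    if ($run) {
        $findings.Add([pscustomobject]@{ Type = 'RunValue'; Location = "$runKey\DarkSetPersistence"; Detail = $run.DarkSetPersistence })
        if ($Remediate -and $PSCmdlet.ShouldProcess("$runKey\DarkSetPersistence", 'Remove Run value')) {
            Remove-ItemProperty -Path $runKey -Name DarkSetPersistence
        }
    }

    # 3. Per-user key. HKCU only covers the account running this script, so walk every loaded hive.
    foreach ($sid in (Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue).PSChildName) {
        $userKey = "Registry::HKEY_USERS\$sid\SOFTWARE\DarkEncryptor"
        if (Test-Path -LiteralPath $userKey) {
            $findings.Add([pscustomobject]@{ Type = 'RegistryKey'; Location = $userKey; Detail = '' })
            if ($Remediate -and $PSCmdlet.ShouldProcess($userKey, 'Remove registry key')) {
                Remove-Item -LiteralPath $userKey -Recurse -Force
            }
        }
    }

    # 4. Dropper folder. %APPDATA% is per user as well, so check every profile directory.
    foreach ($userDir in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $dropper = Join-Path $userDir.FullName 'AppData\Roaming\DARKSEV'
        if (Test-Path -LiteralPath $dropper) {
            $contents = (Get-ChildItem -LiteralPath $dropper -Force -ErrorAction SilentlyContinue).Name -join ', '
            $findings.Add([pscustomobject]@{ Type = 'DropperFolder'; Location = $dropper; Detail = $contents })
            if ($Remediate -and $PSCmdlet.ShouldProcess($dropper, 'Remove dropper folder')) {
                Remove-Item -LiteralPath $dropper -Recurse -Force
            }
        }
    }
    return $findings
}

# Usage: report first, copy the artifacts off the host, then remediate.
Get-DarksetPersistence | Format-Table -AutoSize
Get-DarksetPersistence -Remediate -WhatIf   # shows what would change; drop -WhatIf to apply
```

Running the report pass on a host that is still live (before the isolation step) is acceptable, but the remediation pass should only follow after the EDR isolation in step 1, so a watchdog process cannot simply recreate what was removed while the machine is still reachable.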

3. File Decryption & Recovery

| Aspect | Status | Details / Tool |
|---|---|---|
|Decryption feasibility|Possible only for v1.6.2 and earlier due to reused keystream bug.|Free decryptor released 2024-04-10 by German BSI & CoveWare: DARKSETDecrypt.exe (requires original file + ransom note).|
|v1.6.3+ / v2.0|Currently no decryptor. Advised to restore from offline or immutable backups.|Use Windows Server “Controlled Folder Access” backups, Veeam v12 hardened repositories, or Wasabi S3 Object-Lock.|
|Shadow Copies|Typically wiped via vssadmin delete shadows /all.|Safeguard by enabling Windows Defender “Hardened System Integrity”.|
|File-extension whitelist|Add .darkset to Windows Defender protected file extensions.|Prevents double-encryption in case of reinfection.|

4. Other Critical Information

  • Ransom Note Location & Name:
    • File name: Restore_My_Files.txt dropped on the desktop and every partition root.
    • Uses both English & Russian instructions; TOR onion address varies per affiliate.
  • Unique Characteristics:
    • “DarkMutate”: Before encrypting, the ransomware downloads the PowerShell-based file-less loader “DarkMutate.ps1” that recompiles itself in-memory to evade runtime scanning.
    • gdb.log exfiltration: A list of successfully encrypted files (gdb.log) is exfiltrated to a Firebase Storage bucket, which affiliates use for double-extortion negotiations.
  • Broader Impact:
    • Targeted local government offices, French hospital networks, and WordPress hosting providers in Europe.
    • Notably, DarkEncryptor affiliates commonly attempt to deploy Havoc C2 post-deployment for lateral movement and data staging.
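Two of the host-level indicators above (the ransom note at every partition root and desktop, and the shadow-copy wipe via vssadmin delete shadows /all from the recovery table) lend themselves to a quick, scripted confirmation. The PowerShell below is an added example and not part of the profile. The note name and the vssadmin command line come from the profile; the log sources are assumptions about the host: Sysmon Event ID 1 if Sysmon is installed, and Security 4688 only if process command-line auditing is enabled, since without it the 4688 message does not contain the arguments.

```powershell
# Added example, not from the profile: confirm two DarkEncryptor indicators on a suspect host.

function Find-DarksetRansomNote {
    param([string] $NoteName = 'Restore_My_Files.txt')   # name given in the profile
    $candidates = @()
    # Every partition root ...
    foreach ($d in Get-PSDrive -PSProvider FileSystem) { $candidates += Join-Path $d.Root $NoteName }
    # ... and every user's desktop (assumes the default C:\Users profile layout).
    foreach ($u in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $candidates += Join-Path $u.FullName "Desktop\$NoteName"
    }
    foreach ($p in $candidates) {
        if (Test-Path -LiteralPath $p) {
            $text = Get-Content -LiteralPath $p -Raw
            [pscustomobject]@{
                Path       = $p
                WrittenUtc = (Get-Item -LiteralPath $p).LastWriteTimeUtc
                # Onion addresses vary per affiliate, so capture them for the incident record.
                Onion      = ([regex]::Matches($text, '[a-z2-7]{16,56}\.onion') | ForEach-Object Value) -join ', '
            }
        }
    }
}

function Find-ShadowCopyDeletion {
    param([int] $LookbackHours = 72)
    $since = (Get-Date).AddHours(-$LookbackHours)
    $filters = @(
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1;    StartTime = $since }
        @{ LogName = 'Security';                              Id = 4688; StartTime = $since }
    )
    foreach ($f in $filters) {
        # SilentlyContinue covers both "log not present" and "no matching events".
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'vssadmin' -and $_.Message -match 'delete\s+shadows' } |
            ForEach-Object {
                $line = ($_.Message -split "`n" | Where-Object { $_ -match 'vssadmin' } | Select-Object -First 1)
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Log     = $f.LogName
                    EventId = $_.Id
                    Snippet = if ($line) { $line.Trim() } else { '' }
                }
            }
    }
}

Find-DarksetRansomNote  | Format-Table -AutoSize
Find-ShadowCopyDeletion | Format-Table -AutoSize
```

A shadow-copy deletion event with no ransom note yet on disk is the more valuable of the two findings: it usually precedes encryption, so an alert on that command line (from the EDR or a SIEM rule over the same two event sources) gives the isolation step a chance to run before files are renamed.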

Free decryptor download mirrors (SHA-256 802a8d1d9b241b13d005b5cf97ffc24f), behavioural hashes for EDR blocking, and a full IOC list can be found at: https://github.com/darki-inc/darkset-resource