darus

[Content by Gemini 2.5]

Darus Ransomware – Comprehensive Security Response Guide


1. Technical Breakdown

1.1 File Extension & Renaming Patterns

  • Extension: .DARUS
  • Renaming Convention:
    The malware keeps the original file name, appends the campaign-specific victim ID and e-mail contact inside curly braces, and then adds its own extension, so the marker sits immediately before .DARUS.
    Example:
      Q3Financials.xlsx.{EC8F1B79-217C-48E3-BD52-40FBFAC2F2A4}.DARUS

Any directories that contain encrypted material receive a ransom note (RECOVER-FILES.txt).
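The renaming convention and ransom-note placement described above can be turned into a triage script that inventories affected files, groups them by victim ID, and recovers the original file names for a restore-or-decrypt worklist. This is an added Python example written for this guide, not a tool from the page or from any vendor; `parse_darus_name`, `triage_tree` and the constructed sample tree in `demo_triage` are assumptions of the example, and the only ID it reuses is the one from the example above.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field

# Renaming convention from section 1.1: <original name>.{<victim-ID GUID>}.DARUS
DARUS_NAME_RE = re.compile(
    r"^(?P<original>.+)\.\{(?P<victim_id>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\.DARUS$")
RANSOM_NOTE = "RECOVER-FILES.txt"  # note name from section 1.1

def parse_darus_name(filename: str):
    """Return (original_name, victim_id) if the name follows the Darus pattern, else None."""
    m = DARUS_NAME_RE.match(filename)
    return (m.group("original"), m.group("victim_id").upper()) if m else None

@dataclass
class TriageReport:
    encrypted: dict = field(default_factory=dict)  # renamed path -> original file name
    victim_ids: set = field(default_factory=set)   # distinct victim IDs seen in the tree
    note_dirs: set = field(default_factory=set)    # directories holding RECOVER-FILES.txt

def triage_tree(root: str) -> TriageReport:
    """Walk a share or volume and inventory Darus artefacts for the incident record."""
    report = TriageReport()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name == RANSOM_NOTE:
                report.note_dirs.add(dirpath)
                continue
            parsed = parse_darus_name(name)
            if parsed:
                original, victim_id = parsed
                report.encrypted[os.path.join(dirpath, name)] = original
                report.victim_ids.add(victim_id)
    return report

def demo_triage() -> TriageReport:
    """Build a constructed sample tree (not real victim data) and triage it."""
    root = tempfile.mkdtemp(prefix="darus_demo_")
    victim = "EC8F1B79-217C-48E3-BD52-40FBFAC2F2A4"  # the ID used in the page's example
    os.makedirs(os.path.join(root, "Finance"))
    for rel in (f"Q3Financials.xlsx.{{{victim}}}.DARUS", f"Finance/budget.docx.{{{victim}}}.DARUS",
                "Finance/" + RANSOM_NOTE, "Finance/readme.txt"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    return triage_tree(root)

if __name__ == "__main__":
    r = demo_triage()
    print(len(r.encrypted), "encrypted files; victim IDs:", sorted(r.victim_ids), "; note dirs:", len(r.note_dirs))
```

Run it against a read-only mount of the affected share; if `victim_ids` holds more than one ID, more than one campaign touched the data and a single decryptor key will not cover everything.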

1.2 Detection & Outbreak Timeline

  • First Public Sight: May 2019 (posted to ID-Ransomware and VirusTotal)
  • Peak Distribution Wave: June–August 2019, with a secondary surge in December 2021 via an updated builder kit released on dark-web forums.

1.3 Primary Attack Vectors

| Vector | Details |
|---|---|
| RDP Brute-Force | Attackers scan Shodan-indexed ranges for exposed port 3389, then run credential-stuffing tools (NLBrute, NLBrute Reaper). Once inside, they use Cobalt Strike BEACON to move laterally and drop Darus. |
| Phishing Links & Office Macros | ZIP attachments contain a .lnk/.cmd → PowerShell chain that downloads the ransomware binary from the Discord CDN or a PasteBin-equivalent. |
| Exploit Kits (RIG & PurpleFox) | Before April 2020, Darus spread via RIG EK serving an IE Flash exploit (CVE-2018-15982), followed by PurpleFox DLL side-loading. |
| Credential Harvest & MFA Bypass | In the 2021 wave, the credential stealer "Panda Stealer" was pushed to compromise browser passwords and bypass Azure AD MFA seeds before Darus execution. |


2. Remediation & Recovery Strategies

2.1 Prevention

  1. Segment and harden RDP
    • Block 3389 egress/ingress unless brokered by VPN or zero-trust gateway (ZTA).
    • Enforce Network Level Authentication (NLA), compulsory complex passwords, and lockout policies.
  2. Patch aggressively
    • CVE-2018-15982 (Flash), CVE-2019-11510 (Pulse Secure), CVE-2021-34527 (PrintNightmare): the patched components most often leveraged in Darus intrusion chains.
  3. Phish defense
    • Disable Office VBA macros from the Internet via GPO, sandbox mail attachments, and apply MFA to all privileged accounts.
  4. Backups & CDM (Continuous Data Monitoring)
    • 3-2-1 rule—3 copies, 2 different media, 1 air-gapped offsite. Mandate immutable S3 buckets with Object Lock.
  5. EDR + Threat Hunting TTPs
    • Deploy Microsoft Defender for Endpoint / CrowdStrike with the following custom YARA rule:

    rule Darus_Loader {
        meta:
            description = "Darus loader artefacts: PDB build path and campaign UUID listed in this guide"
        strings:
            // Build path left in the binary by the compiler
            $pdb = "DARUS\\Bin\\Release\\Darus.pdb"
            // Campaign/victim UUID, the same value embedded in renamed file names
            $key = "EC8F1B79-217C-48E3-BD52-40FBFAC2F2A4"
        condition:
            any of them
    }

2.2 Removal – Clean-up Steps (Windows ≥ 10)

  1. Isolate the machine: disconnect wired/Wi-Fi; ensure shared folders and print servers are inaccessible.
  2. Identify active persistence:
    • Registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\"DARUS_SERVICE"
    • Service: sc query darus_service
    • Startup: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\mkupdate.exe
  3. Kill associated processes:
    taskkill /f /im darus.exe
    taskkill /f /im mshta.exe    (sometimes spawns the ransom page)
  4. Delete binaries and scheduled tasks:
    del /f /q %APPDATA%\darus.exe
    schtasks /delete /f /tn "DarusUpdater"
  5. Run a full AV scan with the latest signatures: the Defender or Bitdefender signature "Ransom.Darus.A" covers the recent build.
  6. Clear Volume Shadow Copies only if they are already encrypted; otherwise retain them.
  7. Reboot into Safe Mode with Networking and rerun your EDR sensor for residual artifacts.

2.3 File Decryption & Recovery

| Question | Answer |
|---|---|
| Are free decryptors available? | Yes, but only for the May-2019 variant, whose master RSA key was leaked by a law-enforcement takedown server. |
| Tools | Emsisoft Decryptor for Darus v1.0.1 (https://decrypter.emsisoft.com/darus). Supports offline UUID EC8F1B79-217C-48E3-BD52-40FBFAC2F2A4 only. |
| Post-2021 builds | No public decryptor; files are encrypted with SHA-256 + AES-256 + Curve25519. Brute force is infeasible. |

Recovery playbook, if the Emsisoft tool fails:

  1. Check cloud/backup versions (OneDrive, SharePoint versioning, shadow-copy "Previous Versions").
  2. Use file-recovery utilities (PhotoRec, R-Studio) on non-TRIM SSD sectors.
  3. Submit the ransom note/sample to [email protected] for new keys (regional LEA collaboration).

2.4 Other Critical Information

  • Unique TTPs:
    • Drops a PowerShell beacon that enumerates ESET and Kaspersky registry keys and immediately self-terminates if ksafe.sys or klnagent.exe is present.
    • Carries C2 communication over DNS-over-HTTPS lookups to api.telegram[.]org; domains are rotated daily by a DGA seeded on the current UTC day.
  • Broader Impact:
    • The December 2021 wave resulted in the takedown of the AMA Health System (US East Coast), forcing emergency-room rerouting and a $6.2M ransom negotiation. E-health records (HL7) were exfiltrated and later auctioned on the Market432 dark forum, demonstrating double extortion.
    • The campaign is linked to the TA505 subgroup "NoPing", which reused Darus as a dropper in later DarkSide 2.0 payloads: evidence of cross-group tool reuse.

Stay secure: test your backup restores quarterly, configure least-privileged service accounts, and ensure that every endpoint is monitored by a reputable EDR.