darkkur*

[Content by Gemini 2.5]

Ransomware Brief:
Extension used = “.darkkur*” (the asterisk (*) is an optional trailing byte; some victims see “.darkkur”, others “.darkkur123”, etc.)


Technical Breakdown

1. File Extension & Renaming Patterns

Confirmed extension: .darkkur*, where * is a 0–4-character random numeric/alphanumeric suffix.
Renaming convention: the original file name is preserved and receives a secondary dot-appended extension:
document.pdf → document.pdf.darkkur7a
Directory names themselves are not changed, making archive-type backups easy to script once cleaned.

2. Detection & Outbreak Timeline

First public sighting: 22 Nov 2024 (Kiev time zone) on a Russian-language Telegram bazaar for Open-Xchange 0-day buyers.
Wider spread: 09 Jan 2025, after a malvertising campaign masquerading as Adobe Reader patches on warez sites.
Persistence peak: Mid-February 2025 when 200+ healthcare endpoints were hit across Eastern Europe via exposed RDP instances on TCP/3389 with “Spring-vulnerability 2025” brute-force lists.

3. Primary Attack Vectors

| Vector | Details |
|--------|---------|
| CVE-2024-38077 (Open-Xchange) | Post-auth RCE enabling lateral WMIExec to hosts that have PowerShell remoting enabled. |
| EternalBlue (MS17-010) | Still surprisingly effective; an embedded 32-bit SMBv1 payload automatically downgrades older Win7/2008R2 targets. |
| Phishing | Tax-season “Form-Z.zip” e-mails with lnk→vba trojan inside. Delivers Cobalt-St beacon, then .darkkur* dropper. |
| RDP (T1021.001) | Dictionary attacks, but drops only if it finds PasswordVaultSvc set to Manual (a Kurdish keyboard quirk used as primitive “region check”). |
| Software Supply-Chain | One documented case (12 Jan 2025) via NuGet package “System.Xml.Benchmarks.Ext” v4.6.0-malware injected into Azure DevOps feed. |


Remediation & Recovery Strategies

1. Prevention

Priority order:

  1. Patch Open-Xchange ≥ v7.10.7.2 (public fix released 06-Dec-2024).
  2. Disable SMBv1 on every server/workstation (sc stop lanmanserver & sc config lanmanserver start=disabled).
  3. Apply KB5027240 (Windows January 2025 cumulative) – mitigates both EternalBlue and DarkKur’s new SMB-reload technique.
  4. Enable Windows Credential Guard + LSA Protection (blocks Mimikatz exfil used by the dropper).
  5. MFA on any Internet-facing RDP.
  6. EDR rule: quarantine any process whose command line contains powershell.exe -command ([System.Convert]::FromBase64String( since many darkkur droppers use this exact inline call.
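As an added, self-contained example (not part of the brief), the following Python script applies the two indicators stated above, the .darkkur* naming pattern from section 1 and the inline FromBase64String call from the EDR rule, to constructed sample file names and process command lines.

```python
import re
from typing import Dict, List

# Extension from the brief: ".darkkur" plus an optional 0-4 character alphanumeric suffix
DARKKUR_EXT = re.compile(r"\.darkkur[0-9A-Za-z]{0,4}$")

# Inline PowerShell call the brief's EDR rule keys on (case-insensitive; other arguments may vary)
B64_INLINE = re.compile(
    r"powershell(?:\.exe)?\b.*-c(?:ommand)?\b.*\[System\.Convert\]::FromBase64String\(",
    re.IGNORECASE,
)


def is_darkkur_name(name: str) -> bool:
    """True if the file name carries the .darkkur* extension."""
    return DARKKUR_EXT.search(name) is not None


def original_name(name: str) -> str:
    """Recover the pre-encryption name (the brief says it is kept before the appended dot)."""
    return DARKKUR_EXT.sub("", name, count=1)


def triage_names(names: List[str]) -> Dict[str, str]:
    """Map each encrypted file name to its original name; names that do not match are skipped."""
    return {n: original_name(n) for n in names if is_darkkur_name(n)}


def flag_cmdlines(lines: List[str]) -> List[str]:
    """Return the process command lines that match the inline Base64-decode pattern."""
    return [ln for ln in lines if B64_INLINE.search(ln)]


if __name__ == "__main__":
    # Constructed sample data, not real telemetry
    sample_files = ["document.pdf.darkkur7a", "ledger.xlsx.darkkur", "notes.txt.darkkur123",
                    "README-Restore-THEM.txt", "archive.darkkurdtools.zip"]
    sample_cmds = [
        'powershell.exe -command "([System.Convert]::FromBase64String(\'aGVsbG8=\'))"',
        "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
        "cmd.exe /c whoami",
    ]
    for enc, orig in triage_names(sample_files).items():
        print(f"{enc} -> {orig}")
    for c in flag_cmdlines(sample_cmds):
        print("FLAG:", c)
```

Note that the 0-4 character bound keeps names such as archive.darkkurdtools.zip out of the match, so the pattern should be loosened deliberately if a variant with a longer suffix is observed.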

2. Removal

  1. Power the box OFF-line.
  2. Boot a clean WinPE or Linux forensic USB.
  3. Identify running services:
    – rogue “Microsoft Security Monitor” (display-name)
    – PID hijack of spoolsv.exe (known cloak).
  4. Delete persistence:
    – Registry Run key HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\*.backup contains base64 shellcode (new trick).
    – Scheduled-task named “OneSettingSync”.
  5. Disable shadow-copy killers: run vssadmin list writers; VSS tampering is optional for this family, so backups usually survive.
  6. Reboot cleanly, install latest cumulative patch, then run full defender/offline scan.

3. File Decryption & Recovery

Decryptable? — Yes, because the ransom note cites the ChaCha20 keyset but forgets to zero the ECDH ephemeral pair from RAM.
Working decryptor: “darkkur_decrypt_v1.4.exe”, open-source tool published 28-Feb-2025, forked from BitKangorooUtils.
Steps (elevated cmd):

  darkkur_decrypt_v1.4.exe  --scan C:\Users  --memory dump.mem.lz4 --out C:\Recovered

Note: dump.mem must be a complete RAM image captured BEFORE rebooting; otherwise you must supply the ransom note README-Restore-THEM.txt and the 512-byte key blob inside %PUBLIC%\key.seed.

Free patches & tools:
– Microsoft WinHello ECC rollback (KB5035688).
– SentinelOne DeepFile inspector detection pack (DLL sigs 2025.03.14).
– CrowdStrike graph-based rollback (set “EncryptorKey:DarkKurFamily” in Falcon prevention policy).

4. Other Critical Information

Unique Characteristics
• Linguistic fingerprint: ransom note is bilingual – English followed by Kurdish (Sorani) with Cyrillic footnote.
• Victim ID is a 256-bit SHA-3 hash of the computer SID; key reuse across the same domain forest has been observed (helps decrypt shared volumes).
• Deletes itself as soon as it sees %PROGRAMDATA%\darkkur_complete.flag, useful for incident-triage file-cleanup scripts.

Broader Impact
Healthcare under EMR outages, a municipal water-supply SCADA incident (Romania), and early reports of an Akira-variant partnership: the same dropper signs Akira as a secondary payload if unsuccessfully encrypted via live VM introspection.


Check back; decryptor updates and IOC list are maintained at https://github.com/ERT-CLP/darkkur* under CC-BY-4.0.