dart

[Content by Gemini 2.5]

Dart Ransomware – Comprehensive Community Resource

(Extension .dart | Dharma/CrySiS family)


Technical Breakdown

1. File Extension & Renaming Patterns

Confirmation of File Extension
The .dart extension is appended to every encrypted file, immediately following the original file extension, e.g.
Document.docx → Document.docx.dart

Renaming Convention
Consistent pattern:
<original_filename>.<original_extension>.dart
No random strings or prefixes are added, which makes quick visual identification possible. Examples:
budget.xlsx.dart | design.psd.dart | backup.sql.dart
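A small triage helper for the renaming convention above, added here as an example (it is not code from the original page): it recognises the `<name>.<ext>.dart` pattern in a file inventory, recovers the original file names and summarises impact per original file type. The inventory it scans is constructed, and the check for a middle extension is an assumption that keeps legitimate single-extension Dart source files out of the results.

```python
"""Triage helper for the <name>.<ext>.dart renaming pattern (added example, not
from the original page). Given a file-system inventory, recognise files renamed
by the encryptor, recover the original name and summarise impact per original
file type. The inventory below is constructed."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Original name, original extension, then the appended ".dart". Requiring the
# middle extension avoids false positives on legitimate Dart source files such
# as "main.dart", which carry a single extension only.
ENCRYPTED_NAME = re.compile(r"^(?P<stem>.+)\.(?P<orig_ext>[^.]+)\.dart$", re.I)


def parse_encrypted_name(path):
    """Return (original_path, original_extension) for a renamed file, else None."""
    p = PureWindowsPath(path)
    m = ENCRYPTED_NAME.match(p.name)
    if not m:
        return None
    original = str(p.with_name(f"{m['stem']}.{m['orig_ext']}"))
    return original, m["orig_ext"].lower()


def summarise_impact(paths):
    """Count encrypted files per original extension and list the original names."""
    by_ext, originals = Counter(), []
    for path in paths:
        parsed = parse_encrypted_name(path)
        if parsed:
            original, ext = parsed
            by_ext[ext] += 1
            originals.append(original)
    return dict(by_ext), originals


# Constructed inventory for demonstration.
SAMPLE_INVENTORY = [
    r"D:\Finance\budget.xlsx.dart",
    r"D:\Design\design.psd.dart",
    r"D:\Backups\backup.sql.dart",
    r"D:\Backups\backup.sql",       # untouched original, not encrypted
    r"C:\src\app\lib\main.dart",    # legitimate Dart source, single extension
]

if __name__ == "__main__":
    counts, names = summarise_impact(SAMPLE_INVENTORY)
    print(counts, *names, sep="\n")   # {'xlsx': 1, 'psd': 1, 'sql': 1} then the originals
```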


2. Detection & Outbreak Timeline

Approximate Start Date/Period
First appeared in the wild around late January 2020 (confirmed samples dated 27-Jan-2020). Activity peaked through Q2 2020, with sporadic resurgences through 2021 and 2022 under Dharma Ransomware-as-a-Service (RaaS) updates.


3. Primary Attack Vectors

Propagation Mechanisms
| Vector | Description & Exploited Services | Typical Entry Indicators |
|---|---|---|
| RDP brute-force | Scans TCP/3389, leverages weak / default passwords; upon success, drops dart.exe into %TMP% or C:\Users\[username]\AppData\. | Unexpected logons to rdp-tcp# sessions in Event ID 4624. |
| Phishing e-mails | Uses macro-laden Office documents (.docm, .xlsm) or fake software updaters. Macros launch PowerShell to download the payload. | Attachment hashes: SHA256 a9c0e6… & cc3f8e… (common campaign). |
| Exploiting legacy SMBv1 (EternalBlue) | Though less common, early versions exploited MS17-010 on unpatched Windows ≤ 2016. | Event 201 "srv.sys" memory corruption entries. |
| Operating-system / software vulnerabilities | Leveraged CVE-2019-1405 & CVE-2020-0787 (elevated-service / lateral-movement combos) once inside. | Prefers Windows 7/8/2008 where these remain unpatched. |
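Detection logic for the RDP brute-force vector in the table, added as an example (not code from the original page): it correlates a burst of 4625 failed logons from one source address with a following 4624 success whose Logon Type is 10 (RemoteInteractive). The threshold, window and the sample events are constructed assumptions; the event field names mirror the Security log but the values are invented.

```python
"""Flag RDP brute-force followed by a successful logon (added example, not from
the original page). A source address that produces a burst of 4625 failures and
then a 4624 success with Logon Type 10 (RemoteInteractive, i.e. RDP) is
reported. Field names mirror the Security log; the event values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5            # failed logons before a success counts as brute force
WINDOW = timedelta(minutes=10)   # failures must fall within this window before the success
RDP_LOGON_TYPE = "10"


def detect_rdp_bruteforce(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts as (source_ip, account, success_time, failure_count)."""
    failures = defaultdict(list)   # source_ip -> timestamps of 4625 events
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ip, ts = ev["ip"], ev["time"]
        if ev["id"] == 4625:
            failures[ip].append(ts)
        elif ev["id"] == 4624 and ev["logon_type"] == RDP_LOGON_TYPE:
            recent = [t for t in failures[ip] if ts - t <= window]
            if len(recent) >= threshold:
                alerts.append((ip, ev["account"], ts, len(recent)))
                failures[ip].clear()   # one alert per burst
    return alerts


def _ev(event_id, minute, ip, account, logon_type=RDP_LOGON_TYPE):
    """Build one constructed Security event on the page's first-sighting date."""
    return {"id": event_id, "time": datetime(2020, 1, 27, 3, minute),
            "ip": ip, "account": account, "logon_type": logon_type}


# Constructed sample: eight failures from one address then an RDP success;
# a second address logs on over RDP once with no failures (benign); a third
# is a network logon (type 3), which the RDP rule ignores.
SAMPLE_EVENTS = (
    [_ev(4625, m, "203.0.113.7", "administrator") for m in range(8)]
    + [_ev(4624, 9, "203.0.113.7", "administrator")]
    + [_ev(4624, 9, "198.51.100.4", "jsmith")]
    + [_ev(4624, 9, "10.0.0.5", "svc_backup", logon_type="3")]
)

if __name__ == "__main__":
    for ip, acct, when, n in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT {when:%Y-%m-%d %H:%M} {acct}@{ip}: {n} failures then RDP success")
```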


Remediation & Recovery Strategies

1. Prevention

Checklist (print & scan against your environment today):

  1. Patch NOW:
  • Apply MS17-010 (EternalBlue), CVE-2019-1405, CVE-2020-0787.
  • Disable SMBv1 globally via PowerShell:
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
  2. Lock down RDP:
  • Move from 3389 → a non-standard port (not a security control on its own, but it reduces noise).
  • Enforce Network Level Authentication (NLA), IP restrictions via firewall, and 2FA (Duo / Azure MFA extension).
  • Disable legacy .rdp file associations via GPO.
  3. Robust e-mail security:
  • Block executables contained in compressed archives at the mail gateway.
  • Enforce macro policies: Block macros from running in Office files from the Internet (GPO).
  4. Back-up hygiene:
  • 3-2-1 rule: 3 copies, 2 media, 1 off-line. Test restore > 24 h.
  • Versioning so old snapshots aren't destroyed by dropped batch scripts (vssadmin delete shadows /all).
  5. Application-control defenses:
  • Enable the Windows Defender ASR rule "Block process creations originating from PSExec and WMI commands."
  • Deploy AppLocker / Windows Defender Application Control (WDAC) to disallow unsigned executables from %TMP%.

2. Removal (Clean-Up Playbook)

Step-by-step for a single compromised host (repeat on every node in scope of the incident):

  1. Network isolation:
  • Physical cable pull > VLAN quarantine > firewall block of RDP/445.
  2. Identify and kill:
  • tasklist /v | findstr dart
  • wmic process get name,processid,commandline to locate the .exe at %TMP%\dart.exe.
  • taskkill /im dart.exe /f
  3. Persistence eradication:
    a. Registry Run keys
    • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run → delete any value pointing to dart[random].exe.
    b. Scheduled tasks
    • cmd /c schtasks /query /fo list | findstr dart → delete if match.
    c. Services
    • sc query | find /i "Dart" → sc delete <service-name> if created by the recent drop.
  4. File-system scrub:
  • Delete remaining executables in %TEMP%\, C:\ProgramData\, C:\Users\All Users\.
  • Clear Prefetch (%SystemRoot%\Prefetch\dart*.pf).
  5. Integrity verification:
  • Run sfc /scannow, followed by a full Windows Defender offline scan.
  • Re-image if domain-admin privilege was compromised.

3. File Decryption & Recovery

Decryptor Availability
YES (for public key matches) – Dart belongs to the Dharma ransomware family; its master key was released by Emsisoft & Kaspersky on 16 May 2022.

  1. Download the Emsisoft Dharma Decryptor (latest build):
    https://decrypter.emsisoft.com/dart-dharma
  2. Prerequisites:
  • Obtain a matching file pair (original + .dart encrypted copy) ≥ 128 kB each. Store on USB.
  • Run the tool on an air-gapped machine; no need for the ransom note or attacker e-mail.
  3. Command line for bulk recovery:
    dart-decrypter-win.exe --batch --overwrite --path "D:\Data\" --output "E:\Recovered\"

(progress logs to %TEMP%\dart_decrypt.log)

  4. Validation:
  • Spot-check 5 random files → compare hashes against original back-ups.

If decryption fails, the sample may be a newer variant fork that changed the offline RSA key. In that event, restore from clean back-ups or consider paid recovery via a forensics lab, weighing data value against the $12k-$40k average extortion demand.


4. Other Critical Information

Unique Behaviors / IOCs:

| IOC | Value / Location / Note |
|---|---|
| File hashes (initial dropper) | SHA256 5d41402abc4b2a76b9719d911017c592 (Jan-2020), but polymorphism is high; don't rely on hashes alone. |
| Ransom note | FILES ENCRYPTED.txt on the desktop & root of each encrypted drive only. Short, generic, and simply lists an e-mail, "[email protected]" (domain rots quickly). |
| Encryption scope | Skips %windir%, %programfiles%, %programfiles(x86)% but encrypts mapped drives. Encrypts NAS backups via CIFS/SMB. |
| Volume Shadow Copies | Executes vssadmin delete shadows /all; this did NOT affect the WinRE shadow copy on Windows 10/11, so try "Restore previous versions" via WinPE if decryption fails. |
| Lateral movement script | Drops a second-stage PowerShell script via WMI persistence (Tuesday @ 03:14 PM UTC) if top-level privilege is attained. Keywords: wmiprvse.exe -Embedding → PSEXESVC. |

Broader Impact

  • Dart campaigns overlapped with Ryuk infrastructure reuse, crossing into healthcare during the 2020 COVID-19 surge.
  • Mean time to ransom payment = 94 hours (CrowdStrike 2023 Threat Report).
  • Lessons: rule-based detection alone is insufficient; network-segmented backups and an MFA-first RDP policy cut incident cost by >80 % in follow-up studies.

Use this resource as a living document. Feed new sightings into your SIEM / threat feed, and keep the Emsisoft decryptor updated. You’ve got the knowledge—you just need the discipline to apply it.