Dark 101 Ransomware Deploys .NET Payload to Cripple Recovery Mode and Task Manager

The FortiGuard Labs team has uncovered a new ransomware variant, identified as “Dark 101,” which aligns with the persistent Dark 101 malware family.

This threat is distinguished by its obfuscated .NET binary payload, deliberately engineered to encrypt user files, eliminate built-in Windows recovery routes, and prevent administrative intervention, all while coercing victims into paying a ransom in Bitcoin.

The analysis was conducted with behavioral data collected from FortiSandbox, alongside in-depth reverse engineering to unravel the ransomware’s full capabilities.

The infection chain begins with anti-analysis measures. On execution, the ransomware checks whether it is running from somewhere other than the designated %Appdata% directory.

If it is not running from that directory, the malware introduces a 10-second delay, intended to outlast sandboxes whose short execution windows do not simulate realistic user environments.

FortiSandbox, however, defeated this evasion technique, giving full visibility into the ransomware’s subsequent actions.

Dark 101 then copies itself into the %Appdata% folder, renaming its executable to “svchost.exe” to impersonate the legitimate Windows system process of the same name, which lives in C:\Windows\System32.

This tactic reduces detection by unwary users and even some security controls; FortiSandbox’s behavioral analytics nevertheless flagged the process because of its suspicious location and activities.

Figure: Chain of execution of the ransomware

Disruption of Recovery

Once established, the ransomware methodically disables all feasible recovery mechanisms.

It launches a sequence of destructive system commands. First, vssadmin delete shadows /all /quiet and wmic shadowcopy delete purge all Volume Shadow Copies, an avenue normally used to restore previous file versions.

It then issues wbadmin delete catalog -quiet to wipe the Windows Backup catalog, erasing the metadata for system image backups. This loss leaves the victim with few, if any, local recovery options.

The malware further entrenches itself by undermining user defenses. Dark 101 disables the Task Manager through a registry modification, setting HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1.

This registry alteration prevents users from launching the Windows Task Manager, thus impeding the visibility and termination of malicious processes.

Ransom Demand

With evasive and destructive measures in place, Dark 101 initiates its encryption routine, conducting a thorough scan of user-accessible directories and focusing on specific file types.

Figure: A ransom note

Extensions associated with documents, images, databases, and archives become prime targets, while system and application files are intentionally skipped to avoid operational disruption of the host, thereby maximizing the likelihood of ransom payment.

Files are encrypted and renamed with a randomly generated, four-character extension, marking them as compromised. In each affected directory, the malware drops a ransom note entitled “read_it.txt.”

The extortion message instructs victims on obtaining decryption by sending payments in Bitcoin, often providing a unique identifier or attacker contact email to establish communication and streamline the extortion process.

According to the report, Dark 101’s behavioral footprint was comprehensively observed in FortiSandbox, providing a detailed playbook for defenders.

The ransomware is reliably detected and blocked as “MSIL/Kryptik.SAC!tr.ransom” by FortiGuard Antivirus, ensuring coverage for FortiGate, FortiMail, FortiClient, and FortiEDR customers, provided protections remain current.

The ransomware is also tagged as High Risk within sandbox environments, further strengthening automated defenses.

Organizations are urged to keep their security solutions up to date and to engage incident response teams promptly if compromise is suspected.

Key Indicators of Compromise (IOCs)

Type        Value / Path
MD5 Hash    ae3dd3d1eedb6835e6746d51d9ab21c6
Registry    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1
Command     vssadmin delete shadows /all /quiet
Command     wmic shadowcopy delete
Command     wbadmin delete catalog -quiet
File Path   %APPDATA%\svchost.exe
File Name   read_it.txt
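The indicators above, together with the execution chain and the recovery-disruption steps described earlier, translate directly into endpoint detection logic. The following is an added example written for this article, not FortiGuard's or FortiSandbox's code: it runs four checks over constructed, Sysmon-style process, registry and file events (svchost.exe executing outside System32, the three shadow-copy and backup-catalog deletion commands, the DisableTaskMgr policy write, and the read_it.txt note). The key=value event format, the sample lines, the rule names and the function names are all assumptions made for the example.

```python
"""Detection checks for the Dark 101 behaviours named in the article.
Added example; the event format and sample lines are constructed."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample telemetry in a simplified key=value form modelled on Sysmon
# event IDs (1 = process creation, 11 = file creation, 13 = registry value set).
# None of these lines is real sandbox output; they only mirror the reported IOCs.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" CommandLine="svchost.exe -k netsvcs"',
    'EventID=1 Image="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe" CommandLine="svchost.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin delete shadows /all /quiet"',
    'EventID=1 Image="C:\\Windows\\System32\\wbem\\WMIC.exe" CommandLine="wmic shadowcopy delete"',
    'EventID=1 Image="C:\\Windows\\System32\\wbadmin.exe" CommandLine="wbadmin delete catalog -quiet"',
    'EventID=13 Image="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe" '
    'TargetObject="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\DisableTaskMgr" '
    'Details="DWORD (0x00000001)"',
    'EventID=11 Image="C:\\Users\\alice\\AppData\\Roaming\\svchost.exe" '
    'TargetFilename="C:\\Users\\alice\\Documents\\read_it.txt"',
    'EventID=1 Image="C:\\Windows\\System32\\vssadmin.exe" CommandLine="vssadmin list shadows"',  # benign
]

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
SYSTEM32 = r"c:\windows\system32"
DISABLE_TASKMGR_SUFFIX = r"\policies\system\disabletaskmgr"

# Command-line patterns for the three recovery-destroying commands listed in the IOCs.
DESTRUCTIVE_CMDS = [
    ("shadow-copy-delete-vssadmin", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("shadow-copy-delete-wmic", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("backup-catalog-delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog\b", re.I)),
]


@dataclass
class Finding:
    rule: str
    event_index: int
    evidence: str


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def check_process(ev: dict):
    """Process-creation rules: svchost.exe masquerading, then destructive commands."""
    image = ev.get("Image", "")
    if (ntpath.basename(image).lower() == "svchost.exe"
            and ntpath.dirname(image).lower() != SYSTEM32):
        return "svchost-masquerade", image
    cmd = ev.get("CommandLine", "")
    for rule, pattern in DESTRUCTIVE_CMDS:
        if pattern.search(cmd):
            return rule, cmd
    return None


def check_registry(ev: dict):
    """Registry rule: the DisableTaskMgr policy value being set to 1."""
    target = ev.get("TargetObject", "")
    if not target.lower().endswith(DISABLE_TASKMGR_SUFFIX):
        return None
    details = ev.get("Details", "")
    hex_value = re.search(r"0x([0-9a-fA-F]+)", details)
    value = int(hex_value.group(1), 16) if hex_value else details.strip()
    if value == 1 or value == "1":
        return "taskmgr-disabled", f"{target} = {details}"
    return None


def check_file(ev: dict):
    """File-creation rule: the ransom note name reported for this family."""
    path = ev.get("TargetFilename", "")
    if ntpath.basename(path).lower() == "read_it.txt":
        return "ransom-note-dropped", path
    return None


# Each rule only applies to the event type it was written for, so a registry or
# file event produced by the renamed svchost.exe is not double-counted as masquerading.
CHECKS = {"1": check_process, "13": check_registry, "11": check_file}


def detect(lines) -> list:
    """Run the matching check on every event and collect findings in event order."""
    findings = []
    for index, line in enumerate(lines):
        ev = parse_event(line)
        check = CHECKS.get(ev.get("EventID"))
        hit = check(ev) if check else None
        if hit:
            findings.append(Finding(hit[0], index, hit[1]))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_index}: {f.evidence}")
```

On the constructed sample, events 1 through 6 each raise exactly one finding, while the legitimate svchost.exe in System32 and the read-only vssadmin list shadows command are left alone. The command patterns deliberately match on the verb and object (delete shadows, shadowcopy delete, delete catalog) rather than the full string, so variants that drop or reorder the /quiet and -quiet switches are still caught; the masquerade check keys on path rather than on %APPDATA% specifically because the same binary name outside System32 is suspicious wherever it lands.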


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
