The FortiGuard Labs team recently identified a ransomware sample belonging to the Dark 101 malware family. The ransomware is delivered as an obfuscated .NET binary whose objectives are to encrypt the victim's personal files, delete the Volume Shadow Copies and the Windows Backup catalog, disable recovery options and Task Manager, and ultimately demand a ransom payment in Bitcoin to decrypt the files. All behavioral data presented in this article was obtained from a FortiSandbox report; additional reverse engineering was conducted to uncover further capabilities of the malware.
The FortiSandbox report documented the malware's behavior and provided visual aids to support the analysis. The following Tree View diagram (Figure 1) illustrates the execution sequence, outlining the chronological order of actions and processes initiated by the ransomware. The visual representation provides valuable insights into the malware’s operational flow, allowing users to track its behavior and comprehend its execution logic. Additionally, suspicious indicators triggered during the analysis were recorded (Figure 2), offering further context and aiding in the identification of suspicious and malicious activities.
Figure 1: Chain of execution of the ransomware
Figure 2: Indicators with severity and technique
The ransomware first attempts to detect an analysis environment by checking whether its executable is running from outside the %Appdata% folder. If it is, it sleeps for 10 seconds before continuing execution. The check is a simple path test rather than a true sandbox fingerprint, and the delay is meant to outlast sandboxes that only observe a sample for a short execution window. FortiSandbox simulates a realistic user environment and executes the sample from an expected location, so the ransomware proceeds without delay or altered behavior and every stage remains visible during analysis. The sleepOutOfTempFolder function responsible for this environment check and delay is shown in Figure 3.
Figure 3: Implementation of the sleepOutOfTempFolder function used for evasion
Afterwards, the ransomware copies itself into the %Appdata% folder as svchost.exe. This name mimics a legitimate Windows system process, which normally resides in C:\Windows\System32; a process of that name running from a user-writable profile directory is therefore a reliable indicator on its own. By adopting a trusted name, the ransomware attempts to evade detection and reduce the chance of raising suspicion among users and automated tools. As shown in Figure 4, FortiSandbox correctly flags this process as high risk because of its suspicious behavior and its file location, which is inconsistent with the real svchost.exe.
Figure 4: The renamed svchost.exe process in %Appdata% flagged as high risk due to its impersonation of a critical system process.
As part of its anti-recovery strategy, the Dark 101 ransomware executes a series of destructive system commands designed to eliminate any possibility of restoring encrypted files through Windows' built-in recovery features. Specifically, it runs the vssadmin, wmic, and wbadmin commands shown in Figures 5 and 6.
Figure 5: Execution of vssadmin and wmic commands to delete all Volume Shadow Copies
Figure 6: Execution of the wbadmin delete catalog command to remove the Windows Backup catalog
The first two commands (vssadmin delete shadows /all /quiet and wmic shadowcopy delete) remove all Volume Shadow Copies, which Windows uses to restore previous versions of files; once deleted, shadow copies cannot be recovered. The third command (wbadmin delete catalog -quiet) deletes the Windows Backup catalog, so Windows Backup can no longer locate any system image backups that were created. Note that deleting the catalog does not touch the backup data itself: if the backup target (for example an external disk or a network share) was not reachable by the ransomware, the catalog can be rebuilt from it with wbadmin restore catalog -backupTarget:<location>. By chaining these commands together, the ransomware removes both the shadow copies and the formal backup metadata, leaving the victim with no local recovery option.
Having removed the recovery options with the vssadmin, wmic, and wbadmin commands, the Dark 101 ransomware proceeds to disable Task Manager by modifying the Windows Registry. It sets the DisableTaskMgr value (a REG_DWORD) under the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System key to 1, which prevents the user from launching Task Manager. This tactic is commonly used to hinder user intervention, making it more difficult to terminate the ransomware process or inspect running activity. Because the value lives under HKCU, it is a per-user policy rather than a system-wide one; it provides no persistence for the malware itself, but it remains set after the ransomware exits and has to be deleted during cleanup.
Figure 7 shows the registry modification captured during execution.
Figure 7: Registry modification used to disable Task Manager by setting DisableTaskMgr to 1 under the current user’s policies
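The chain described above (svchost.exe started from %Appdata%, the vssadmin/wmic/wbadmin recovery-inhibition commands, and the DisableTaskMgr registry write) maps directly onto process-creation and registry-set telemetry. The following is an added example of detection logic for that chain, written for this article and not taken from FortiGuard's detection content. It runs over constructed Sysmon-style events: the field names (EventID, Image, CommandLine, ParentImage, TargetObject, Details) follow Sysmon, but the event layout is simplified and the paths, the parent process name sample.exe and the user SID are made up.

```python
"""Detection logic for the Dark 101 execution chain, run over constructed
Sysmon-style events (EventID 1 = process creation, EventID 13 = registry value
set). Added example, not FortiGuard detection content; field names follow Sysmon
but the event layout, paths, parent process name and SID are simplified and made up."""
import re
from collections import defaultdict

# Recovery-inhibition commands from the sandbox report, matched case-insensitively
# against the full command line so "cmd /c a & b" chains are caught as well.
RECOVERY_INHIBITION = {
    "vssadmin delete shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic shadowcopy delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin delete catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
}

# The only directories a legitimate svchost.exe image is loaded from (prefix check;
# a production rule would also look at the image signature and the parent process).
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Sysmon records HKCU as HKU\<user SID>, so match on the key suffix, not the hive name.
DISABLE_TASKMGR_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\policies\\system\\disabletaskmgr"


def parse_dword(details):
    """Turn a Sysmon 'Details' string such as 'DWORD (0x00000001)' into an int (None if absent)."""
    m = re.search(r"0x([0-9a-f]+)|(\d+)", details, re.I)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))


def check_process(ev):
    """Findings for one process-creation event as (actor image, category, detail) tuples."""
    findings = []
    image = ev.get("Image", "")
    if image.rsplit("\\", 1)[-1].lower() == "svchost.exe" and not image.lower().startswith(LEGIT_SVCHOST_DIRS):
        findings.append((image, "masquerade", "svchost.exe started from " + image))
    cmd = ev.get("CommandLine", "")
    for label, pattern in RECOVERY_INHIBITION.items():
        if pattern.search(cmd):
            # cmd.exe is only the vehicle; attribute the command to the process that spawned it.
            findings.append((ev.get("ParentImage", image), "recovery_inhibition", label))
    return findings


def check_registry(ev):
    """Findings for one registry value-set event."""
    target = ev.get("TargetObject", "").lower()
    if target.endswith(DISABLE_TASKMGR_SUFFIX) and parse_dword(ev.get("Details", "")) == 1:
        return [(ev.get("Image", ""), "disable_taskmgr", "DisableTaskMgr set to 1")]
    return []


def correlate(events):
    """Group findings by acting process image and rate each actor.

    A single category is worth a look on its own; two or more distinct categories
    on the same actor reproduce the chain from the report and are rated high.
    """
    by_actor = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 1:
            found = check_process(ev)
        elif ev.get("EventID") == 13:
            found = check_registry(ev)
        else:
            found = []
        for actor, category, detail in found:
            by_actor[actor.lower()].add((category, detail))
    verdicts = {}
    for actor, hits in by_actor.items():
        categories = sorted({c for c, _ in hits})
        verdicts[actor] = {
            "severity": "high" if len(categories) >= 2 else "medium",
            "categories": categories,
            "details": sorted(d for _, d in hits),
        }
    return verdicts


# Constructed events modelled on the report's execution chain, plus two benign ones.
APPDATA_SVCHOST = r"C:\Users\victim\AppData\Roaming\svchost.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": APPDATA_SVCHOST, "CommandLine": APPDATA_SVCHOST,
     "ParentImage": r"C:\Users\victim\Downloads\sample.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": APPDATA_SVCHOST,
     "CommandLine": '"cmd.exe" /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": APPDATA_SVCHOST,
     "CommandLine": '"cmd.exe" /c wbadmin delete catalog -quiet'},
    {"EventID": 13, "Image": APPDATA_SVCHOST, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe", "Details": "DWORD (0x00000002)",
     "TargetObject": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
]

if __name__ == "__main__":
    for actor, verdict in correlate(SAMPLE_EVENTS).items():
        print(verdict["severity"].upper(), actor, verdict["categories"])
```

Run as a script it reports a single high-severity actor, the svchost.exe copy in the profile directory, with all three categories attached to it; the genuine svchost.exe and the unrelated Explorer policy value produce nothing. The correlation step matters more than any single pattern: vssadmin delete shadows also appears in legitimate administration, but an unsigned svchost.exe in %Appdata% spawning it and then writing DisableTaskMgr is the chain this report describes.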
After disabling recovery mechanisms and system utilities, the ransomware begins scanning the file system directories for targets to encrypt. It targets user-accessible locations that are likely to contain personal or sensitive data, while avoiding critical system files and directories to prevent system instability. The ransomware maintains a predefined list of file extensions that are associated with documents, images, archives, databases, and other valuable content. Only files matching these extensions are selected for encryption, maximizing impact while minimizing the risk of a system failure.
Once a file is identified and deemed valid for encryption, the ransomware encrypts its content and appends a randomly generated four-character extension to the filename. The encryption renders the file unusable, and the new extension serves as a marker indicating successful encryption. Figure 8 displays a partial list of the file extensions targeted for encryption.
Figure 8: List of file extensions targeted by the Dark 101 ransomware for encryption
Figure 9: Sample of the encrypted files, each renamed with a random four-character extension.
To inform the victim and demand payment, the Dark 101 ransomware drops a ransom note named read_it.txt into every directory containing encrypted files. This text file serves as an extortion message, notifying the victim that their data has been encrypted and providing detailed instructions on how to make a ransom payment. The note demands payment in Bitcoin and typically includes a unique identifier or contact information, such as an email address, to establish communication with the attacker. This tactic is designed to pressure the victim into complying with the ransom demands. Figure 10 shows the ransom note captured during analysis.
Figure 10: A Ransom note (read_it.txt) dropped by the Dark 101 ransomware, demanding payment in Bitcoin
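Responders triaging a host after this stage have two observable artifacts to work with: the read_it.txt note in every affected directory and files carrying an unfamiliar four-character extension whose contents no longer look like the original format. The following is an added example of a filesystem triage script built around those two artifacts; it is not FortiGuard tooling. The entropy threshold, the list of ordinary four-character extensions, and the sample directory tree it builds are assumptions made for the example.

```python
"""Filesystem triage for the encryption outcome described above: finds directories
that received the read_it.txt ransom note and files renamed with a random
four-character extension whose contents look encrypted. Added example, not
FortiGuard tooling; thresholds and the sample tree are assumptions."""
import math
import os
import re
import shutil
import tempfile
from collections import Counter

RANSOM_NOTE = "read_it.txt"
# Ordinary extensions that are also four alphanumerics; extend for your estate (assumption).
KNOWN_4CHAR_EXTS = {"docx", "xlsx", "pptx", "jpeg", "html", "json", "yaml", "webp", "java", "tiff"}
FOUR_CHAR_EXT = re.compile(r"^[A-Za-z0-9]{4}$")
ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext sits near 8.0 (assumed cut-off)


def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path, sample_size=4096):
    """True when the first sample_size bytes are high-entropy and long enough to judge."""
    with open(path, "rb") as f:
        head = f.read(sample_size)
    return len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD


def has_random_extension(name):
    """True for names like report.docx.k3x9 whose final extension is four alphanumerics
    and not a known ordinary one."""
    stem, dot, ext = name.rpartition(".")
    return bool(dot and stem) and bool(FOUR_CHAR_EXT.match(ext)) and ext.lower() not in KNOWN_4CHAR_EXTS


def triage(root):
    """Walk root and bucket what is found; paths are returned relative to root with '/'."""
    report = {"note_dirs": [], "encrypted_files": [], "suspect_files": []}
    for dirpath, _subdirs, files in os.walk(root):
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        if RANSOM_NOTE in (f.lower() for f in files):
            report["note_dirs"].append(rel)
        for name in files:
            if not has_random_extension(name):
                continue
            path = os.path.join(dirpath, name)
            # Random extension plus high entropy = encrypted; random extension alone = look closer.
            bucket = "encrypted_files" if looks_encrypted(path) else "suspect_files"
            report[bucket].append(name if rel == "." else rel + "/" + name)
    return report


def build_sample_tree(root):
    """Constructed victim tree: one directory hit by the ransomware, one untouched."""
    hit = os.path.join(root, "docs")
    clean = os.path.join(root, "clean")
    os.makedirs(hit)
    os.makedirs(clean)
    with open(os.path.join(hit, "report.docx.k3x9"), "wb") as f:
        f.write(bytes(range(256)) * 16)            # stands in for ciphertext (entropy exactly 8.0)
    with open(os.path.join(hit, "small.ab12"), "wb") as f:
        f.write(b"not really encrypted\n" * 20)   # random-looking extension, plaintext body
    with open(os.path.join(hit, "photo.jpeg"), "wb") as f:
        f.write(b"\xff\xd8" + b"\x00" * 512)       # known extension, ignored
    with open(os.path.join(hit, RANSOM_NOTE), "w") as f:
        f.write("placeholder ransom note text\n")  # constructed, not the real note
    with open(os.path.join(clean, "readme.txt"), "w") as f:
        f.write("untouched\n")


def run_demo():
    """Build the sample tree in a temp dir, triage it, clean up, return the report."""
    root = tempfile.mkdtemp(prefix="dark101_triage_")
    try:
        build_sample_tree(root)
        return triage(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for bucket, entries in run_demo().items():
        print(bucket, entries)
```

On the constructed tree the docs directory is reported as a note location, report.docx.k3x9 lands in encrypted_files and small.ab12 in suspect_files. Entropy alone is not proof of encryption, since compressed formats such as zip and docx already score close to 8.0, which is why the script only measures it on files that also carry the unexpected extension and why the ransom-note location is reported separately.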
With the ransom note deployed and encryption complete, the execution phase of the Dark 101 ransomware is complete. At this point, the malware has disabled recovery options, encrypted valuable files, and left payment instructions to coerce the victim into compliance. FortiSandbox successfully captured each stage of the attack—from evasion and execution to encryption and extortion, enabling comprehensive behavioral analysis and the extraction of threat intelligence.
MITRE ATT&CK
The table below lists the techniques used by the ransomware.
This analysis of Dark 101 ransomware highlights the sophistication of modern malware and the need for proactive defense. FortiSandbox effectively detects and documents malicious behavior, showcasing its critical role in protecting against evolving cyber threats.
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
MSIL/Kryptik.SAC!tr.ransom
The FortiGuard AntiVirus engine is part of the FortiGate, FortiMail, FortiClient, and FortiEDR solutions. Customers who have these products with up-to-date protections are protected.
FortiGuard Sandbox service detects the ransomware file as High Risk in the Ransomware category.
We also suggest that our readers go through the free NSE training: NSE 1 – Information Security Awareness, a module on Internet threats designed to help end-users learn how to identify and protect themselves from phishing attacks.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
IOCs
MD5: ae3dd3d1eedb6835e6746d51d9ab21c6
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1
Commands:
vssadmin delete shadows /all /quiet
wmic shadowcopy delete
wbadmin delete catalog -quiet
Dropped copy: %APPDATA%\svchost.exe
Ransom note: read_it.txt