Wednesday, July 23, 2025

Dark 101 Ransomware With Weaponized .NET Binary Disables Recovery Mode and Task Manager


A new ransomware strain, Dark 101, combines analysis-environment checks with deliberate destruction of Windows recovery mechanisms, a combination that makes clean restoration after infection considerably harder.

Dark 101 is delivered as an obfuscated .NET binary that runs a multi-stage attack: it checks where it is executing, encrypts files, removes shadow copies and backup catalogs, and disables Task Manager so the victim cannot easily interrupt it.

The malware operates through a carefully orchestrated infection chain that begins with environmental detection and proceeds through file encryption, system modification, and ransom deployment.

Its primary objectives include encrypting personal files, eliminating backup copies and catalogs, disabling critical system recovery features, and blocking access to Task Manager to prevent user intervention.

The ransomware ultimately demands Bitcoin payment for file decryption, following established criminal monetization patterns.

Fortinet analysts identified the threat through behavioral analysis in FortiSandbox 5.0, which captured the malware's full attack sequence despite its evasion checks.

The researchers documented that the ransomware tries to detect analysis environments by checking its execution location and sleeping for an extended period when it is running outside the directory it expects, a common way of waiting out a sandbox's analysis window.

The malware copies itself into the %AppData% folder under the filename "svchost.exe", borrowing the name of the legitimate Windows service host process.

The genuine svchost.exe lives in C:\Windows\System32 (and SysWOW64 on 64-bit systems), so the disguise only works against users and tooling that look at the process name but not its path; a process named svchost.exe launched from a user's AppData directory is itself a strong indicator of compromise.

Registry Manipulation and Recovery Disabling

Dark 101’s most destructive capability lies in its systematic elimination of recovery options through targeted system commands and registry modifications.

Chain of execution of the ransomware (Source – Fortinet)

The ransomware executes a series of commands designed to permanently remove restoration possibilities, including “vssadmin delete shadows /all /quiet,” “wmic shadowcopy delete,” and “wbadmin delete catalog -quiet.”

Together these commands delete all Volume Shadow Copies and the Windows Backup catalog, removing access to previous file versions and to system image backups, which is why they are among the most reliable early warnings of a ransomware run.

Simultaneously, the malware modifies the Windows Registry by setting the DisableTaskMgr value to 1 under the HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System key.

This modification prevents users from accessing Task Manager, hindering their ability to terminate malicious processes or monitor system activity.

DisableTaskMgr is a policy value rather than a persistence mechanism: it stays in effect until the value is deleted or reset to 0, so the victim remains locked out of Task Manager even after the encryption run has finished.
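The three behaviours described above (svchost.exe running from outside System32, the shadow-copy and backup-catalog deletion commands, and DisableTaskMgr being set to 1) are all visible in ordinary endpoint telemetry. The following is an added example, not Fortinet's analysis code or anything from the Dark 101 sample: a small triage scanner over Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) events. The event records are a constructed, simplified dict form of those events, and the sample events are made up for the demonstration; field names (Image, CommandLine, TargetObject, Details) follow Sysmon's, including its habit of logging HKCU as HKU\<SID>.

```python
"""Added example: flag Dark 101-style behaviours in Sysmon-like events.
Not code from Fortinet or from the malware; event format is a constructed
simplification of Sysmon Event IDs 1 and 13."""

import re

# Directories where a real svchost.exe is expected to live (lower-cased).
LEGIT_SVCHOST_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Command lines the article attributes to Dark 101. "vssadmin list shadows"
# is deliberately NOT matched: only deletion is suspicious on its own.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "CommandLine": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": r"wmic shadowcopy delete"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbadmin.exe",
     "CommandLine": r"wbadmin delete catalog -quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": r"vssadmin list shadows"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "Details": "DWORD (0x00000000)"},  # an admin resetting it: benign
]


def is_masquerading_svchost(image: str) -> bool:
    """True when a process is named svchost.exe but not in a system directory."""
    p = image.lower()
    return p.endswith("\\svchost.exe") and not p.startswith(LEGIT_SVCHOST_DIRS)


def is_shadow_copy_deletion(cmdline: str) -> bool:
    """True when the command line deletes shadow copies or the backup catalog."""
    return any(pat.search(cmdline) for pat in SHADOW_DELETE_PATTERNS)


def is_taskmgr_disable(target: str, details: str) -> bool:
    """True when the Policies\\System\\DisableTaskMgr value is set to 1."""
    if not target.lower().endswith("\\policies\\system\\disabletaskmgr"):
        return False
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    return m is not None and int(m.group(1), 16) == 1


def scan(events):
    """Return (event index, finding name) pairs for every suspicious event."""
    findings = []
    for i, ev in enumerate(events):
        if ev["EventID"] == 1:
            if is_masquerading_svchost(ev["Image"]):
                findings.append((i, "svchost_masquerade"))
            if is_shadow_copy_deletion(ev["CommandLine"]):
                findings.append((i, "shadow_copy_deletion"))
        elif ev["EventID"] == 13:
            if is_taskmgr_disable(ev["TargetObject"], ev["Details"]):
                findings.append((i, "taskmgr_disabled"))
    return findings


def matches_dark101_chain(findings) -> bool:
    """All three behaviours seen together: treat as a ransomware run, not noise."""
    seen = {name for _, name in findings}
    return {"svchost_masquerade", "shadow_copy_deletion", "taskmgr_disabled"} <= seen


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for idx, name in hits:
        print(f"event {idx}: {name}")
    print("Dark 101-style chain:", matches_dark101_chain(hits))
```

Each rule alone has benign hits (administrators do delete old shadow copies, and an admin can legitimately reset DisableTaskMgr), so the chain check raises confidence by requiring all three on the same host; in a real pipeline the events would also be keyed by host and by a short time window rather than scanned as one flat list.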

The malware targets user-accessible directories holding personal and business data and avoids critical system files, so the machine stays bootable and the victim can still read the ransom note and pay.

Once encryption begins, files receive randomly generated four-character extensions, and ransom notes named “read_it.txt” are deployed across affected directories, demanding $1,500 in Bitcoin payment.

