Ransom.Win32.DARKSIDE.FAIN

April 21, 2021

Analysis by: Clive Fuentebella

ALIASES:

TScope.Trojan.Delf (VBA32)

PLATFORM:

Windows

OVERALL RISK RATING:

DAMAGE POTENTIAL:

DISTRIBUTION POTENTIAL:

REPORTED INFECTION:

INFORMATION EXPOSURE:

Threat Type: Ransomware
Destructiveness: No
Encrypted: Yes
In the wild: Yes

OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It drops files as ransom note. It avoids encrypting files with the following file extensions.

TECHNICAL DETAILS

File Size: 2,134,528 bytes

File Type: EXE

Memory Resident: Yes

Payload: Modifies system registry, Terminates processes

Arrival Details

This Ransomware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Ransomware drops the following files:

%AppDataLocal%\{Random characters}.ico (Icon for encrypted files)

(Note: %AppDataLocal% is the Local Application Data folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Application Data on Windows 2000(32-bit), XP, and Server 2003(32-bit), or C:\Users\{user name}\AppData\Local on Windows Vista, 7, 8, 8.1, 2008(64-bit), 2012(64-bit) and 10(64-bit).)

It adds the following processes:

{Malware file path and name}

Other System Modifications

This Ransomware adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
.{Random characters}
(Default) = {Random characters}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
{Random chracters}\DefaultIcon
(Default) = %AppDataLocal%\{Random characters}.ico

Process Termination

This Ransomware terminates the following services if found on the affected system:

vss
sql
svc$
memtas
mepocs
sophos
veeam
backup
GxVss
GxBlr
GxFWD
GxCVD
GxCIMgr

It terminates the following processes if found running in the affected system's memory:

sql
oracle
ocssd
dbsnmp
synctime
agntsvc
isqlplussvc
xfssvccon
mydesktopservice
ocautoupds
encsvc
firefox
tbirdconfig
mydesktopqos
ocomm
dbeng50
sqbcoreservice
excel
infopath
msaccess
mspub
onenote
outlook
powerpnt
steam
thebat
thunderbird
visio
winword
wordpad
notepad

Other Details

This Ransomware does the following:

It empties the recycle bin.
It deletes shadow copies.

Ransomware Routine

This Ransomware avoids encrypting files with the following strings in their file path:

$recycle bin
config.msi
$windows.~bt
$windows.~ws
windows
appdata
application data
boot
google
mozilla
program files
program files (x86)
programdatasystem
volume information
tor browser
windows.old
intel
msocache
perflogs
x64dbg
public
all users
default
autorun.inf
boot.ini
bootfont.bin
bootsect.bak
desktop.ini
iconcache.db
ntldr
ntuser.dat
ntuser.dat.log
ntuser.ini
thumbs.db

It drops the following file(s) as ransom note:

{Encrypted folder}\README.{Random characters}.TXT

It avoids encrypting files with the following file extensions:

386
adv
ani
bat
bin
cab
cmd
com
cpl
cur
deskthemepack
diagcab
diagcfg
diagpkg
dll
drv
exe
hlp
icl
icns
ico
ics
idx
ldf
lnk
mod
mpa
msc
msp
msstyles
msu
nls
nomedia
ocx
prf
ps1
rom
rtp
scr
shs
spl
sys
theme
themepack
wpx
lock
key
hta
msi
pdb
{Appended extension}

SOLUTION

Minimum Scan Engine: 9.800

FIRST VSAPI PATTERN FILE: 16.572.03

FIRST VSAPI PATTERN DATE: 03 Mar 2021

VSAPI OPR PATTERN File: 16.573.00

VSAPI OPR PATTERN Date: 04 Mar 2021

Step 1

Trend Micro Predictive Machine Learning detects and blocks malware at the first sign of its existence, before it executes on your system. When enabled, your Trend Micro product detects this malware under the following machine learning name:

Troj.Win32.TRX.XXPE50FFF042

Step 2

Before doing any scans, Windows 7, Windows 8, Windows 8.1, and Windows 10 users must disable System Restore to allow full scanning of their computers.

Step 3

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 4

Restart in Safe Mode

[ Learn More ]

Step 5

Delete this registry value

[ Learn More ]

Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.

In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.{Random characters}
- (Default)={Random characters}
In HKEY_LOCAL_MACHINE\SOFTWARE\Classes\{Random chracters}\DefaultIcon
- (Default)=%AppDataLocal%\{Random characters}.ico

Step 6

Search and delete these files

[ Learn More ]

There may be some files that are hidden. Please make sure you check the Search Hidden Files and Folders checkbox in the "More advanced options" option to include all hidden files and folders in the search result.

%AppDataLocal%\{Random characters}.ico (Icon for encrypted files)

{Encrypted folder}\README.{Random characters}.TXT

Step 7

Restart in normal mode and scan your computer with your Trend Micro product for files detected as Ransom.Win32.DARKSIDE.FAIN. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 8

Restore encrypted files from backup.

Did this description help? Tell us how we did.

Ransom.Win32.DARKSIDE.FAIN

OVERVIEW

TECHNICAL DETAILS

SOLUTION

Trend Vision One™ - Proactive Security Starts Here.

Resources

Support

About Trend

Country Headquarters