Skip to content

Hide Navigation Hide TOC

darkrace (b6aa46b3-46f5-522f-931f-b1ac57e8aadc)

DarkRace is a moderately destructive ransomware strain observed since 2024. It encrypts files and appends a randomized extension (e.g., .1352FF327) that varies per victim. Implemented as a 32-bit Windows application, it disables antivirus defenses, deletes volume shadow copies, terminates processes, and drops ransom note files for payment negotiation. Technical weaknesses in its encryption have enabled developers to produce a universal decryptor that works against DarkRace and related variants.

Cluster A Galaxy A Cluster B Galaxy B Level
darkrace (b6aa46b3-46f5-522f-931f-b1ac57e8aadc) Ransomware donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Scripting - T1064 (7fd87010-3a00-4da3-b905-410525e8ec44) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern 3
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3