Skip to content

Hide Navigation Hide TOC

darkrace (b6aa46b3-46f5-522f-931f-b1ac57e8aadc)

DarkRace is a moderately destructive ransomware strain observed since 2024. It encrypts files and appends a randomized extension (e.g., .1352FF327) that varies per victim. Implemented as a 32-bit Windows application, it disables antivirus defenses, deletes volume shadow copies, terminates processes, and drops ransom note files for payment negotiation. Technical weaknesses in its encryption have enabled developers to produce a universal decryptor that works against DarkRace and related variants.

Cluster A Galaxy A Cluster B Galaxy B Level
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware darkrace (b6aa46b3-46f5-522f-931f-b1ac57e8aadc) Ransomware 1
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Scripting - T1064 (7fd87010-3a00-4da3-b905-410525e8ec44) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) Attack Pattern 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 2
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Indirect Command Execution - T1202 (3b0e52ce-517a-4614-a523-1bd5deef6c5e) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
donex (bc89266b-31d5-5627-9d1d-822ff84792be) Ransomware Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3