DARKKUR Ransomware Encrypts Victim Systems

DARKKUR is ransomware: it encrypts the victim's data and then demands a ransom in exchange for decryption. It renames each encrypted file by appending a unique victim-specific ID, the attackers' email address, and an extension.

The extension varies by variant and includes ".timecrystal1", ".DARKKUR1" and ".DarkCrypt". For example, during testing on our machine, the variant using the ".timecrystal1" extension renamed a file called "1.jpg" to "1.jpg.[AE3419DE[TimeCrystal@zohomail.eu].timecrystal1".

Once encryption is complete, DARKKUR drops and displays ransom notes in two formats: a pop-up window ("info.hta") and a text file ("ReadMe.txt"). Both notes carry the same message in different wording: the victim's files have been encrypted, and the only way to regain access is to buy the decryption keys/tools from the attackers.
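As an added example (not code from the original article, and nothing to do with the malware itself), the following Python helper triages a file listing for the two indicators described above: file names rewritten in the DARKKUR pattern, and the two ransom-note names. The sample listing is constructed; the regex accepts both the fully bracketed `[ID][email]` form and the bracketing exactly as printed in the "1.jpg" example, and the extension list is taken from the write-up.

```python
import re
from typing import Optional

# Extensions the write-up above reports on DARKKUR-encrypted files.
DARKKUR_EXTENSIONS = ("timecrystal1", "DARKKUR1", "DarkCrypt")
# Ransom note file names the write-up reports DARKKUR dropping.
RANSOM_NOTE_NAMES = {"info.hta", "ReadMe.txt"}

# <original name>.[<victim ID>][<attacker e-mail>].<extension>; the "]" after the
# ID is optional so "1.jpg.[AE3419DE[TimeCrystal@zohomail.eu].timecrystal1" matches too.
ENCRYPTED_NAME_RE = re.compile(
    r"^(?P<original>.+?)\.\[(?P<victim_id>[0-9A-Fa-f]+)\]?"
    r"\[(?P<email>[^\[\]\s]+@[^\[\]\s]+)\]\.(?P<ext>"
    + "|".join(re.escape(e) for e in DARKKUR_EXTENSIONS) + r")$"
)

def basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]

def parse_encrypted_name(name: str) -> Optional[dict]:
    """Split a DARKKUR-style file name into its parts, or None if it does not match."""
    m = ENCRYPTED_NAME_RE.match(basename(name))
    return m.groupdict() if m else None

def triage(paths: list) -> dict:
    """Sort a file listing into encrypted files and ransom notes; collect IDs and e-mails."""
    report = {"encrypted": [], "notes": [], "victim_ids": set(), "emails": set()}
    for path in paths:
        name = basename(path)
        if name in RANSOM_NOTE_NAMES:
            report["notes"].append(path)
            continue
        parts = parse_encrypted_name(name)
        if parts:
            report["encrypted"].append(path)
            report["victim_ids"].add(parts["victim_id"].upper())
            report["emails"].add(parts["email"].lower())
    return report

# Constructed sample listing for an offline run (the paths are made up).
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\1.jpg.[AE3419DE[TimeCrystal@zohomail.eu].timecrystal1",
    r"C:\Users\alice\Documents\budget.xlsx.[AE3419DE][TimeCrystal@skiff.com].DARKKUR1",
    r"C:\Users\alice\Documents\info.hta",
    r"C:\Users\alice\Documents\ReadMe.txt",
    r"C:\Users\alice\Documents\notes.txt",  # untouched file, must not be flagged
]
```

Calling `triage(SAMPLE_LISTING)` returns two encrypted files, two notes, the victim ID `AE3419DE` and both contact addresses; on a real host, feed it the output of a read-only directory walk rather than touching the files.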

Neither message states the size of the ransom, but both stress that it must be paid in Bitcoin. Before paying, victims may test the decryption by sending the criminals two encrypted files that meet the size and content limits set out in the note.

The ransom notes also warn against modifying the affected files or using third-party decryption tools, claiming that doing so may cause permanent data loss.

DARKKUR Ransom Note Promises Decryption of Two Files

The full text of the DARKKUR ransom note reads as follows:

All your files have been encrypted by DARKKUR!

due to a security problem with your PC. If you want to restore them, write us to the e-mail TimeCrystal@skiff.com
Write this ID in the title of your message:-
In case of no answer in 24 hours write us to this e-mail:TimeCrystal@zohomail.eu
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 2 files for free decryption. The total size of files must be less than 4Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
hxxps://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
hxxp://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

How Are Ransomware Payloads Like DARKKUR Usually Distributed?

Ransomware payloads like DARKKUR are distributed through a range of methods, with the operators choosing tactics that maximize reach and infect as many systems as possible. Common distribution methods include:

  • Phishing Emails: Cybercriminals often send out phishing emails disguised as legitimate messages from reputable organizations or individuals. These emails may contain malicious attachments, such as infected documents or executable files, or they may include malicious links that lead to the download of the ransomware payload.
  • Malicious Downloads: Ransomware can be distributed through malicious downloads from compromised or malicious websites. This can include fake software updates, cracked software, pirated content, or downloads from untrustworthy sources.
  • Exploit Kits: Cybercriminals take advantage of software vulnerabilities in popular applications, such as web browsers, to deliver ransomware payloads. They use exploit kits, which are automated tools that identify and exploit these vulnerabilities, enabling the malware to be downloaded and executed on the victim's system without their knowledge.
  • Remote Desktop Protocol (RDP) Attacks: Ransomware attackers may target systems that have weak or poorly configured Remote Desktop Protocol (RDP) connections. By gaining unauthorized access to the system, they can manually install and execute the ransomware payload.
  • Malvertising: Cybercriminals utilize malicious advertising (malvertising) to distribute ransomware. They inject malicious code into legitimate online advertisements, which, when clicked on, redirects the user to a website that hosts the ransomware payload.
  • Drive-by Downloads: In this method, ransomware is delivered through compromised websites. When a user visits an infected website, the ransomware payload is automatically downloaded and executed on their system without their interaction or knowledge.

These are only the most common distribution methods; attackers keep refining their techniques and exploring new avenues to spread ransomware and raise their chances of infecting vulnerable systems. It is therefore essential to exercise caution, keep security software up to date, and practice good cybersecurity hygiene to reduce the risk of a ransomware infection.

June 29, 2023
