Dark ransomware (virus) - Recovery Instructions Included

What is Dark ransomware?

Dark ransomware is a VoidCrypt variant that demands ransom payment for a decryption tool

Dark ransomware is a file-locking virus that affects all personal data

Dark ransomware is a data-encrypting virus that was made by cybercriminals for money extortion. This Windows virus enters users' machines using some kind of phishing methods, such as spam emails or repackaged software installers. Once on the system, it immediately looks for documents, databases, pictures, and other valuable files and ends up locking them with sophisticated encryption algorithms RSA and AES.^[1]

From this point in time, users can no longer open personal data on the system, although it is important to note that it's not corrupted. Each of the files is appended with .(ID)((Darksight@tutanota.com).dark extension, and are stripped from their default icons – blank icons are used instead. In order to unlock these files, the cybercriminals behind the attack are asking to pay a ransom in bitcoin, a highly anonymous digital currency.

For information purposes, the Dark ransomware virus delivers a ransom note titled unlock-info.txt. In it, users can find out the communication emails (Darksight@tutanota.com, darksight@mailfence.com) and what they need to do to recover their files. We recommend avoiding any contact with malicious actors, as the chance of being scammed remains relatively high.

VoidCrypt and its characteristics

Dark ransomware virus stems from quite a prominent malware family known as VoidCrypt, which first appeared on the web in the spring of 2020 from its predecessor Ouroboros malware. These ransomware variants have already been described by us previously and include names such as 1more, Linda, Moonshadow, and many others. Not all victims that pay the ransom receive the decryption tool, so cooperating with crooks behind this strain is quite risky.

This malware family is known for its usage of rather extensive combinations of extensions that are appended to the affected files. They usually incorporate a unique user ID, a contact email, and an extension such as Dark. While initial versions use a combination of AES and RSA to lock data, the encryption method may vary slightly from version to version.

The ransom note

The ransom note unlock-info.txt is delivered right after the file encryption process is complete. This is a very typical ransomware behavior – once the main job is finished, the malware authors are keen to let victims know what has happened to their files so they can hurry with the payment. Here's the full message of the Dark ransomware:

All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail; Darksight@tutanota.com
Write this ID in the title of your message :
In case of no answer in 24 hours write us to theese e-mails: darksight@mailfence.com
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.

Free decryption as guarantee
Before paying you can send us up to 1 file for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)

How to obtain Bitcoins
The easiest way to buy bitcoins is LocalBitcoins site. You have to register, click 'Buy bitcoins', and select the seller by payment method and price.
https://localbitcoins.com/buy_bitcoins
Also you can find other places to buy Bitcoins and beginners guide here:
http://www.coindesk.com/information/how-can-i-buy-bitcoins/

Attention!
Do not rename encrypted files.
Do not try to decrypt your data using third party software, it may cause permanent data loss.
Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

While the attackers are talking about being scammed, they are the people who can scam you. The illegal business practices alone should warrant you not trusting them, so we highly advise you not to communicate with them. If you agree to pay, it will show crooks that their operations work as intended and prompt them to exploit more innocent people. Instead, we advise trying alternative data recovery solutions we provide below.

Ransom note is delivered right after malware finishes the encryption process

Remove the virus

You should never attempt to recover your data straight away, as the infection could still be very active in your system to encrypt all the incoming files. While many ransomware infections self-destruct after performing the data locking process, they are also very well known for being spread along other malware or could use additional modules for data stealing or other malicious purposes.

Therefore, the first thing you should do is download and install SpyHunter 5Combo Cleaner, Malwarebytes, or another reputable security software and perform a full system scan. It would be best to disconnect your device from the network first – you can simply pull out your internet cable or disconnect the Wi-Fi connection. If this attempt is unsuccessful, you can access Safe Mode and remove the virus from there:

Windows 7 / Vista / XP

1. Click Start > Shutdown > Restart > OK.
2. When your computer becomes active, start pressing the F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
3. Select Safe Mode with Networking from the list.

Windows 10 / Windows 8

1. Right-click on the Start button and select Settings.
   
2. Scroll down to pick Update & Security.
3. On the left side of the window, pick Recovery.
4. Now scroll down to find the Advanced Startup section.
5. Click Restart now.
6. Select Troubleshoot.
7. Go to Advanced options.
8. Select Startup Settings.
9. Click Restart.
10. Press 5 or click 5) Enable Safe Mode with Networking.

How to recover .dark files without paying?

Those infected by ransomware have never had it happen before, hence they often don't know where to start. There are also a lot of assumptions about how ransomware and its encryption process works, a lot of which are not quite correct.

For example, some users believe that their personal files would be reverted to normal as soon as they perform a full system scan with security software. This is not correct at all, as anti-malware is not designed to restore ransomware-locked files – its main goal is to remove infected files from the system to ensure its integrity.

Likewise, some people believe that ransomware-affected data is permanently damaged, which is not true either. There is a chance of restoring it, either by acquiring a unique decryption key (which is in possession of cybercriminals) or by applying alternative methods – waiting for a free decrytpion software to be developed is one of the options. Below you will find links that could be useful to find a decryption tool if such were created in the future:

• No More Ransom Project
• Free Ransomware Decryptors by Kaspersky
• Free Ransomware Decryption Tools from Emsisoft
• Avast decryptors

While it is unlikely to restore all encrypted files using recovery software, it is not impossible. For some users, this option may work very well, while for others – not so much. Nonetheless, we recommend trying it:

Note: Make sure you make backups of locked files before you proceed, or you might corrupt them beyond repair

• Download Data Recovery Pro.
• Double-click the installer to launch it.
  
• Follow on-screen instructions to install the software.
• As soon as you press Finish, you can use the app.
• Select Everything or pick individual folders where you want the files to be recovered from.
• Press Next.
• At the bottom, enable Deep scan and pick which Disks you want to be scanned.
• Press Scan and wait till it is complete.
• You can now pick which folders/files to recover – don't forget you also have the option to search by the file name!
• Press Recover to retrieve your files.

Malware can cause serious damage to Windows systems to the point where a full reinstallation could be required. For example, an infection can alter the Windows registry^[2] database, damage bootup, and other sections, delete or corrupt DLL files,^[3] etc. Antivirus software can't repair damaged files, and a specialized app should be used instead – FortectIntego is one of the best choices out there.