Dark 101 Ransomware Leverages .NET Binary to Disable Recovery Features

Industry
Written by Anthony M. Freed
Published on Jul 17, 2025

A newly identified ransomware strain known as Dark 101 demonstrates an advanced and destructive approach to disrupting targeted systems, Daily Tech Feed reports.

Researchers observed that the malware begins its infection chain by assessing the execution environment to evade sandboxing and automated analysis tools. It checks the file path and introduces artificial delays if it is not running from an expected directory, hindering dynamic analysis.  

Once satisfied, the malware copies itself into the %Appdata% folder under the trusted name “svchost.exe” to blend in with legitimate Windows processes and bypass endpoint defenses that rely on filename heuristics.

Dark 101 employs multiple techniques to aggressively disable system recovery options and increase pressure on victims. It executes a series of commands, including vssadmin delete shadows /all /quiet, wmic shadowcopy delete, and wbadmin delete catalog -quiet, to eliminate Volume Shadow Copies and Windows Backup catalogs. This effectively cuts off access to previous file versions and system images.

The ransomware also modifies the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System to set DisableTaskMgr=1, preventing users from launching Task Manager to investigate or kill the malware process.
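As an added example (not code from the original article or from Halcyon), the pre-encryption behaviours described above can be turned into simple detection rules run over endpoint telemetry; the Sysmon-style event dicts, the user name and the SID below are constructed for the illustration.

```python
"""Toy detection rules for the pre-encryption Dark 101 behaviours above:
recovery-inhibition commands, svchost.exe running outside System32, and the
DisableTaskMgr policy write. Events mimic Sysmon IDs 1 and 13; all constructed."""
import re
from pathlib import PureWindowsPath

# Command lines from the article; regexes tolerate an .exe suffix and spacing.
RECOVERY_INHIBIT = [
    (re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I), "vssadmin_delete_shadows"),
    (re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I), "wmic_shadowcopy_delete"),
    (re.compile(r"\bwbadmin(\.exe)?\s+delete\s+catalog", re.I), "wbadmin_delete_catalog"),
]
LEGIT_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
TASKMGR_POLICY = re.compile(r"\\policies\\system\\disabletaskmgr$", re.I)

def classify(event):
    """Return the rule names this event trips (empty list if nothing fires)."""
    hits = []
    if event["EventID"] == 1:  # process creation
        cmd = event.get("CommandLine", "")
        hits += [name for rx, name in RECOVERY_INHIBIT if rx.search(cmd)]
        image = PureWindowsPath(event.get("Image", ""))
        if image.name.lower() == "svchost.exe" and \
                str(image.parent).lower() not in LEGIT_SVCHOST_DIRS:
            hits.append("svchost_outside_system32")
    elif event["EventID"] == 13:  # registry value set
        if TASKMGR_POLICY.search(event.get("TargetObject", "")) and \
                event.get("Details", "").lower() in ("dword (0x00000001)", "1"):
            hits.append("taskmgr_disabled_by_policy")
    return hits

def scan(events):
    """Map event index -> rules for every event that trips at least one rule."""
    findings = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            findings[i] = hits
    return findings

# Constructed sample telemetry (not captured from a real host).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\svchost.exe", "CommandLine": "svchost.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c vssadmin delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic shadowcopy delete"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wbadmin.exe", "CommandLine": "wbadmin delete catalog -quiet"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", "Details": "DWORD (0x00000001)"},
]
```

The first event (a genuine System32 svchost.exe) trips nothing, while the AppData copy, the three recovery-inhibition commands and the policy write each fire exactly one rule.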

In addition, Dark 101 uses mutex objects to prevent multiple instances of itself from running and potentially conflicting, and it performs selective directory targeting to prioritize user data over system files.  

Once the system defenses are neutralized, it begins encrypting files in accessible directories, appending random four-character extensions to obscure original file types and complicate recovery.  

Takeaway: Attackers are not just encrypting your files anymore. They are going straight for your ability to recover. Groups like the ones deploying Dark 101 are deliberately targeting backup infrastructure and recovery processes because they know that's what buys them leverage.

They are not guessing. They are executing. Volume Shadow Copies, backup catalogs, anything that could help you get back online without paying the ransom gets wiped out early in the attack chain. By the time you see the ransom note, your best hope of recovery has already been deleted.

And now we are seeing attackers go even further, exploiting vulnerabilities in backup solutions like Veeam to escalate privileges, steal credentials, and move laterally across the network. If your tooling cannot see it and stop it there, you are already behind.

Backups are necessary and highly recommended, no question. They are table stakes for disaster recovery and business continuity. But if your ransomware response plan begins and ends with backups, you are playing defense way too late in the game.

Even if backups survive the attack, restoring at scale is a nightmare. You are talking about reimaging hundreds or thousands of endpoints, coordinating across business units, dealing with lost data, and doing it all while under pressure from executives, customers, and the media. That is not a win. That is containment by brute force.

Speed to recovery matters. So does precision. The only real way to win is to catch these attacks before the encryption process kicks off. Look at what Dark 101 is doing. It is checking where it runs, renaming itself to look like a trusted process, issuing system-level commands, modifying registry keys. That is all detectable activity happening early in the chain.

The signal is there. The challenge is building visibility and response capabilities to intercept the attack before impact. Ransomware succeeds when defenders are forced to react instead of proactively disrupting the kill chain.
