Threat Analysis Unit

BlackSun Ransomware – The Dark Side of PowerShell

This article was authored by Pavankumar Chaudhari (TAU)


Recently, the VMware Threat Analysis Unit analyzed BlackSun ransomware, a PowerShell-based ransomware. Unlike most other PowerShell-based ransomware it doesn’t download a payload or reflectively load a DLL or EXE into memory.  Looking at the simplicity of code it is unclear if it is used for limited attacks or a proof-of-concept purpose, but it has effective methods that are potentially being used by ransomware.

BlackSun contained the below features:

  • Ability to destroy local and network backups
  • Self-propagation within a local network
  • Start encryption at a specific time
  • Upload ransomware logs at FTP location
  • Clear event logs
  • Split encryption activity into multiple background jobs to speed-up encryption

Behavioral Summary

The execution of BlackSun, shown in Figure 1, shows very limited subprocesses. It will use additional execution of PowerShell for running internal capabilities, as well as the use of net.exe to map network drives.

Figure 1: Process chain showing the execution history of BlackSun

Encryption Routine:

Before starting any activity BlackSun checks if another instance is already running. It checks for presence of PowerShell process with its own script name as command line argument using the code shown in Figure 2.

Figure 2: Code to check if script is already running

BlackSun encrypts files using AES256 algorithm. The AES key is encrypted with X.509 public key certificate, hardcoded in code as shown in Figure 3.

Figure 3: Encryption code

BlackSun splits task into multiple background jobs to speed-up encryption process. The count of jobs is calculated by the number of total files, referenced in Figure 4 as $intTotalCount, and the number of CPU cores, referenced as $intCoresCount.

Figure 4: Code to divide encryption activity into multiple jobs

The malware keeps list of file extension to encrypt hardcoded in an array. The table below notes the file extensions used in the code:

.ldf .bak .exp .FORM .PROG .DATA .edb .FAD .png .bmp
.png .p12 .mdf .wb2 .psd .p7c .p7b .asp .php .incpas
.7z .zip .rar .drf .blend .apj .3ds .dwg .dwl .sda
.pat .pfx .crt .cer .der .fxg .fhd .fh .dxb .drw
.design .ddrw .ddoc .dcs .csl .csh .cpi .cgm .cdx .cdrw
.cdr6 .cdr5 .xlsm .cdr4 .cdr3 .cdr .awg .ait .ai .agd1
.ycbcra .x3f .stx .st8 .st7 .st6 .st5 .st4 .srw .srf
.sr2 .sd1 .sd0 .rwz .rwl .rw2 .raw .raf .ra2 .ptx
.pef .pcd .orf .nwb .nrw .nop .nef .ndd .mrw .xlsb
.mos .mfw .mef .mdc .iiq .gry .grey .gray .fpx .fff
.exf .erf .dng .dcr .dc2 .crw .p12 .xltx .craw .cr2
.cmt .cib .ce2 .ce1 .arw .arw .3pr .3fr .mpg .jpeg
.jpg .mdb .sqlitedb .sqlite3 .sqlite .sql .sdf .sav .sas7bdat .s3db
.rdb .psafe3 .nyf .nx2 .nx1 .nsh .nsg .nsf .nsd .ns4
.ns3 .ns2 .myd .kpdx .kdbx .idx .ibz .ibd .fdb .erbsql
.db3 .dbf .db-journal .cls .bdb .adb .backupdb .bik .xlsx .backup
.bkp .moneywell .mmw .ibank .hbk .ffd .dgc .ddd .dac .cfp
.cdf .bpw .bgt .acr .ac2 .xltm .ab4 .djvu .pdf .sxm
.odf .std .sxd .otg .sti .sxi .otp .odg .odp .stc
.sxc .ots .ods .sxg .stw .sxw .odm .oth .ott .odt
.odb .csv .rtf .accdr .accdt .accde .accdb .sldm .sldx .ppsm
.ppsx .ppam .potm .potx .pptm .pptx .pps .pot .ppt .xlw
.xll .xlam .xla .dotx .docm .docx .dot .doc .xlm .xlt
.xls .dotm


Some folder and files are excluded from encryption. The list of such folders/files is present in code, shown in Figure 5.

Figure 5: List of file/folders to skip

Encrypted files will have a .BlackSun extension. After encryption a ransom note is written in each folder as BlackSun_README.txt. BlackSun will also change the desktop wallpaper of infected systems to an embedded image encoded as Base64 data. After decoding, this wallpaper is created at c:\users\public\pictures\blacksun.jpg. The desktop wallpaper seen in this sample is shown in Figure 6.

Figure 6: Desktop wallpaper and ransom note

Network Propagation:

BlackSun has network propagation functionality which allows it to infect other machines in local network. First, it retrieves IP addresses in the victim’s network using the PowerShell Get-NetNeighbor cmdlet and Get-NetworkRange() function. With each retrieved IP address it sends ping requests using SendPingAsync() function to create list of alive IPs. For each alive host IP it checks if an SMB share is present or not. If present, BlackSun tries to map C$ (Window admin share) using the “net use” command. If command runs more than seven seconds it kills the net.exe process. After successfully mapping it copies itself over network share and executes using Powershell.exe. To execute PowerShell on a remote host it uses the Invoke-WmiMethod cmdlet.

Figure 7: Code for self-propagation

Destroying Backups:

Before starting encryption, BlackSun destroys remote and local backups to prevent victims from being able to recover from encryption.

First, it deletes shadow copies using WMI’s Win32_ShadowCopy class:

Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }


Next, it executes the “Stop-Service” cmdlet to stop Windows services related to backup, database, and email solutions. The table below contains the names of the Windows Services stopped by BlackSun.

·       Sexch*

·       *Oracle*

·       *outlook*


·       MSSQLServerADHelper100

·       MSSQLServerOLAPService

·       MySQL57

·       OracleClientCache80

·       PDVFSService

·       POP3Svc

·       MSSQLServerADHelper

·       SQLAgent$PROD

·       msftesql$PROD

·       NetMsmqActivator


·       SQLAgent$SOPHOS

·       AVP



·       wbengine

·       mfefire

·       ReportServer$SQL_2008

·       ReportServer$SYSTEM_BGC

·       ReportServer$TPS

·       ReportServer$TPSAMA

·       SAVAdminService

·       SAVService

·       SDRSVC

·       SepMasterService

·       ShMonitor

·       Smcinst

·       SmcService

·       SMTPSvc

·       SQLAgent$BKUPEXEC

·       SQLAgent$ECWDB2






·       SQLAgent$SQL_2008

·       SQLAgent$SYSTEM_BGC

·       SQLAgent$TPS

·       SQLAgent$TPSAMA

·       SQLAgent$VEEAMSQL2008R2

·       SQLAgent$VEEAMSQL2012

·       SQLBrowser

·       SQLSafeOLRService




·       SQLWriter

·       VeeamBackupSvc

·       VeeamBrokerSvc

·       VeeamCatalogSvc

·       VeeamCloudSvc

·       VeeamDeploymentService

·       VeeamDeploySvc

·       VeeamEnterpriseManagerSvc

·       VeeamMountSvc

·       VeeamNFSSvc

·       VeeamRESTSvc

·       VeeamTransportSvc

·       MSSQL$VEEAMSQL2008R2

·       SQLAgent$VEEAMSQL2008R2

·       VeeamHvIntegrationSvc

·       swi_update

·       SQLAgent$CXDB


·       SQL Backups

·       MSSQL$PROD

·       VeeamEndpointBackupSvc

·       Veeam.Archiver.Service

·       Veeam.Archiver.Proxy

·       ManageEngine EventLogAnalyzer 11 – Agent

·       ManageEngineDataSecurityPlus -AgentService

·       MSexch*

BlackSun then destroys local and remote backup database files by overwriting with random data, generated by Windows Crypto APIs. The below code is used to replace data of backups:

Figure 8: Function to overwrite random data

Below is the list to targeted extensions to overwrite:

.backup .tib .tibx .vbk .vib
.vrb .vbm .bco .dem .bkf
.gho .iv2i .bks .gho .vhdx


Exfiltrate Logs

BlackSun creates a record of session activity using the Start-Transcript cmdlet. It logs all commands typed and all the console output in log file called “BlackSun.log”.  This log file is compressed and sent to a remote FTP location using the below function.

Figure 9: Code to compress log and send to FTP location

Clear Event Logs

In its final stages, BlackSun clears all event logs to destroy evidence on a system. It uses the below commands to perform this:

Figure 10: Code to clear all event logs


TID Tactic Description
T1059.003 Execution Command and Scripting Interpreter: Windows Command Shell
T1059.001 Execution Command and Scripting Interpreter: PowerShell
T1047 Execution Windows Management Instrumentation
T1070.001 Defense Evasion Indicator Removal on Host: Clear Windows Event Logs
T1057 Discovery Process Discovery
T1082 Discovery System Information Discovery
T1083 Discovery File and Directory Discovery
T1135 Discovery Network Share Discovery
T1021.002 Lateral Movement Remote Services: SMB/Windows Admin Shares
T1560 Collection Archive Collected Data
T1105 Command and Control Ingress Tool Transfer
T1486 Impact Data Encrypted for Impact
T1489 Impact Service Stop
T1490 Impact Inhibit System Recovery


Indicators of Compromise (IOCs)

Indicator Type Context
e5429f2e44990b3d4e249c566fbf19741e671c0e40b809f87248d9ec9114bef9 SHA256 BlackSun Ransomware
e0afcf804394abd43ad4723a0feb147f10e589cd SHA1 BlackSun Ransomware
3ebab71cb71ca5c475202f401de008c8 MD5 BlackSun Ransomware