{
	"id": "c103ce69-5a99-472e-afcb-e37ab2e4d049",
	"created_at": "2026-04-06T00:19:01.004796Z",
	"updated_at": "2026-04-10T03:20:55.906513Z",
	"deleted_at": null,
	"sha1_hash": "7d3cb850a2c1c8eadbe40c12460d66f657cd71fb",
	"title": "BlackSun Ransomware – The Dark Side of PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1894610,
	"plain_text": "BlackSun Ransomware – The Dark Side of PowerShell\r\nBy Threat Analysis Unit\r\nPublished: 2022-01-26 · Archived: 2026-04-05 13:26:48 UTC\r\nThis article was authored by Pavankumar Chaudhari (TAU)\r\nSummary\r\nRecently, the VMware Threat Analysis Unit analyzed BlackSun ransomware, a PowerShell-based ransomware.\r\nUnlike most other PowerShell-based ransomware it doesn’t download a payload or reflectively load a DLL or EXE\r\ninto memory.  Looking at the simplicity of code it is unclear if it is used for limited attacks or a proof-of-concept\r\npurpose, but it has effective methods that are potentially being used by ransomware.\r\nBlackSun contained the below features:\r\nAbility to destroy local and network backups\r\nSelf-propagation within a local network\r\nStart encryption at a specific time\r\nUpload ransomware logs at FTP location\r\nClear event logs\r\nSplit encryption activity into multiple background jobs to speed-up encryption\r\nBehavioral Summary\r\nThe execution of BlackSun, shown in Figure 1, shows very limited subprocesses. It will use additional execution of\r\nPowerShell for running internal capabilities, as well as the use of net.exe to map network drives.\r\nhttps://blogs.vmware.com/security/2022/01/blacksun-ransomware-the-dark-side-of-powershell.html\r\nPage 1 of 10\n\nFigure 1: Process chain showing the execution history of BlackSun\r\nEncryption Routine:\r\nBefore starting any activity BlackSun checks if another instance is already running. It checks for presence of\r\nPowerShell process with its own script name as command line argument using the code shown in Figure 2.\r\nFigure 2: Code to check if script is already running\r\nBlackSun encrypts files using AES256 algorithm. 
The AES key is encrypted with an X.509 public key certificate\r\nhardcoded in the script, as shown in Figure 3.\r\nFigure 3: Encryption code\r\nBlackSun splits the task into multiple background jobs to speed up the encryption process. The number of jobs is calculated\r\nfrom the total number of files, referenced in Figure 4 as $intTotalCount, and the number of CPU cores, referenced as\r\n$intCoresCount.\r\nFigure 4: Code to divide encryption activity into multiple jobs\r\nThe malware keeps the list of file extensions to encrypt hardcoded in an array. The table below lists the file extensions\r\nused in the code (duplicate entries appear as they do in the array):\r\n.ldf .bak .exp .FORM .PROG .DATA .edb .FAD .png .bmp\r\n.png .p12 .mdf .wb2 .psd .p7c .p7b .asp .php .incpas\r\n.7z .zip .rar .drf .blend .apj .3ds .dwg .dwl .sda\r\n.pat .pfx .crt .cer .der .fxg .fhd .fh .dxb .drw\r\n.design .ddrw .ddoc .dcs .csl .csh .cpi .cgm .cdx .cdrw\r\n.cdr6 .cdr5 .xlsm .cdr4 .cdr3 .cdr .awg .ait .ai .agd1\r\n.ycbcra .x3f .stx .st8 .st7 .st6 .st5 .st4 .srw .srf\r\n.sr2 .sd1 .sd0 .rwz .rwl .rw2 .raw .raf .ra2 .ptx\r\n.pef .pcd .orf .nwb .nrw .nop .nef .ndd .mrw .xlsb\r\n.mos .mfw .mef .mdc .iiq .gry .grey .gray .fpx .fff\r\n.exf .erf .dng .dcr .dc2 .crw .p12 .xltx .craw .cr2\r\n.cmt .cib .ce2 .ce1 .arw .arw .3pr .3fr .mpg .jpeg\r\n.jpg .mdb .sqlitedb .sqlite3 .sqlite .sql .sdf .sav .sas7bdat .s3db\r\n.rdb .psafe3 .nyf .nx2 .nx1 .nsh .nsg .nsf .nsd .ns4\r\n.ns3 .ns2 .myd .kpdx .kdbx .idx .ibz .ibd .fdb .erbsql\r\n.db3 .dbf .db-journal .cls .bdb .adb .backupdb .bik .xlsx .backup\r\n.bkp .moneywell .mmw .ibank .hbk .ffd .dgc .ddd .dac .cfp\r\n.cdf .bpw .bgt .acr .ac2 .xltm .ab4 .djvu .pdf .sxm\r\n.odf .std .sxd .otg .sti .sxi .otp .odg .odp .stc\r\n.sxc .ots .ods .sxg .stw .sxw .odm .oth .ott .odt\r\n.odb .csv .rtf .accdr .accdt .accde .accdb .sldm .sldx .ppsm\r\n.ppsx .ppam .potm .potx .pptm .pptx .pps .pot .ppt .xlw\r\n.xll .xlam .xla .dotx .docm .docx .dot .doc .xlm .xlt\r\n.xls .dotm\r\nSome folders and files are excluded from encryption. The list of such folders/files is present in the code, shown in Figure\r\n5.\r\nFigure 5: List of files/folders to skip\r\nEncrypted files are given a .BlackSun extension. After encryption, a ransom note is written in each folder as\r\nBlackSun_README.txt. BlackSun also changes the desktop wallpaper of infected systems to an embedded\r\nimage encoded as Base64 data. After decoding, this wallpaper is written to c:\\users\\public\\pictures\\blacksun.jpg.\r\nThe desktop wallpaper seen in this sample is shown in Figure 6.\r\nFigure 6: Desktop wallpaper and ransom note\r\nNetwork Propagation:\r\nBlackSun has network propagation functionality that allows it to infect other machines on the local network. First, it\r\nretrieves IP addresses in the victim’s network using the PowerShell Get-NetNeighbor cmdlet and a Get-NetworkRange() function. It then sends a ping request to each retrieved IP address using SendPingAsync() to\r\nbuild a list of live hosts. For each live host it checks whether an SMB share is present. If so, BlackSun tries\r\nto map C$ (the Windows administrative share) using the “net use” command. If the command runs for more than seven seconds, it kills\r\nthe net.exe process. After successfully mapping the share, it copies itself over the network share and executes the copy using\r\nPowershell.exe.
To execute PowerShell on a remote host it uses the Invoke-WmiMethod cmdlet.\r\nFigure 7: Code for self-propagation\r\nDestroying Backups:\r\nBefore starting encryption, BlackSun destroys remote and local backups to prevent victims from\r\nrecovering their data without paying.\r\nFirst, it deletes shadow copies using WMI’s Win32_ShadowCopy class:\r\nGet-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }\r\nNext, it executes the “Stop-Service” cmdlet to stop Windows services related to backup, database, and email\r\nsolutions. The list below contains the names of the Windows services stopped by BlackSun, with wildcards as they appear in the script:\r\n·       Sexch*\r\n·       *Oracle*\r\n·       *outlook*\r\n·       MSSQLSERVER\r\n·       MSSQLServerADHelper100\r\n·       MSSQLServerOLAPService\r\n·       MySQL57\r\n·       OracleClientCache80\r\n·       PDVFSService\r\n·       SAVService\r\n·       SDRSVC\r\n·       SepMasterService\r\n·       ShMonitor\r\n·       Smcinst\r\n·       SmcService\r\n·       SMTPSvc\r\n·       SQLAgent$BKUPEXEC\r\n·       SQLAgent$ECWDB2\r\n·       SQLAgent$PRACTTICEBGC\r\n·       VeeamBackupSvc\r\n·       VeeamBrokerSvc\r\n·       VeeamCatalogSvc\r\n·       VeeamCloudSvc\r\n·       VeeamDeploymentService\r\n·       VeeamDeploySvc\r\n·       VeeamEnterpriseManagerSvc\r\n·       VeeamMountSvc\r\n·       VeeamNFSSvc\r\n·       VeeamRESTSvc\r\n·       POP3Svc\r\n·       MSSQLServerADHelper\r\n·       SQLAgent$PROD\r\n·       msftesql$PROD\r\n·       NetMsmqActivator\r\n·       MSSQL$SOPHOS\r\n·       SQLAgent$SOPHOS\r\n·       AVP\r\n·       MSSQL$SQLEXPRESS\r\n·       SQLAgent$SQLEXPRESS\r\n·       wbengine\r\n·       mfefire\r\n·       ReportServer$SQL_2008\r\n·       ReportServer$SYSTEM_BGC\r\n·       ReportServer$TPS\r\n·       ReportServer$TPSAMA\r\n·       SAVAdminService\r\n·       SQLAgent$PRACTTICEMGT\r\n·       SQLAgent$PROFXENGAGEMENT\r\n·       SQLAgent$SBSMONITORING\r\n·       SQLAgent$SHAREPOINT\r\n·       SQLAgent$SQL_2008\r\n·       SQLAgent$SYSTEM_BGC\r\n·       SQLAgent$TPS\r\n·       SQLAgent$TPSAMA\r\n·       SQLAgent$VEEAMSQL2008R2\r\n·       SQLAgent$VEEAMSQL2012\r\n·       SQLBrowser\r\n·       SQLSafeOLRService\r\n·       SQLSERVERAGENT\r\n·       SQLTELEMETRY\r\n·       SQLTELEMETRY$ECWDB2\r\n·       SQLWriter\r\n·       VeeamTransportSvc\r\n·       MSSQL$VEEAMSQL2008R2\r\n·       SQLAgent$VEEAMSQL2008R2\r\n·       VeeamHvIntegrationSvc\r\n·       swi_update\r\n·       SQLAgent$CXDB\r\n·       SQLAgent$CITRIX_METAFRAME\r\n·       SQL Backups\r\n·       MSSQL$PROD\r\n·       VeeamEndpointBackupSvc\r\n·       Veeam.Archiver.Service\r\n·       Veeam.Archiver.Proxy\r\n·       ManageEngine EventLogAnalyzer 11 – Agent\r\n·       ManageEngineDataSecurityPlus - AgentService\r\n·       MSexch*\r\nBlackSun then destroys local and remote backup files by overwriting them with random data generated by the\r\nWindows Crypto APIs. The function in Figure 8 is used to overwrite the backup data:\r\nFigure 8: Function to overwrite random data\r\nBelow is the list of targeted extensions to overwrite:\r\n.backup .tib .tibx .vbk .vib\r\n.vrb .vbm .bco .dem .bkf\r\n.gho .iv2i .bks .gho .vhdx\r\nExfiltrate Logs\r\nBlackSun creates a record of session activity using the Start-Transcript cmdlet. It logs all commands run and all\r\nthe console output to a log file called “BlackSun.log”.
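The detection logic below is an added example for this page; it is not code from the VMware report or from BlackSun itself. It scores PowerShell script-block logging text (Event ID 4104) against the behaviours described above: the running-instance check, shadow copy deletion through Win32_ShadowCopy, mass Stop-Service calls against the backup and database services listed, overwriting of backup files, admin-share mapping with remote execution via Invoke-WmiMethod, and Start-Transcript logging. It is written in Python rather than PowerShell so it can be run offline against exported events. Only the service names and backup extensions come from the report; the rule weights, the threshold, the use of RNGCryptoServiceProvider as the indicator for the random-data overwrite, the Overwrite-Backup helper name in the sample, and all sample script text and event records are assumptions constructed for the example. Long script blocks are logged as several 4104 events sharing one ScriptBlockId, so the example reassembles them before scoring, which is what lets the combination fire when no single chunk would.

```python
# Added example (not code from the VMware report or from BlackSun): score
# exported PowerShell script-block logging events (Event ID 4104) against the
# behaviours the report describes. Rule weights, the threshold and every
# sample script and event record below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field

# Substrings of the backup/database/mail service names the report lists.
BACKUP_SERVICE_HINTS = ('veeam', 'mssql', 'sqlagent', 'sqlwriter', 'wbengine',
                        'oracle', 'mysql', 'exch', 'sdrsvc', 'backup')
# Backup-container extensions the report says are overwritten with random data.
BACKUP_EXTENSIONS = ('.tib', '.tibx', '.vbk', '.vib', '.vrb', '.vbm', '.bkf',
                     '.gho', '.iv2i', '.bks', '.vhdx')
THRESHOLD = 9  # tunable; set so that no single behaviour on its own trips it

@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)

def _has_all(text, *needles):
    low = text.lower()
    return all(n in low for n in needles)  # needles are lowercase

def _stop_service_hits(text):
    # Count Stop-Service lines aimed at a backup/database service.
    return sum(1 for line in text.lower().splitlines()
               if 'stop-service' in line
               and any(h in line for h in BACKUP_SERVICE_HINTS))

# (rule name, weight, predicate over the full script text)
RULES = (
    ('shadow_copy_delete', 5, lambda t: _has_all(t, 'win32_shadowcopy', '.delete(')),
    ('mass_stop_backup_services', 4, lambda t: _stop_service_hits(t) >= 3),
    ('admin_share_lateral_move', 4,
     lambda t: _has_all(t, 'net use', '\\c$', 'invoke-wmimethod')),
    # Assumed indicator: a .NET crypto RNG used next to a backup extension.
    ('backup_file_overwrite', 3,
     lambda t: 'system.security.cryptography' in t.lower()
     and any(e in t.lower() for e in BACKUP_EXTENSIONS)),
    ('self_instance_check', 1, lambda t: _has_all(t, 'win32_process', 'commandline')),
    ('transcript_logging', 1, lambda t: 'start-transcript' in t.lower()),
)

def score_script(text):
    verdict = Verdict()
    for name, weight, pred in RULES:
        if pred(text):
            verdict.hits.append(name)
            verdict.score += weight
    return verdict

def reassemble(events):
    # Long scripts are logged as several 4104 events sharing a ScriptBlockId;
    # scoring each chunk alone can miss the combination, so stitch them first.
    chunks = defaultdict(list)
    for ev in events:
        chunks[ev['ScriptBlockId']].append((ev['MessageNumber'], ev['ScriptBlockText']))
    return {sbid: '\n'.join(t for _, t in sorted(parts)) for sbid, parts in chunks.items()}

def flagged_blocks(events, threshold=THRESHOLD):
    # ScriptBlockIds whose reassembled text reaches the threshold.
    return sorted(sbid for sbid, text in reassemble(events).items()
                  if score_script(text).score >= threshold)

# Constructed samples. A legitimate maintenance script stops three Veeam
# services and records a transcript; the BlackSun-like script arrives as two
# 4104 chunks. Overwrite-Backup is a hypothetical helper name.
BENIGN_MAINTENANCE = '''
Start-Transcript -Path C:\\Temp\\patch.log
Stop-Service -Name VeeamBackupSvc -Force
Stop-Service -Name VeeamBrokerSvc -Force
Stop-Service -Name VeeamMountSvc -Force
Get-WmiObject Win32_ShadowCopy | Select-Object ID, InstallDate
Stop-Transcript
'''
CHUNK_1 = '''
$running = Get-WmiObject Win32_Process | Where-Object { $_.CommandLine -like *BlackSun.ps1* }
Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete(); }
Stop-Service -Name VeeamBackupSvc -Force
Stop-Service -Name MSSQLSERVER -Force
'''
CHUNK_2 = '''
Stop-Service -Name SQLAgent$BKUPEXEC -Force
Stop-Service -Name wbengine -Force
$rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
Get-ChildItem -Recurse -Include *.vbk,*.tib | ForEach-Object { Overwrite-Backup $_ $rng }
net use \\\\10.0.0.5\\C$ /persistent:no
Invoke-WmiMethod -ComputerName 10.0.0.5 -Class Win32_Process -Name Create -ArgumentList $cmd
Start-Transcript -Path BlackSun.log
'''
EVENTS = [  # chunks deliberately out of order, as an export may deliver them
    {'ScriptBlockId': 'b1', 'MessageNumber': 2, 'ScriptBlockText': CHUNK_2},
    {'ScriptBlockId': 'b1', 'MessageNumber': 1, 'ScriptBlockText': CHUNK_1},
    {'ScriptBlockId': 'b2', 'MessageNumber': 1, 'ScriptBlockText': BENIGN_MAINTENANCE},
]

if __name__ == '__main__':
    for sbid, text in reassemble(EVENTS).items():
        v = score_script(text)
        print(sbid, v.score, v.hits)
    print('flagged:', flagged_blocks(EVENTS))
```

Run directly, it prints the score and matched rules for each reassembled block. The maintenance script stays below the threshold even though it stops several Veeam services and records a transcript, and the BlackSun-like script is flagged only once its two chunks are joined; scored on their own, neither chunk reaches the threshold, which is the trap a per-event rule falls into.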
The BlackSun.log transcript is then compressed and sent to a remote FTP location\r\nusing the function shown in Figure 9.\r\nFigure 9: Code to compress log and send to FTP location\r\nClear Event Logs\r\nIn its final stage, BlackSun clears all event logs to destroy evidence on the system. It uses the commands shown in Figure 10 to\r\ndo this:\r\nFigure 10: Code to clear all event logs\r\nMITRE ATT\u0026CK TIDs\r\nTID | Tactic | Description\r\nT1059.003 | Execution | Command and Scripting Interpreter: Windows Command Shell\r\nT1059.001 | Execution | Command and Scripting Interpreter: PowerShell\r\nT1047 | Execution | Windows Management Instrumentation\r\nT1070.001 | Defense Evasion | Indicator Removal on Host: Clear Windows Event Logs\r\nT1057 | Discovery | Process Discovery\r\nT1082 | Discovery | System Information Discovery\r\nT1083 | Discovery | File and Directory Discovery\r\nT1135 | Discovery | Network Share Discovery\r\nT1021.002 | Lateral Movement | Remote Services: SMB/Windows Admin Shares\r\nT1560 | Collection | Archive Collected Data\r\nT1105 | Command and Control | Ingress Tool Transfer\r\nT1486 | Impact | Data Encrypted for Impact\r\nT1489 | Impact | Service Stop\r\nT1490 | Impact | Inhibit System Recovery\r\nIndicators of Compromise (IOCs)\r\nIndicator | Type | Context\r\ne5429f2e44990b3d4e249c566fbf19741e671c0e40b809f87248d9ec9114bef9 | SHA256 | BlackSun Ransomware\r\ne0afcf804394abd43ad4723a0feb147f10e589cd | SHA1 | BlackSun Ransomware\r\n3ebab71cb71ca5c475202f401de008c8 | MD5 | BlackSun Ransomware\r\nSource: https://blogs.vmware.com/security/2022/01/blacksun-ransomware-the-dark-side-of-powershell.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2022/01/blacksun-ransomware-the-dark-side-of-powershell.html"
	],
	"report_names": [
		"blacksun-ransomware-the-dark-side-of-powershell.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434741,
	"ts_updated_at": 1775791255,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7d3cb850a2c1c8eadbe40c12460d66f657cd71fb.pdf",
		"text": "https://archive.orkl.eu/7d3cb850a2c1c8eadbe40c12460d66f657cd71fb.txt",
		"img": "https://archive.orkl.eu/7d3cb850a2c1c8eadbe40c12460d66f657cd71fb.jpg"
	}
}