Dark Power Ransomware Dissection

Researchers have spotted a new ransomware gang named Dark Power – which has been actively hitting organisations in several countries lately. Starting on January 29, 2023, the Dark Power gang has over 10 victims listed on its dark net website already – waiting to leak their data!

The Dark Power ransomware uses Nim, a relatively new cross-platform programming language with several speed-related advantages – making it apt for ransomware operations and most of defense tools fails to detect it

The modus of operandi still needs to be published. Dark power attacks create a randomized 64-character long ASCII string for starting the encryption process, with a unique key on each execution.

Advertisements

Dark Power to terminate specific services and processes on the victim’s system to free up files for encryption while also deleting the shadow copies of data to make recovery hard later on. This gets even much harder with the ransomware gang wiping out the console and Windows system logs in the process!

Encrypted files are renamed with the “.dark_power” extension, with certain file types like DLLs, LIBs, INIs, CDMs, LNKs, BINs, MSIs etc excluded from encryption to keep the infected system operational and allow the victim to view the ransom note and contact them.

The Dark Power gang stands out with a typical ransom note of an 8-page long PDF – that contains details on how the victim was hacked and instructions on how they should contact them over qTox messenger. The gang gives victims 72 hours to respond and obey their $10,000 ransom in the XMR form, which is affordable and much convincing for victims to pay.

Researchers report that they have seen ten victims from the USA, France, Israel, Turkey, the Czech Republic, Algeria, Egypt, and Peru, so the targeting scope is global.