Dark Power Ransomware Dissection
Researchers have spotted a new ransomware gang named Dark Power – which has been actively hitting organisations in several countries lately. Starting on January 29, 2023, the Dark Power gang has over 10 victims listed on its dark net website already – waiting to leak their data!
The Dark Power ransomware uses Nim, a relatively new cross-platform programming language with several speed-related advantages – making it apt for ransomware operations and most of defense tools fails to detect it
The modus of operandi still needs to be published. Dark power attacks create a randomized 64-character long ASCII string for starting the encryption process, with a unique key on each execution.
Dark Power to terminate specific services and processes on the victim’s system to free up files for encryption while also deleting the shadow copies of data to make recovery hard later on. This gets even much harder with the ransomware gang wiping out the console and Windows system logs in the process!
Encrypted files are renamed with the “.dark_power” extension, with certain file types like DLLs, LIBs, INIs, CDMs, LNKs, BINs, MSIs etc excluded from encryption to keep the infected system operational and allow the victim to view the ransom note and contact them.
The Dark Power gang stands out with a typical ransom note of an 8-page long PDF – that contains details on how the victim was hacked and instructions on how they should contact them over qTox messenger. The gang gives victims 72 hours to respond and obey their $10,000 ransom in the XMR form, which is affordable and much convincing for victims to pay.
Researchers report that they have seen ten victims from the USA, France, Israel, Turkey, the Czech Republic, Algeria, Egypt, and Peru, so the targeting scope is global.
Trellix notes the victims of the Dark Power gang from all over the world, pushed through the double-extortion method as others in this field.
This research was documented by researchers from Trellix
Indicators of Compromise