Dark Power Ransomware: A New Threat to the Cyber World

[Image: The ransom note (Trellix)]

Dark Power is a new ransomware strain discovered by Trellix, an organization that analyzes cyber threats. According to the report, the ransomware is an opportunistic operation that targets organizations globally and demands relatively small payments of $10,000. Dark Power's payload is written in Nim, a cross-platform programming language with several advantages for performance-critical applications such as ransomware. Because Nim is not widely used by cybercriminals, it is a niche choice that is unlikely to be detected by defense tools.

After execution, the ransomware creates a random 64-character ASCII string that initializes the encryption algorithm, so each run uses a unique key. The ransomware then terminates specific services and processes on the victim's machine to release file locks before encryption and to minimize the chance of anything blocking the file-locking process. During this stage, Dark Power also stops the Volume Shadow Copy Service (VSS), data backup services, and the anti-malware products in its hardcoded list.

Critical system files, such as DLLs, LIBs, INIs, CDMs, LNKs, BINs, and MSIs, along with Program Files and web browser folders, are excluded from encryption to keep the infected computer operational, allowing the victim to view the ransom note and contact the attackers.
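The two behaviours described above (stopping VSS, backup and anti-malware services, then encrypting everything except the excluded system extensions) give defenders a correlation rule: one process that stops protected services and shortly afterwards rewrites many user files. The following Python is an added example, not code from the article or from Trellix; the service names, the event format and the sample events are constructed assumptions for illustration.

```python
"""Heuristic detection for the Dark Power-style pre-encryption stage: one process
stops shadow-copy / backup / anti-malware services and then mass-rewrites files."""
from collections import defaultdict
from datetime import datetime, timedelta

# Categories the article says Dark Power stops (VSS, backup, AV). The concrete
# service names here are constructed examples, not the malware's hardcoded list.
PROTECTED_SERVICES = {"vss", "wbengine", "sdrsvc", "windefend", "mbamservice"}
# Extensions the article says Dark Power skips to keep the host operational.
SKIPPED_EXT = {".dll", ".lib", ".ini", ".lnk", ".bin", ".msi"}

def _ext(path):
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""

def detect(events, window=timedelta(minutes=5), min_files=10):
    """events: dicts with ts (datetime), pid, kind ('service_stop' | 'file_write')
    and either 'service' or 'path'. Returns [(pid, stopped_services, n_files)]."""
    stops, writes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["kind"] == "service_stop" and e["service"].lower() in PROTECTED_SERVICES:
            stops[e["pid"]].append((e["ts"], e["service"].lower()))
        elif e["kind"] == "file_write" and _ext(e["path"]) not in SKIPPED_EXT:
            writes[e["pid"]].append(e["ts"])  # only files the malware would encrypt
    alerts = []
    for pid, stopped in stops.items():
        first_stop = stopped[0][0]
        n = sum(1 for ts in writes[pid] if first_stop <= ts <= first_stop + window)
        if n >= min_files:  # service stops followed by a burst of rewrites
            alerts.append((pid, sorted({s for _, s in stopped}), n))
    return alerts

def sample_events():
    """Constructed telemetry: one ransomware-like process, two benign ones."""
    t0 = datetime(2023, 3, 24, 9, 0, 0)
    ev = [{"ts": t0, "pid": 4412, "kind": "service_stop", "service": "VSS"},
          {"ts": t0 + timedelta(seconds=2), "pid": 4412, "kind": "service_stop", "service": "WinDefend"},
          {"ts": t0 + timedelta(seconds=3), "pid": 4412, "kind": "file_write", "path": r"C:\Windows\System32\x.dll"}]
    for i in range(12):  # burst of user-document rewrites right after the stops
        ev.append({"ts": t0 + timedelta(seconds=10 + i), "pid": 4412, "kind": "file_write",
                   "path": rf"C:\Users\bob\Documents\report{i}.docx"})
    # Benign backup agent: stops a backup service but writes a single file.
    ev.append({"ts": t0, "pid": 900, "kind": "service_stop", "service": "wbengine"})
    ev.append({"ts": t0 + timedelta(seconds=5), "pid": 900, "kind": "file_write", "path": r"D:\backup\log.txt"})
    # Benign build job: many writes, but it stopped no protected service.
    for i in range(15):
        ev.append({"ts": t0 + timedelta(seconds=i), "pid": 1200, "kind": "file_write",
                   "path": rf"C:\build\out\obj{i}.o"})
    return ev
```

Running `detect(sample_events())` flags only pid 4412, which stopped `vss` and `windefend` and then rewrote 12 non-excluded files within the window.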

Dark Power's ransom note is an eight-page PDF document containing information about what happened and how to contact the attackers over the qTox messenger. The ransom note stands out among other ransomware operations as it provides detailed information about the attack and instructions for communication.

The ransom note gives victims 72 hours to send $10,000 in XMR (Monero) to the provided wallet address in exchange for a working decryptor. The Dark Power group claims to have stolen data from the networks of ten victims in the USA, France, Israel, Turkey, the Czech Republic, Algeria, Egypt, and Peru, and threatens to publish it if they do not pay the ransom, making this a double-extortion attack.

Dark Power's victim extortion page is offline at the time of writing, but it's not uncommon for ransomware portals to go offline periodically as negotiations with victims develop.

The Dark Power ransomware gang is a serious threat to everyone, as they are not focused on any specific geographic area or sector. To avoid becoming a victim of such attacks, individuals and organizations must ensure that they have proper backup measures in place and educate themselves and their teams on how to avoid such attacks.

In terms of its MITRE ATT&CK TTPs, Dark Power uses Nim, which is easy to use and has cross-platform capabilities. The ransomware creates a randomized 64-character ASCII string at startup to initialize the encryption algorithm. Strings within the ransomware are encrypted to make it harder for defenders to write a generic detection rule. The ransomware also targets specific services and processes to increase the chance that victims pay the ransom.

In conclusion, the Dark Power ransomware is a new and serious threat to the cyber world that individuals and organizations must be aware of to avoid becoming victims. It is essential to have proper backup measures in place and to educate themselves and their teams on how to avoid such attacks.