A new ransomware operation called “Dark Power” has emerged, targeting organizations worldwide and demanding relatively small ransom payments of $10,000. The group’s encryptor was compiled on January 29, 2023. The group has already listed ten victims on its dark web data leak site and threatens to publish their data online if the ransom goes unpaid.
Dark Power has not yet appeared on any hacker forums or dark web spaces, which indicates that it may be a private project. According to Trellix, which analyzed the operation, this is an opportunistic ransomware group that targets organizations worldwide.
The Dark Power payload is written in Nim, a cross-platform programming language with several speed-related advantages that make it suitable for performance-critical applications like ransomware. Nim is only now starting to become more popular among cybercriminals, which makes it a niche choice unlikely to be detected by defense tools.
Unknown infection point of Dark Power
Dark Power’s infection point is not known, but it could be an exploit, phishing emails, or other means. Upon execution, the ransomware creates a randomized 64-character ASCII string that is used to initialize the encryption algorithm with a unique key on each execution.
The ransomware also terminates specific services and processes on the victim’s machine to free up files for encryption and minimize the chances of anything blocking the file-locking process. During that stage, the ransomware also stops the Volume Shadow Copy Service (VSS), data backup services, and the anti-malware products in its hardcoded list.
The encryption uses AES (CTR mode), keyed with the ASCII string generated at launch. The resulting files are renamed with the “.dark_power” extension. Interestingly, two versions of the ransomware circulated in the wild, each with a different encryption key scheme.
System-critical files such as DLLs, LIBs, INIs, CDMs, LNKs, BINs, and MSIs, as well as the Program Files and web browser folders, are excluded from encryption to keep the infected computer operational, so the victim can still view the ransom note and contact the attackers.
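The two observable behaviours described above, the stopping of VSS, backup and anti-malware services before encryption and the appearance of files carrying the “.dark_power” extension, are the kind of signals a detection rule can key on. The following is an added example, not code from the article or from Trellix’s analysis: a small Python detector run over constructed Windows-style log lines (Service Control Manager event 7036 for service state changes, Sysmon event 11 for file creation). The “.dark_power” extension comes from the article; the specific backup and anti-malware service names in the watch list are assumptions, since the page does not reproduce the group’s hardcoded service list.

```python
import re
from typing import Dict, List, Optional

# Each constructed log line has the shape "<channel> <event_id> <message>".
LINE_RE = re.compile(r"^(?P<channel>\w+)\s+(?P<event_id>\d+)\s+(?P<message>.+)$")

# Extension the article reports Dark Power appends to encrypted files.
RANSOM_EXT = ".dark_power"

# Services whose stop is worth alerting on. "Volume Shadow Copy" is from the
# article; the other two are assumed examples of backup / anti-malware services,
# because the page does not list the encryptor's hardcoded service list.
WATCHED_SERVICES = (
    "Volume Shadow Copy",
    "Windows Backup",
    "Windows Defender Antivirus",
)

# Constructed sample log; not captured from a real incident.
SAMPLE_LOG = """\
System 7036 The Volume Shadow Copy service entered the stopped state.
System 7036 The Windows Defender Antivirus Service entered the stopped state.
System 7036 The Print Spooler service entered the stopped state.
Sysmon 11 File created: C:\\Users\\alice\\Documents\\q1-report.xlsx.dark_power
Sysmon 11 File created: C:\\Users\\alice\\Documents\\notes.txt.dark_power
Sysmon 11 File created: C:\\Windows\\System32\\kernel32.dll
Sysmon 11 File created: C:\\Users\\alice\\Downloads\\readme.pdf
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Split one constructed log line into channel, numeric event id and message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = dict(m.groupdict())
    event["event_id"] = int(event["event_id"])
    return event


def analyze(log_text: str) -> Dict[str, object]:
    """Return watched service stops, files renamed with the ransom extension,
    the original names of those files (for scoping) and an overall severity."""
    service_stops: List[str] = []
    encrypted: List[str] = []

    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        msg = str(ev["message"])

        # SCM event 7036 reports service state changes. A watched service
        # entering the stopped state matches the pre-encryption step the
        # article describes (VSS, backup and anti-malware services).
        if ev["channel"] == "System" and ev["event_id"] == 7036 \
                and "entered the stopped state" in msg:
            for svc in WATCHED_SERVICES:
                if svc in msg:
                    service_stops.append(svc)
                    break

        # Sysmon event 11 (FileCreate): a new file ending in ".dark_power"
        # is a direct marker that encryption is under way.
        elif ev["channel"] == "Sysmon" and ev["event_id"] == 11:
            path = msg.split("File created:", 1)[-1].strip()
            if path.lower().endswith(RANSOM_EXT):
                encrypted.append(path)

    # Service tampering followed by renamed files is the full pattern; either
    # signal on its own is still worth a look, at lower confidence.
    if encrypted and service_stops:
        severity = "high"
    elif encrypted or service_stops:
        severity = "medium"
    else:
        severity = "none"

    return {
        "service_stops": service_stops,
        "encrypted_files": encrypted,
        # Strip the appended extension to recover the pre-encryption filename.
        "original_names": [p[: -len(RANSOM_EXT)] for p in encrypted],
        "severity": severity,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"severity: {result['severity']}")
    for svc in result["service_stops"]:
        print(f"  watched service stopped: {svc}")
    for name in result["original_names"]:
        print(f"  file encrypted: {name}")
```

The severity ladder is the point of the design: a lone stop of the Print Spooler is ignored, a stop of VSS alone is “medium” because administrators do that legitimately, and only the combination with files acquiring the “.dark_power” extension is rated “high”. The `original_names` list gives responders the pre-encryption filenames for scoping impact.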
The ransom note and victims
The ransom note is an 8-page PDF document last modified on February 9, 2023. It gives victims 72 hours to send $10,000 in XMR (Monero) to the provided wallet address to receive a working decryptor. Dark Power’s ransom note stands out compared to other ransomware operations: it contains information about what happened and how to contact the attackers over the qTox messenger.
At the time of writing, Dark Power’s Tor site was offline, but it is not uncommon for ransomware portals to go offline periodically as negotiations with victims develop. Trellix has seen ten victims from the USA, France, Israel, Turkey, the Czech Republic, Algeria, Egypt, and Peru, so the targeting scope is global.
The Dark Power group claims to have stolen data from the networks of these organizations and threatens to publish it, making this another double-extortion group.