New ransomware, dubbed Dark Power, has surfaced on the threat landscape and is trying to make a name for itself. According to researchers, the ransomware is active in the wild since February and has already breached 10 organizations in less than a month’s time. Moreover, it engages in the classic double extortion scheme to threaten its victims.
More about Dark Power
Researchers at Trellix note that the ransomware is written in Nim, a cross-platform language that has become more prevalent among malware authors.
- There are two versions of the ransomware circulated in the wild, each with a different encryption key and format.
- While the first variant uses the SHA-256 algorithm, the second variant uses SHA-256 and a fixed 128-bit to encrypt data and files.
- This opportunistic ransomware is operating on a global scale, with victims in Algeria, the Czech Republic, Egypt, France, Israel, Peru, Turkey, and the U.S.
- The targeted organizations are from the education, IT, healthcare, manufacturing, and food production sectors.
Modus Operandi
- Upon execution, the ransomware creates a random 64-character long ASCII string which is unique for each targeted system and is used when generating a decryption tool.
- Next, it terminates specific services and processes on the victim’s machine to speed up the encryption process.
- The encrypted files are renamed with the ‘.dark_power’ extension.
- System-critical files such as DLLs, LIBs, INIs, CDMs, LNKs, BINs and MSIs, program files, and web browser folders are excluded from encryption so that the infected system remains operational.
Unique ransom note
Dark Power’s ransom note stands out compared to other ransomware operations.
- Unlike the usual plain text ransom note, the ransomware shares a ransom note in PDF format.
- The ransomware note gives victims 72 hours to send $10,000 in XMR to the provided wallet to receive a working decryptor.
Conclusion
The language chosen by malware authors shows that attackers are upscaling their defense approaches to expand their malicious activities. As Dark Power ransomware aggressively targets organizations worldwide, it is recommended to have the right security posture in place to beat the attack in the initial stage. Additionally, IOCs that include signatures, hashes, and malicious URLs can be leveraged to understand the ransomware attack pattern.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_377739694.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/19d2_shutterstock_240941041.jpg)
