New 'Dark Power' ransomware hits its first dozens of victims

    The attackers are comparatively modest: they demand only $10,000 for data decryption.

    Trellix recently reported on a new extortion operation known as "Dark Power". The hackers have already listed their first victims on a darknet data leak site and are threatening to publish the stolen data unless they receive a ransom.

    According to the researchers, Dark Power is a targeted extortion operation. The victim organizations have no clear connection with each other and are located in different countries. The ransom demanded for decryption and for keeping the data private is relatively small, 10,000 US dollars. The first attack was recorded at the end of January this year. Since the campaign was not advertised on hacker forums or other dark web venues, it is most likely a private project.

    The Dark Power payload was written in Nim, a cross-platform programming language that provides high code performance, making it an ideal candidate for ransomware development. In addition, since Nim is just starting to gain popularity among cybercriminals, it is less likely to be detected by antivirus solutions.

    Trellix did not provide details on how Dark Power is delivered to target computers; it could be an exploit, phishing emails, or other means. When run, the ransomware generates a randomized 64-character ASCII string that seeds the encryption algorithm, so that each execution uses a unique key. The program then terminates certain services and processes on the victim's computer to release file locks so the files can be encrypted, and to reduce the chance that the encryption is blocked or interrupted.

    After all targeted processes and services are stopped, the ransomware idles for 30 seconds and then clears the Windows console and the system event logs, presumably to hinder the work of incident responders and data recovery experts. Encryption uses AES in CTR mode, keyed from the ASCII string generated at startup. Encrypted files receive the ".dark_power" extension.

    In the wild, the researchers found two versions of Dark Power with slightly different encryption schemes. The first hashes the ASCII string with SHA-256 and splits the digest into two parts, using the first part as the AES key and the second as the initialization vector (nonce). The second variant uses the whole SHA-256 digest as the AES key and a fixed 128-bit value as the nonce.
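    The two key-derivation schemes above are worth modelling, because the details decide what a recovery team can do: with the per-run ASCII string (for example, carved from a memory image taken before reboot) the key and nonce of either variant can be rebuilt and files decrypted, and the second variant's fixed nonce means every file encrypted in one run shares a CTR keystream, so a known plaintext for one file unmasks the same-length prefix of any other. The Go program below is an added illustration written for this article, not Trellix's tooling or Dark Power's own code. It assumes the "two parts" of the first variant are equal 16-byte halves (AES-128 key plus 16-byte nonce), uses a zero block as a placeholder for the undisclosed fixed nonce, and uses a constructed seed string in place of the malware's random one.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// sampleSeed is a constructed stand-in for the random 64-character ASCII
// string the ransomware generates on each run (not a real sample value).
const sampleSeed = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!?"

// fixedNonce is an assumed placeholder for the "fixed 128-bit value" of the
// second variant; the article does not disclose the real constant.
var fixedNonce = [16]byte{}

// deriveV1 models the first variant: SHA-256 of the seed, first half used as
// the AES-128 key, second half as the CTR nonce (halving is an assumption).
func deriveV1(seed string) (key, nonce []byte) {
	h := sha256.Sum256([]byte(seed))
	return h[:16], h[16:]
}

// deriveV2 models the second variant: the full 32-byte digest as an AES-256
// key, combined with the fixed nonce.
func deriveV2(seed string) (key, nonce []byte) {
	h := sha256.Sum256([]byte(seed))
	return h[:], fixedNonce[:]
}

// ctrXor applies AES-CTR. CTR is symmetric, so the same call both encrypts
// and, given the recovered key and nonce, decrypts a ".dark_power" file.
func ctrXor(key, nonce, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, nonce).XORKeyStream(out, data)
	return out
}

// recoverWithKnownPlaintext shows why a fixed nonce matters: files encrypted
// under the same key and nonce share a keystream, so plaintext XOR ciphertext
// of one file yields the keystream prefix that unmasks the start of another.
func recoverWithKnownPlaintext(knownPlain, knownCipher, otherCipher []byte) []byte {
	n := len(knownPlain)
	if len(knownCipher) < n {
		n = len(knownCipher)
	}
	if len(otherCipher) < n {
		n = len(otherCipher)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = knownPlain[i] ^ knownCipher[i] ^ otherCipher[i]
	}
	return out
}

func main() {
	// Variant 1: rebuild key and nonce from the seed and round-trip a file.
	k1, n1 := deriveV1(sampleSeed)
	doc := []byte("constructed sample document contents")
	enc := ctrXor(k1, n1, doc)
	fmt.Printf("v1 key=%s nonce=%s\n", hex.EncodeToString(k1), hex.EncodeToString(n1))
	fmt.Printf("v1 decrypts back: %q\n", ctrXor(k1, n1, enc))

	// Variant 2: two files, one with a known header, share the keystream.
	k2, n2 := deriveV2(sampleSeed)
	fileA := []byte("%PDF-1.7 known header of file A")
	fileB := []byte("unknown contents of file B here")
	cA, cB := ctrXor(k2, n2, fileA), ctrXor(k2, n2, fileB)
	fmt.Printf("v2 recovered prefix of B: %q\n", recoverWithKnownPlaintext(fileA, cA, cB))
}
```

    The first variant avoids the keystream-reuse problem only because its nonce is itself derived from the per-run seed and is therefore the same for every file too; what protects it in practice is that responders rarely hold a plaintext/ciphertext pair. In both cases the seed string is the only secret, which is why capturing process memory before the host is powered off is the decisive step for recovery.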

    System-critical files such as DLL, LIB, INI, CDM, LNK, BIN, and MSI, as well as the Program Files and web browser folders, are excluded from encryption to keep the infected computer stable, so that the victim can still read the ransom note and contact the attackers.

    The ransom note, last edited by the criminals on February 9, 2023, gives victims 72 hours to send $10,000 in Monero to a specified wallet address, after which the hackers promise to send a decryptor. The note itself stands out from those of other ransomware for its elaborateness: it is an eight-page PDF document describing in detail what happened and how to contact the attackers via the qTox messenger.

    Trellix reports ten victims so far, located in the United States, France, Israel, Turkey, the Czech Republic, Algeria, Egypt and Peru. The organizations belong to different sectors: education, information technology, health care, manufacturing and food production. There is no clear focus on a specific country or industry.

    Author DeepWeb