New 'Dark Power' ransomware hits its first dozens of victims

    Quite modest attackers demand only $10,000 for data decryption.

    Trellix recently reported on a new extortion operation known as "Dark Power". The operators have already listed their first victims on their darknet data leak site and are threatening to release the stolen data unless they receive a ransom.

    According to the researchers, Dark Power is a targeted extortion operation. The victim organizations have no clear connection with each other and are located in different countries. The ransom demanded for decryption and for not leaking the data is relatively small: 10,000 US dollars. The first attack was recorded by the researchers at the end of January this year. Since the campaign has not been advertised on hacker forums or other dark web spaces, it is most likely a private project.

    The Dark Power payload was written in Nim, a cross-platform programming language that provides high code performance, making it an ideal candidate for ransomware development. In addition, since Nim is just starting to gain popularity among cybercriminals, it is less likely to be detected by antivirus solutions.

    Trellix did not provide details on how Dark Power is delivered to target computers; it could be an exploit, phishing emails, or other means. When run, the ransomware generates a random 64-character ASCII string that seeds the encryption so that each execution uses a unique key. The program then terminates certain services and processes on the victim's computer to release file locks before encryption and to reduce the chance of files being held open or the encryption process itself being interrupted.

    After the targeted processes and services are stopped, the ransomware stays idle for 30 seconds and then clears the Windows console and system event logs, most likely to hinder the work of incident responders and data recovery specialists. Encryption uses AES in CTR mode, keyed from the ASCII string generated at startup. Encrypted files receive the ".dark_power" extension.

    In the wild (ITW), the researchers found two versions of the Dark Power ransomware with slightly different encryption schemes. The first variant hashes the ASCII string with SHA-256 and splits the 32-byte digest into two halves, using the first half as the AES key and the second half as the initialization vector (nonce). The second variant uses the full SHA-256 digest of the string as the AES key and a fixed 128-bit value as the CTR nonce.
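The two derivations described above, written out as an added example in Go (this is not Trellix's code and not code from any Dark Power sample). It models what a responder would implement after recovering the per-run seed string: derive the key and nonce for each variant, decrypt a file with the symmetric CTR operation, and run the generic CTR-mode check for shared keystream between two files. The seed and file contents are constructed sample values, the fixed nonce of the second variant is a labelled placeholder because the real constant is not on the page, and the keystream check demonstrates a general property of CTR mode (same key and nonce for more than one file means the ciphertexts XOR to the plaintexts' XOR); it makes no claim about the real samples beyond what the article states.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
)

// ConstructedSeed stands in for the per-run 64-character ASCII string the
// article describes. It is a constructed value, not one recovered from malware.
const ConstructedSeed = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!?"

// placeholderFixedNonce stands in for the fixed 128-bit nonce of the second
// variant. The real constant is not on the page, so this is a labelled placeholder.
var placeholderFixedNonce = [16]byte{
	0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef,
	0xde, 0xad, 0xbe, 0xef, 0xde, 0xad, 0xbe, 0xef,
}

// DeriveVariant1 hashes the seed with SHA-256 and splits the 32-byte digest:
// the first half is the AES-128 key, the second half is the CTR nonce.
func DeriveVariant1(seed string) (key, nonce []byte) {
	sum := sha256.Sum256([]byte(seed))
	return sum[:16], sum[16:]
}

// DeriveVariant2 uses the whole 32-byte digest as an AES-256 key and a fixed nonce.
func DeriveVariant2(seed string) (key, nonce []byte) {
	sum := sha256.Sum256([]byte(seed))
	return sum[:], placeholderFixedNonce[:]
}

// CTRXOR applies the AES-CTR keystream for (key, nonce) to data. CTR mode is
// symmetric, so the same call encrypts a plaintext and decrypts a ciphertext.
func CTRXOR(key, nonce, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(nonce) != block.BlockSize() {
		return nil, fmt.Errorf("nonce must be %d bytes, got %d", block.BlockSize(), len(nonce))
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, nonce).XORKeyStream(out, data)
	return out, nil
}

// XORPrefix returns a XOR b over their common prefix length.
func XORPrefix(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// SharesKeystream is the responder's check: if two ciphertexts were produced
// under the same key and nonce, c1 XOR c2 equals p1 XOR p2 over the common
// prefix because the keystream cancels out. A fresh nonce per file makes it false.
func SharesKeystream(c1, c2, p1, p2 []byte) bool {
	return bytes.Equal(XORPrefix(c1, c2), XORPrefix(p1, p2))
}

func main() {
	// Constructed sample file contents; the seed is assumed to have been recovered.
	fileA := []byte("quarterly-report.xlsx contents (constructed sample)")
	fileB := []byte("backup-notes.txt contents (constructed sample)")

	variants := map[string]func(string) ([]byte, []byte){
		"variant1": DeriveVariant1,
		"variant2": DeriveVariant2,
	}
	for name, derive := range variants {
		key, nonce := derive(ConstructedSeed)
		cA, _ := CTRXOR(key, nonce, fileA)
		cB, _ := CTRXOR(key, nonce, fileB)
		back, _ := CTRXOR(key, nonce, cA) // decryption with the recovered seed
		fmt.Printf("%s: key=%d bytes nonce=%d bytes roundtrip=%v sharedKeystream=%v\n",
			name, len(key), len(nonce), bytes.Equal(back, fileA),
			SharesKeystream(cA, cB, fileA, fileB))
	}
}
```

In this model the seed is generated once per run, as the article describes, so both derivations yield one key/nonce pair per run and the check reports shared keystream for files encrypted in the same run; whether a real sample derives a fresh nonce per file is not something the article settles, which is exactly why a responder runs this check against two recovered ciphertexts with known plaintext rather than assuming either way.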

    System-critical file types such as DLL, LIB, INI, CDM, LNK, BIN and MSI, as well as the Program Files and web browser folders, are excluded from encryption to keep the infected computer stable, so the victim will still be able to read the ransom note and contact the attackers.

    The ransom note, last edited by the criminals on February 9, 2023, gives victims 72 hours to send $10,000 in Monero to a specified wallet address, after which the attackers promise to send a decryptor. The note itself stands out from other ransomware in its creativity: it is an eight-page PDF document with detailed information about what happened and how to contact the attackers via the qTox messenger.

    Trellix reports exactly ten recorded victims, located in the United States, France, Israel, Turkey, the Czech Republic, Algeria, Egypt and Peru. The organizations belong to different sectors: education, information technology, health care, manufacturing and food production. There was no clear focus on a specific country or industry.

    Author DeepWeb