Quite modest: the attackers demand only $10,000 for data decryption.
Trellix recently reported on a new extortion operation known as "Dark Power". The hackers have already listed their first victims on their darknet data leak site and are threatening to publish the stolen data unless they receive a ransom.
According to experts, Dark Power is a targeted extortion operation. The victim organizations have no clear connection with each other and are located in different countries. The ransom demanded for decryption and for keeping the data private is relatively small, 10,000 US dollars. The first attack was recorded by specialists at the end of January this year. Since the campaign was not advertised on hacker forums or dark web spaces, it is most likely a private project.
The Dark Power payload was written in Nim, a cross-platform programming language that provides high code performance, making it an ideal candidate for ransomware development. In addition, since Nim is just starting to gain popularity among cybercriminals, it is less likely to be detected by antivirus solutions.
Trellix specialists did not provide details on how Dark Power is delivered to target computers; it could be an exploit, phishing emails, or other means. When run, the ransomware generates a randomized 64-character ASCII string so that the encryption algorithm is initialized with a unique key on each execution. The program then terminates certain services and processes on the victim's computer to release locks on files so they can be encrypted, and to minimize the chance of the files being blocked or the encryption process itself being suspended.
After all necessary processes and services are disabled, the ransomware remains idle for 30 seconds and then clears the Windows console and system logs, presumably to hinder the work of forensic and data-recovery experts. Encryption uses AES in CTR mode with a key derived from the ASCII string generated at startup. The resulting encrypted files carry the ".dark_power" extension.
In the wild, experts found two versions of the Dark Power ransomware with slightly different encryption schemes. The first variant hashes the ASCII string with SHA-256 and splits the digest into two halves, using the first half as the AES key and the second as the initialization vector (nonce). The second variant uses the full SHA-256 digest as the AES key and a fixed 128-bit value as the nonce.
System-critical files such as DLL, LIB, INI, CDM, LNK, BIN, and MSI, as well as the Program Files and web browser folders, are excluded from encryption to keep the infected computer stable, so that the victim is sure to see the ransom demand and is able to contact the attackers.
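The two key-derivation schemes above have a consequence worth checking during incident response: because the 64-character string is generated once per execution, every file encrypted in one run shares the same AES-CTR keystream (variant 1 derives both key and nonce from that single string; variant 2 pairs a per-run key with a fixed nonce). CTR keystream reuse means that a clean copy of any one encrypted file (for example, from a backup) reveals the keystream bytes at those offsets, which then decrypt the same offsets of any other file from the same run. The following Go program is an added illustration, not code from Trellix or from the malware; it models both derivations as the summary reads them (variant 1 as AES-128 with a 16-byte key and 16-byte nonce, variant 2 as AES-256), uses a constructed placeholder for the fixed nonce, whose real value is not given in the article, and assumes a single runtime string per execution as described.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"fmt"
	"strings"
)

// DeriveVariant1 models the first scheme described in the write-up: SHA-256 of
// the 64-character runtime string, split into two 16-byte halves, the first
// used as the AES-128 key and the second as the CTR nonce.
func DeriveVariant1(runtimeString string) (key, nonce []byte) {
	digest := sha256.Sum256([]byte(runtimeString))
	return digest[:16], digest[16:]
}

// placeholderFixedNonce is a constructed stand-in for the fixed 128-bit value
// of the second variant; the article does not give the real value.
var placeholderFixedNonce = []byte("FIXED-NONCE-0000") // 16 bytes, hypothetical

// DeriveVariant2 models the second scheme: the whole SHA-256 digest as the
// AES-256 key, paired with a fixed nonce.
func DeriveVariant2(runtimeString string) (key, nonce []byte) {
	digest := sha256.Sum256([]byte(runtimeString))
	return digest[:], placeholderFixedNonce
}

// ctrXOR applies AES-CTR with the given key and nonce. CTR mode is symmetric,
// so the same call both encrypts and decrypts.
func ctrXOR(key, nonce, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, nonce).XORKeyStream(out, data)
	return out, nil
}

// RecoverWithKnownPlaintext is the recovery check: if two files were encrypted
// under the same key and nonce, keystream bytes at equal offsets are identical,
// so plaintext XOR ciphertext of the known file yields the keystream, and that
// keystream XOR the target ciphertext yields the target's plaintext prefix.
func RecoverWithKnownPlaintext(knownPT, knownCT, targetCT []byte) []byte {
	n := len(knownPT)
	if len(knownCT) < n {
		n = len(knownCT)
	}
	if len(targetCT) < n {
		n = len(targetCT)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		keystreamByte := knownPT[i] ^ knownCT[i]
		out[i] = targetCT[i] ^ keystreamByte
	}
	return out
}

func main() {
	// Constructed runtime string standing in for the random 64-character value.
	runtimeString := strings.Repeat("0123456789abcdef", 4)
	key, nonce := DeriveVariant1(runtimeString)

	// Two constructed "files" from the same run: A has a clean copy in backup.
	fileA := []byte("MZ known clean copy of file A restored from backup......")
	fileB := []byte("contents of file B that the victim needs back")
	ctA, _ := ctrXOR(key, nonce, fileA)
	ctB, _ := ctrXOR(key, nonce, fileB)

	recovered := RecoverWithKnownPlaintext(fileA, ctA, ctB)
	fmt.Printf("recovered prefix of file B: %q\n", recovered)
}
```

The recovery only covers the byte range where known plaintext exists, and it relies on the assumption that the string really is generated once per run; a sample that regenerated the string per file would not share keystream and this check would fail, which is itself a useful thing to learn about a sample early in an investigation.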
The ransom note, last edited by the cybercriminals on February 9, 2023, gives victims 72 hours to send $10,000 in Monero to a specified wallet address, after which the hackers promise to send a decryptor. The note itself stands out from other ransomware for its creativity: it is an eight-page PDF document with detailed information about what happened and how to contact the attackers via the qTox messenger.
Trellix reports that exactly ten victims were recorded from the United States, France, Israel, Turkey, the Czech Republic, Algeria, Egypt and Peru. All organizations belonged to different fields of activity: education, information technology, health care, manufacturing and food production. There was no clear focus on a specific country or industry.