Cybersecurity faces a new adversary: Dark Power. This ransomware gang is rapidly gaining notoriety, employing sophisticated techniques and targeting victims indiscriminately. This detailed analysis by the Trellix Security Team covers the inner workings of their malicious software and their double-extortion strategy.
Dark Power’s Nim-based Ransomware
Emerging from obscurity, the Nim language now features prominently in malware creation. Its ease of use and cross-platform capabilities appeal to cybercriminals like Dark Power.
Unique Encryption Keys
The ransomware generates a random 64-character ASCII string to initiate the encryption process. Because this string is generated afresh on each run, every key is unique, which prevents the development of a universal decryption tool.
Strings within the ransomware are stored encrypted, thwarting generic detection rules that match on plain-text strings. They are decrypted at runtime with a fixed key, the SHA-256 hash of a hardcoded string, combined with varying initialization vectors (IVs).
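The scheme described above can be reproduced end to end to understand what it does and does not protect. The block below is an added example for this article, not Trellix's or the malware's code: the key is SHA-256 of a hardcoded string (a placeholder here, since the real string is not given in the article), the cipher is AES-CTR (the mode the article names for Nimcrypto), and each protected string is assumed to be stored as a 16-byte IV followed by the ciphertext, which the article does not specify. It shows the analyst's view, that knowing the hardcoded string recovers every embedded string, and why the IV has to vary. Requires the `cryptography` package.

```python
"""String protection with a fixed SHA-256-derived AES key and varying IVs.

Added example for this article, not Trellix or malware code. Assumptions:
HARDCODED_STRING is a placeholder for the real hardcoded string (not in the
article) and each blob is laid out as IV (16 bytes) || AES-CTR ciphertext,
which the article does not state. Requires the `cryptography` package."""
import hashlib
import os
from typing import List, Optional

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

HARDCODED_STRING = b"PLACEHOLDER-not-the-real-hardcoded-string"  # placeholder
KEY = hashlib.sha256(HARDCODED_STRING).digest()  # 32 bytes -> AES-256


def aes_ctr(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CTR mode is symmetric: the same operation encrypts and decrypts."""
    ctx = Cipher(algorithms.AES(key), modes.CTR(iv)).encryptor()
    return ctx.update(data) + ctx.finalize()


def protect_string(plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Build a blob the way a string obfuscator would: fresh IV || ciphertext."""
    iv = iv if iv is not None else os.urandom(16)
    return iv + aes_ctr(KEY, iv, plaintext)


def recover_string(blob: bytes, key: bytes = KEY) -> bytes:
    """Analyst side: once the hardcoded string is known, every blob decrypts."""
    return aes_ctr(key, blob[:16], blob[16:])


def recover_all(blobs: List[bytes]) -> List[bytes]:
    return [recover_string(b) for b in blobs]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leaks_xor(p1: bytes, p2: bytes, iv: bytes) -> bool:
    """Why the IV must vary: with one key and a repeated IV, CTR reuses its
    keystream, so XOR of the two ciphertexts equals XOR of the plaintexts."""
    c1 = aes_ctr(KEY, iv, p1)
    c2 = aes_ctr(KEY, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


# Constructed sample "embedded strings" (service names from the article),
# not strings extracted from a real sample.
SAMPLE_STRINGS = [b"Veeam", b"memtas", b"MSSQL", b"VSS"]
SAMPLE_BLOBS = [protect_string(s) for s in SAMPLE_STRINGS]

if __name__ == "__main__":
    for blob, plain in zip(SAMPLE_BLOBS, recover_all(SAMPLE_BLOBS)):
        print(blob[:16].hex(), "->", plain)
    print("IV reuse leaks XOR:", iv_reuse_leaks_xor(b"Veeam", b"MSSQL", bytes(16)))
```

The takeaway for detection engineering is that the obfuscation only defeats rules written against plain-text strings in the binary; it does not resist analysis, because the key material is fixed and ships with the sample. Rules built on the decrypted strings, or on the hardcoded string itself, remain viable.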
Disabling Crucial Services
Dark Power’s ransomware hinders victims’ recovery efforts by targeting specific services. Stopping services such as Veeam, Memtas, SQL, and MSSQL releases their open files so that they can be encrypted, and stopping the Volume Shadow Copy Service (VSS) eliminates the shadow copies from which files could otherwise be restored.
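Because these service stops and the shadow-copy removal happen before encryption starts, they are the point at which a detection can still prevent loss. The following is an added example for this article, not Trellix's or the malware's code: it classifies constructed, Sysmon-style process-creation lines (the key=value layout is hypothetical, not real telemetry) and escalates hosts that show both a stop of one of the services named above and a shadow-copy deletion.

```python
"""Detect the recovery-inhibition behaviour the article attributes to Dark Power:
stopping backup/database services and deleting Volume Shadow Copies.

Added example for this article, not code from Trellix or the malware. The
event lines below are constructed to resemble Sysmon process-creation logs in
a hypothetical key=value layout and are not from a real incident."""
import re
from typing import Dict, Iterable, List, Optional

# Service-name fragments from the article's list (Veeam, Memtas, SQL/MSSQL,
# VSS), matched case-insensitively as substrings of the stopped service name.
TARGET_SERVICE_FRAGMENTS = ("veeam", "memtas", "sql", "vss")

CMDLINE_RE = re.compile(r'CommandLine="(?P<cmd>[^"]*)"')
HOST_RE = re.compile(r"\bhost=(?P<host>\S+)")

# Three common ways of stopping a Windows service from a command line.
SERVICE_STOP_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+stop\s+(?P<svc1>\S+)"
    r"|\bsc(?:\.exe)?\s+stop\s+(?P<svc2>\S+)"
    r"|\bStop-Service\b.*?-Name\s+(?P<svc3>\S+)",
    re.IGNORECASE,
)
# Shadow-copy removal, the step that defeats local file-history recovery.
SHADOW_DELETE_RE = re.compile(
    r"\bvssadmin(?:\.exe)?\s+delete\s+shadows"
    r"|\bwmic(?:\.exe)?\s+shadowcopy\s+delete",
    re.IGNORECASE,
)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    '2023-02-09T10:00:01Z host=WS01 EventID=1 Image=C:\\Windows\\System32\\net.exe '
    'CommandLine="net stop VeeamBackupSvc /y"',
    '2023-02-09T10:00:02Z host=WS01 EventID=1 Image=C:\\Windows\\System32\\sc.exe '
    'CommandLine="sc stop MSSQLSERVER"',
    '2023-02-09T10:00:03Z host=WS01 EventID=1 Image=C:\\Windows\\System32\\vssadmin.exe '
    'CommandLine="vssadmin.exe delete shadows /all /quiet"',
    '2023-02-09T10:00:04Z host=WS02 EventID=1 Image=C:\\Windows\\System32\\net.exe '
    'CommandLine="net stop Spooler"',
    '2023-02-09T10:00:05Z host=WS02 EventID=1 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'CommandLine="powershell.exe -NoP -C Stop-Service -Name MemtasSvc -Force"',
    '2023-02-09T10:00:06Z host=WS03 EventID=1 Image=C:\\Windows\\System32\\notepad.exe '
    'CommandLine="notepad.exe readme.txt"',
]


def classify_event(line: str) -> Optional[Dict[str, str]]:
    """Return a finding for a suspicious event, or None for benign/unparseable."""
    cmd_m, host_m = CMDLINE_RE.search(line), HOST_RE.search(line)
    if not (cmd_m and host_m):
        return None
    cmd, host = cmd_m.group("cmd"), host_m.group("host")
    if SHADOW_DELETE_RE.search(cmd):
        return {"host": host, "technique": "shadow_copy_deletion", "detail": cmd}
    m = SERVICE_STOP_RE.search(cmd)
    if m:
        service = next(g for g in m.groups() if g)
        # Only the backup/database/VSS services matter here; stopping an
        # unrelated service such as the print spooler is not flagged.
        if any(frag in service.lower() for frag in TARGET_SERVICE_FRAGMENTS):
            return {"host": host, "technique": "service_stop", "detail": service}
    return None


def detect(lines: Iterable[str]) -> List[Dict[str, str]]:
    return [f for f in map(classify_event, lines) if f]


def hosts_with_inhibited_recovery(findings: List[Dict[str, str]]) -> List[str]:
    """Hosts showing both target-service stops and shadow-copy deletion; the
    combination is a strong pre-encryption signal that warrants isolation."""
    by_host: Dict[str, set] = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["technique"])
    return sorted(h for h, t in by_host.items()
                  if {"service_stop", "shadow_copy_deletion"} <= t)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("hosts to escalate:", hosts_with_inhibited_recovery(found))
```

In production the same logic belongs in the SIEM as a correlation rule keyed on host and a short time window; a single `net stop` of a database service is routine administration, whereas database stops followed by `vssadmin delete shadows` on the same host within minutes is rarely legitimate.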
Distinct from traditional plain text notes, Dark Power leaves PDF ransom notes in every folder it enumerates. Created with Adobe Illustrator 26.0, these notes were last modified on February 9, 2023.
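The note itself is a useful incident-response artifact: the same PDF replicated into many folders, with a creator tag that few organizations' documents carry. The block below is an added example for this article, not Trellix's or the malware's code; it walks a directory tree, groups byte-identical PDFs by SHA-256, and reports those present in several folders together with their `/Creator` metadata. The directory tree, PDF bytes and note filename are constructed for the demo, because the article gives neither the note's name nor its contents.

```python
"""Hunt for the ransom-note pattern described in the article: one identical
PDF dropped into every enumerated folder, with Adobe Illustrator 26.0 as its
creator.

Added example for this article, not Trellix or malware code. The directory
tree, PDF bytes and note filename are constructed for the demo; the real
note's name and contents are not given in the article."""
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from typing import Dict, Optional

PDF_MAGIC = b"%PDF-"
# Info-dictionary entries are literal strings in parentheses; this covers the
# common uncompressed Info object and is not a full PDF parser.
CREATOR_RE = re.compile(rb"/Creator\s*\((?P<creator>[^)]*)\)")
NOTE_CREATOR = "Adobe Illustrator 26.0"  # value reported in the article


def pdf_creator(data: bytes) -> Optional[str]:
    m = CREATOR_RE.search(data)
    return m.group("creator").decode("latin-1") if m else None


def find_replicated_pdfs(root: str, min_dirs: int = 3) -> Dict[str, dict]:
    """Map sha256 -> {"dirs": [...], "creator": ..., "illustrator_26": bool}
    for PDFs whose identical bytes sit in at least min_dirs directories."""
    seen: Dict[str, dict] = defaultdict(lambda: {"dirs": set(), "creator": None})
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(PDF_MAGIC))
                    if head != PDF_MAGIC:
                        continue
                    data = head + fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            entry = seen[hashlib.sha256(data).hexdigest()]
            entry["dirs"].add(dirpath)
            entry["creator"] = pdf_creator(data)
    return {
        digest: {"dirs": sorted(e["dirs"]), "creator": e["creator"],
                 "illustrator_26": e["creator"] == NOTE_CREATOR}
        for digest, e in seen.items() if len(e["dirs"]) >= min_dirs
    }


# --- constructed demo data (not a real note) ------------------------------
FAKE_NOTE = (b"%PDF-1.7\n1 0 obj\n<< /Creator (Adobe Illustrator 26.0) "
             b"/Title (constructed ransom note) >>\nendobj\n%%EOF\n")
FAKE_REPORT = (b"%PDF-1.7\n1 0 obj\n<< /Creator (Microsoft Word) "
               b"/Title (quarterly report) >>\nendobj\n%%EOF\n")


def build_demo_tree() -> str:
    """Create a temp tree: the note in four folders, one ordinary PDF, text files."""
    root = tempfile.mkdtemp(prefix="note_hunt_")
    for sub in ("Documents", "Documents/Invoices", "Pictures", "Projects"):
        d = os.path.join(root, sub)
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "RANSOM_NOTE_PLACEHOLDER.pdf"), "wb") as fh:
            fh.write(FAKE_NOTE)
        with open(os.path.join(d, "notes.txt"), "w") as fh:
            fh.write("ordinary file\n")
    with open(os.path.join(root, "Documents", "report.pdf"), "wb") as fh:
        fh.write(FAKE_REPORT)
    return root


if __name__ == "__main__":
    for digest, info in find_replicated_pdfs(build_demo_tree()).items():
        print(digest[:16], info["creator"], len(info["dirs"]), "folders")
```

The hash grouping is the robust part of this check: the creator string is circumstantial and may change between builds, but a note written into every folder is, by construction, byte-identical across the file system, which is exactly the shape legitimate documents do not have.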
Dark Power employs a two-pronged extortion strategy: encrypting data and threatening to publish stolen information if the ransom isn’t paid.
Data exfiltration is assumed to be manual and occurs before ransomware deployment.
With victims in Algeria, the Czech Republic, Egypt, France, Israel, Peru, Turkey, and the USA, Dark Power operates on an international scale. Their targets span diverse sectors, including education, IT, healthcare, manufacturing, and food production.
Dark Power’s ransomware continues to evolve, reflecting the gang’s adaptability and persistence. Their agility in choosing victims and refining their methods shows a determination to stay ahead of cybersecurity defenses.
Using the Nimcrypto library, Dark Power performs its cryptographic operations with AES in CTR mode. A standard cipher applied this way leaves security researchers no practical way to decrypt affected files without the key.
Infiltration and Attack
The Dark Power ransomware infiltrates victims’ systems through various means, such as phishing emails, exploiting vulnerabilities, or using remote access tools. Once inside the network, the gang manually exfiltrates sensitive data and deploys the ransomware, maximizing their extortion capabilities.
Victim Naming and Shaming
Dark Power maintains a website showcasing non-paying victims and their stolen data. This public exposure adds pressure on the victims to pay the ransom, as their sensitive information is at risk of being leaked or sold to other cybercriminals.
As the Dark Power ransomware gang expands its reach, businesses and organizations must remain vigilant. Implementing robust cybersecurity measures, such as employee training, software updates, and regular backups, is essential in thwarting ransomware attacks and minimizing the impact of these malicious campaigns.
Dark Power Ransomware FAQ
What is Dark Power?
Dark Power is a ransomware gang that uses advanced encryption techniques to lock victims’ data, demanding ransom payments to release the encrypted files. They also threaten to publish stolen information if victims refuse to pay.
How does Dark Power gain access to victims’ systems?
Dark Power typically infiltrates victims’ systems through phishing emails, exploiting vulnerabilities, or using remote access tools. Once inside a network, the gang manually exfiltrates sensitive data and deploys the ransomware.
What is the Nim programming language?
The Nim programming language is a statically typed, compiled programming language that focuses on efficiency, expressiveness, and elegance. Designed by Andreas Rumpf and first appearing in 2008, Nim combines features from various programming languages, such as Python, Ada, and Modula.
What language is Dark Power ransomware written in?
Dark Power ransomware is written in the Nim programming language. Nim’s ease of use and cross-platform capabilities make it an appealing choice for malware creators.
How does Dark Power’s ransomware encrypt files?
Dark Power’s ransomware generates a unique 64-character ASCII string to initiate the encryption process. The ransomware uses the Nimcrypto library for cryptographic operations, employing AES in CTR mode for encryption.
What kind of ransom notes does Dark Power leave?
Unlike traditional plain text ransom notes, Dark Power leaves PDF ransom notes in every folder it enumerates. These notes are created with Adobe Illustrator 26.0.
What is Dark Power’s extortion strategy?
Dark Power employs a two-pronged extortion strategy: encrypting victims’ data and threatening to publish stolen information if the ransom isn’t paid. This approach maximizes the gang’s extortion capabilities.
Where does Dark Power operate, and whom does it target?
Dark Power operates on an international scale, with victims in Algeria, the Czech Republic, Egypt, France, Israel, Peru, Turkey, and the USA. They target various sectors, such as education, IT, healthcare, manufacturing, and food production.
Stay Informed, Stay Secure
Understanding the tactics, techniques, and procedures (TTPs) employed by ransomware gangs like Dark Power is crucial in strengthening cybersecurity defenses.
Stay informed about the latest threats and trends, and prioritize the implementation of proactive security measures to protect your valuable data and systems.