A new ransomware operation called Dark Power has appeared and has already listed its first victims on a dark web data leak site, threatening to publish the data if a ransom is not paid.
The ransomware gang’s encryptor has a build date of January 29th, which is when the attacks started. Furthermore, the operation has not yet been promoted on any hacker forums or dark web spaces, so it is likely a private project.
Once all services are killed, the ransomware sleeps for 30 seconds and then clears the Windows console and system logs to hinder analysis by data recovery experts. Encryption uses AES in CTR mode, keyed from the ASCII string generated at startup. The resulting files are renamed with the .dark_power extension.
Interestingly, two versions of the ransomware were circulating freely, each with a different encryption key scheme. The first variant hashes the ASCII string with the SHA-256 algorithm and then splits the result into two halves, using the first as the AES key and the second as the initialization vector (nonce). The second variant uses the SHA-256 digest as the AES key and a fixed 128-bit value as the encryption nonce.
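The two key schemes described above, reconstructed as analyst tooling (added example, not code from the article or from Trellix): once the startup string is recovered from a memory image, it yields the AES key and CTR nonce for either variant, and because CTR is symmetric the same operation decrypts a file. The fixed nonce of the second variant is not published in the article, so a labelled placeholder is used.

```python
import hashlib

# Placeholder only: the real fixed 128-bit nonce of variant 2 is not given in the article.
VARIANT2_FIXED_NONCE = b"\x00" * 16


def derive_variant1(startup_string: bytes) -> tuple[bytes, bytes]:
    """Variant 1: SHA-256 of the startup string, split in half.
    First 16 bytes -> AES-128 key, last 16 bytes -> CTR nonce."""
    digest = hashlib.sha256(startup_string).digest()
    return digest[:16], digest[16:]


def derive_variant2(startup_string: bytes,
                    fixed_nonce: bytes = VARIANT2_FIXED_NONCE) -> tuple[bytes, bytes]:
    """Variant 2: the whole 32-byte SHA-256 digest is the AES-256 key;
    the nonce is a fixed 128-bit value (placeholder here)."""
    if len(fixed_nonce) != 16:
        raise ValueError("CTR nonce must be exactly 128 bits")
    return hashlib.sha256(startup_string).digest(), fixed_nonce


def aes_ctr_apply(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """AES-CTR XORs data with a keystream, so one function both encrypts
    and decrypts. Assumes the 'cryptography' package is installed."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    ctx = Cipher(algorithms.AES(key), modes.CTR(nonce)).decryptor()
    return ctx.update(data) + ctx.finalize()


if __name__ == "__main__":
    # Constructed sample values; a real case uses the string recovered at runtime.
    startup_string = b"constructed-64-char-ascii-string-recovered-from-memory-dump-0000"
    sample = b"constructed file contents for a round-trip check"
    for name, (key, nonce) in (("variant 1", derive_variant1(startup_string)),
                               ("variant 2", derive_variant2(startup_string))):
        ciphertext = aes_ctr_apply(key, nonce, sample)
        recovered = aes_ctr_apply(key, nonce, ciphertext)
        print(name, "AES key bits:", len(key) * 8, "round trip ok:", recovered == sample)
```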
Critical system files such as DLLs, LIBs, INIs, CDMs, LNKs, BINs and MSIs, as well as program files and web browser folders, are excluded from encryption to keep the infected computer operational, allowing the victim to read the ransom note and contact the attackers.
The ransom note, which was last modified on February 9, gives victims 72 hours to send $10,000 in XMR cryptocurrency (Monero) to the provided wallet address to obtain a working decryptor.
Dark Power’s ransom note stands out compared to other ransomware operations as it is an eight-page PDF document containing information about what happened and how to contact them via qTox messenger.
Trellix reports having identified ten victims in the US, France, Israel, Turkey, the Czech Republic, Algeria, Egypt and Peru, so the targeting is global. The Dark Power group claims to have stolen data from these organizations’ networks and threatens to publish it if they don’t pay the ransom, making it yet another double-extortion group.
Source: CisoAdvisor