Dark Power Ransomware: A Nim-Programmed Threat 

The Dark Power ransomware, a relatively new ransomware strain, was launched in early February 2023. It is a rare breed of ransomware, as it was written in the Nim programming language. The ransomware targets Microsoft Windows platforms, and its impact is high, as it encrypts files on the compromised machine and demands a ransom for file decryption. 

Infection Vector 

Information on the exact infection vector used by the Dark Power group is not yet available. However, it is not likely to differ significantly from other ransomware groups based on initial research by Trellix

Execution 

Once the Dark Power ransomware is executed, it initializes the encryption algorithm by creating a randomized 64-character long lowercase American Standard Code for Information Interchange (ASCII) string. This string is unique to each targeted machine and is used to initialize the AES Advanced Encryption Standard (AES) counter (CTR) cryptographic algorithm used for encryption. Strings within the ransomware are encrypted to make it harder for defenders to create a generic detection rule. The ransomware uses the Nimcrypto library to carry out cryptographic operations. The strings are present within the binary in a base64 encoded format. Once the encrypted string is decoded, it is decrypted using a fixed key, which is the SHA-256 hash of a hard-coded string. The initialization vector (IV) is also included within the binary, but each decryption call uses a different IV. 

The Dark Power ransomware targets specific services on the victim’s machine and disables them, including backup and anti-malware services. The Volume Shadow Copy Service (VSS) is also stopped to prevent the ransomware from encountering locked files during the encryption process. Processes which often block files are terminated, including Microsoft Office processes such as excel.exe, winword.exe, powerpnt.exe, and visio.exe, as well as specific processes related to database management. 

After killing services, the ransomware sleeps for 30 seconds and executes the Windows command “C:\Windows\system32\cmd.exe /c cls” to clear the console. The ransomware also clears the system logs using a Windows Management Instrumentation (WMI) query. It then begins to encrypt the files which are not filtered out, using AES CRT mode, and renames them with the “.dark_power” extension. 

Ransom Note 

The Dark Power ransom note is a PDF file, created using Adobe Illustrator 26.0. The ransom note demands a payment of $10,000 USD to a Monero blockchain address, with a Tor website (power[redacted].onion) provided for payment and communication. The ransom note also threatens to publish stolen data on its leak site on Tor if the ransom is not paid. The leak site lists 10 companies in various industries from nine countries in North America, Europe, and Africa. The data exfiltration is likely done manually, prior to the deployment of the ransomware. 

Conclusion 

The Dark Power ransomware group operates globally, with claimed victims in Algeria, the Czech Republic, Egypt, France, Israel, Peru, Turkey, and the USA. Victims are advised not to pay the ransom and report the attack to law enforcement agencies and seek assistance from reputable security professionals to recover their files. The adoption of new languages, such as Nim, by malware authors is a trend that isn’t new. Sharing information about these threats helps the community to defend against them.  
 

References: 

  1. https://www.bleepingcomputer.com/news/security/new-dark-power-ransomware-claims-10-victims-in-its-first-month/ 
  1. https://www.fortinet.com/blog/threat-research/dark-power-and-payme100usd-ransomware?&web_view=true 
  1. https://www.trellix.com/en-us/about/newsroom/stories/research/shining-light-on-dark-power.html 

You may also be interested in…

Stay Connected on Today’s Cyber Threat Landscape

  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
  • Hidden
Join us at RSA Conference - booth #449 South!
This is default text for notification bar