A new ransomware operation called Dark Power has surfaced, targeting organisations around the world and demanding relatively small ransom payments of $10,000. According to a recent report from cybersecurity firm Trellix, the ransomware uses the Nim programming language, making it a niche choice that is unlikely to be detected by defence tools.

shining-light-on-dark-power-4.jpg

Dark Power has already listed its first victims on a dark web data leak site (powerj7kmpzkdhjg4szvcxxgktgk36ezpjxvtosylrpey7svpmrjyuyd.onion, currently offline), and the group is threatening to publish the stolen data if a ransom is not paid within 72 hours.

The ransom note, which is an 8-page PDF document, stands out from other ransomware operations, providing information about what has happened and how to contact the attackers via the qTox messenger.

The group has already targeted ten victims from different countries and claims to have stolen data from their networks, making it another double extortion group.

Indicator of compromise

IOCs
33c5b4c9a6c24729bb10165e34ae1cd2315cfce5763e65167bd58a57fde9a389
11ddebd9b22a3a21be11908feda0ea1e1aa97bc67b2dfefe766fcea467367394

ATT&CK techniques

Execution Defense Evasion Discovery Impact
T1059 Command and Scripting Interpreter T1027 Obfuscated Files or Information T1082 System Information Discovery T1486 Data Encrypted for Impact
T1047 Windows Management Instrumentation T1140 Deobfuscate/Decode Files or Information T1057 Process Discovery T1490 Inhibit System Recovery
  T1070.001 Indicator Removal: Clear Windows Event Logs   T1489 Service Stop